Re: [users@httpd] SSL session/key caching on reverse mod_proxy - does Apache (as client) cache the origin server's key?

Thu, 29 Jan 2009 19:43:58 -0800 

So you're saying that the server caches a value which it (itself)
generates?  I guess if this is true, then there is nothing for
mod_proxy (SSL) to cache when it is in the role of the client to the
back-end server...?

Also, not sure what you mean about "long lived connections in a pool".
 Last I knew, back-end persistent connections over SSL did not work
correctly in Apache 2.2.x.

JB


On Tue, Jan 27, 2009 at 7:33 PM, Eric Covener <cove...@gmail.com> wrote:
> On Tue, Jan 27, 2009 at 6:43 PM, Jeff Ambrosino <jbambros...@gmail.com> wrote:
>> I'm using Apache as a reverse proxy to a back-end (origin) web server,
>> handling SSL traffic.  I have SSLSessionCache enabled, which lets the
>> Apache server cache the client's public key to prevent the need to
>> renegotiate subsequent connections.  But my question is whether this
>> also helps when Apache itself is the client to the origin web server?
>> In other words, is Apache caching the back-end server's public key to
>> prevent the need to handshake SSL to the origin each and every
>> request?
>
> You don't cache the servers key, you cache an opaque sesssion ID that
> you've previously established. This should not be reused for a long
> period of time.
>
> I don't know if mod_proxy_http + SSLProxyEngine re-uses session IDs,
> but it's somewhat moot because it uses long-lived connections in a
> pool anyway.
>
> --
> Eric Covener
> cove...@gmail.com
>
> ---------------------------------------------------------------------
> The official User-To-User support forum of the Apache HTTP Server Project.
> See <URL:http://httpd.apache.org/userslist.html> for more info.
> To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
>   "   from the digest: users-digest-unsubscr...@httpd.apache.org
> For additional commands, e-mail: users-h...@httpd.apache.org
>
>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org

Reply via email to