I'm looking for some clarification on how to set up a reverse proxy
that supports SSL/TLS. My understanding is as follows (please correct
me if I'm wrong):
1. Client connects with SSL, mod_ssl handles this
2. mod_proxy handles generating a proxy-request to the configured origin server
3. SSLProxyEngine should be set to on so that SSL is used to
communicate securely with the origin server.

What, if any, of the original client's SSL information is then available
to the origin server? For instance, can clients still present
certificates to authenticate with the origin server, or will that need
to be handled by the reverse proxy? If this authentication is handled
by the proxy, can the information from the client certificate be made
available to the origin server? Will the proxy try to use the same SSL
parameters (protocol version, ciphersuite, etc) as the client did, or
will this information otherwise be made available to the origin
server? Ideally, I'd like the proxy to be transparent to both the
origin server and the client.

Additionally, my origin server and reverse proxy are actually on the
same machine, so I'm not especially concerned about securing
communications between them, except that I would like all of the
SSL-relevant information to be available to the origin server. Is
there a way to do this without using secure communications between the
proxy and origin server? My primary reason for not wanting to use
secure connections here is to improve speed and avoid the increased
drain on my entropy pool. Are these realistic concerns, or would the
effect be negligible?

Any help would be greatly appreciated.

Thanks,
-Brian

-- 
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscr...@httpd.apache.org
   "   from the digest: users-digest-unsubscr...@httpd.apache.org
For additional commands, e-mail: users-h...@httpd.apache.org
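
The setup described in the message above, as an added example configuration that is not part of the original post or of the Apache project's documentation: mod_ssl terminates the client connection, mod_headers copies selected mod_ssl variables into request headers, and mod_proxy forwards to an origin on the same machine over plain HTTP. The hostname, file paths, port 8080 and the X-SSL-* header names are assumptions chosen for illustration.

```apache
# Added example (constructed). Requires mod_ssl, mod_headers, mod_proxy
# and mod_proxy_http. Hostname, paths, port and X-SSL-* names are assumptions.
<VirtualHost *:443>
    ServerName www.example.com

    # Step 1: mod_ssl handles the client's SSL/TLS connection.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/example/server.crt
    SSLCertificateKeyFile /etc/ssl/example/server.key

    # Client certificates are verified here, at the proxy. The client's TLS
    # session ends at this virtual host; the connection to the origin is a
    # separate one with its own parameters.
    SSLCACertificateFile  /etc/ssl/example/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 2

    # Pass SSL details to the origin as request headers. "set" replaces any
    # header of the same name sent by the client, so the origin only sees
    # values written by the proxy.
    RequestHeader set X-SSL-Protocol      "%{SSL_PROTOCOL}s"
    RequestHeader set X-SSL-Cipher        "%{SSL_CIPHER}s"
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"

    # Step 2: mod_proxy generates the request to the origin. Plain HTTP on
    # loopback; the origin should listen on 127.0.0.1 only, so that nothing
    # can reach it directly and supply its own X-SSL-* headers.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # Step 3 (alternative): SSL between proxy and origin needs SSLProxyEngine
    # and an https:// target instead of the two ProxyPass lines above.
    # SSLProxyEngine on
    # ProxyPass        / https://127.0.0.1:8443/
    # ProxyPassReverse / https://127.0.0.1:8443/
</VirtualHost>
```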
