On 26.01.10 15:28, Brian Mearns wrote:
> I'm looking for some clarification on how to set up a reverse proxy
> that supports SSL/TLS. My understanding is as follows (please correct
> me if I'm wrong):
> 1. Client connects with SSL, mod_ssl handles this
> 2. mod_proxy handles generating a proxy-request to the configured origin
> server
> 3. SSLProxyEngine should be set to on so that SSL is used to
> communicate securely with the origin server.

Why have an SSL proxy in this case?

> What if any of the original client's SSL information is then available
> to the origin server? For instance, can clients still present
> certificates to authenticate with the origin server, or will that need
> to be handled by the reverse proxy? If this authentication is handled
> by the proxy, can the information from the client certificate be made
> available to the origin server?

You can only pass such information in request variables, and the destination
server will have to trust the proxy. The proxy cannot sign the data with the
client's certificate - it would need the client's private key.

> Will the proxy try to use the same SSL parameters (protocol version,
> ciphersuite, etc) as the client did, or will this information otherwise be
> made available to the origin server?

No. It will do a completely different SSL negotiation.

> Ideally, I'd like the proxy to be transparent to both the
> origin server and the client.

Why do you want the proxy at all in this case?

-- 
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
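
Added example, not part of the original message and not the Apache project's own configuration: one way to configure the setup discussed above, where the proxy verifies the client certificate, forwards its details as request headers, and authenticates itself to the origin with its own certificate so the origin has a basis for trusting those headers. Host names, file paths and the X-SSL-* header names are assumptions.

```apache
# --- Reverse proxy (front end); all names and paths are placeholders ---
<VirtualHost *:443>
    ServerName proxy.example.com

    # Step 1: mod_ssl terminates the client's TLS session here.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/proxy.example.com.crt
    SSLCertificateKeyFile /etc/ssl/proxy.example.com.key

    # Client certificates are verified by the proxy, not by the origin.
    SSLVerifyClient require
    SSLVerifyDepth  2
    SSLCACertificateFile /etc/ssl/client-ca.crt

    # Forward what mod_ssl learned about the client session.
    # "set" overwrites any header of the same name sent by the client,
    # so a client cannot supply its own values.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Protocol      "%{SSL_PROTOCOL}s"
    RequestHeader set X-SSL-Cipher        "%{SSL_CIPHER}s"

    # Steps 2 and 3: mod_proxy opens a separate TLS session to the origin.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/origin-ca.crt
    # The proxy's own certificate and key (PEM, concatenated), presented
    # to the origin. The client's private key is never available here.
    SSLProxyMachineCertificateFile /etc/ssl/proxy-client.pem

    ProxyPass        / https://origin.internal.example/
    ProxyPassReverse / https://origin.internal.example/
</VirtualHost>

# --- Origin server; accepts connections only from the proxy ---
<VirtualHost *:443>
    ServerName origin.internal.example
    SSLEngine on
    SSLCertificateFile    /etc/ssl/origin.internal.example.crt
    SSLCertificateKeyFile /etc/ssl/origin.internal.example.key

    # Require a certificate issued by a CA used only for the proxy, so the
    # X-SSL-* headers are only ever read from an authenticated proxy.
    SSLVerifyClient require
    SSLCACertificateFile /etc/ssl/proxy-ca.crt
</VirtualHost>
```

The origin application reads the X-SSL-* headers as assertions made by the proxy; the protocol and cipher headers describe the client-to-proxy session, not the proxy-to-origin one.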

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.