On 3/14/2014 3:39 PM, Bill Beattie wrote:
> Hello,
>
> Pardon my ignorance as I am new to Apache.
>
> We would like to use Apache 2.4 as a reverse proxy (located outside
> firewall) to an internal IIS web server hosting an SSL based website.
>
> The basic install of Apache has been completed, running on a Windows
> 2008 R2 box. I am using a compiled version of Apache.
>
> The IIS webserver is running on Windows 2008 R2.
>
> Question is should the SSL certificate be installed on the IIS
> webserver, having the reverse proxy just direct traffic to it OR
> should the SSL certificate be installed on the reverse proxy? Which
> method is best for security? What steps are involved to configure the
> Apache reverse proxy to make it work?
>
> I have spent a lot of time already reading through many documents,
> etc. but I cannot find any relating to my scenario.
>
> Thank you very much for your time. It is greatly appreciated!
>
Hi, Bill;

Since the reverse proxy (httpd 2.4) is the server that will be handling the connection with the client, you will want to configure SSL on the reverse proxy.

Tip: Configuration of SSL between httpd and IIS is optional but may be a good idea if IIS ever generates a full link or redirect. When httpd generates such things, it uses the protocol that it answered (so if you speak cleartext to apache, the Location header will have http://). My guess is that IIS would behave similarly.

--
Daniel Ruggeri
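
A configuration sketch of the setup described in the reply, added here as an example and not part of the original thread: the certificate lives on the httpd 2.4 reverse proxy, and the optional second TLS leg to IIS is enabled with backend certificate verification. The hostnames `www.example.com` and `iis.internal.example` and all file paths are placeholders.

```apache
# Added example; hostnames and certificate paths are placeholders.
# Needs mod_ssl, mod_proxy and mod_proxy_http loaded in httpd.conf.

# Omit this line if an included file (e.g. httpd-ssl.conf) already declares it.
Listen 443

<VirtualHost *:443>
    ServerName www.example.com

    # Client-facing TLS terminates on the proxy, so the public
    # certificate and its private key are installed here.
    SSLEngine on
    SSLCertificateFile    "conf/ssl/www.example.com.crt"
    SSLCertificateKeyFile "conf/ssl/www.example.com.key"

    # Reverse proxy only: never relay arbitrary client-chosen URLs.
    ProxyRequests Off

    # Optional second TLS leg to IIS. IIS then answers an https request
    # and builds https:// links and redirects, per the tip in the reply.
    SSLProxyEngine on

    # Verify the IIS certificate against the internal CA and check that
    # its name matches the backend hostname, so the proxy does not accept
    # whatever certificate is presented on the internal network.
    SSLProxyVerify require
    SSLProxyCheckPeerName on
    SSLProxyCACertificateFile "conf/ssl/internal-ca.crt"

    # Forward everything to IIS; ProxyPassReverse rewrites Location
    # headers that point at the backend so clients are not redirected
    # to the internal hostname.
    ProxyPass        "/" "https://iis.internal.example/"
    ProxyPassReverse "/" "https://iis.internal.example/"
</VirtualHost>
```

Running `httpd -t` after editing checks the syntax before the service is restarted.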