[users@httpd] SSL Proxy to back end servers

[wi <ic...@gmail.com>]

Hi all

I have an Apache instance that is functioning as a reverse proxy for our app
server. For standard http, this works fine. However, we'd like to send SSL
traffic through the proxy to the back end server. I don't want to decrypt
the traffic at the Apache instance, just re-route it to the back end?

I can't seem to find a way to do this, without doing the decryption. Is
mod_proxy up for this?

thanks
Wayne

-- 
2X7 -> %A-3+ -> %K-7+ -> %9-?+ -> %Q-8 -> ?9-?9+

Re: [users@httpd] SSL Proxy to back end servers

[Joshua Slive <jo...@slive.ca>]

On 4/30/07, wi <ic...@gmail.com> wrote:
> Hi all
>
> I have an Apache instance that is functioning as a reverse proxy for our app
> server. For standard http, this works fine. However, we'd like to send SSL
> traffic through the proxy to the back end server. I don't want to decrypt
> the traffic at the Apache instance, just re-route it to the back end?
>
> I can't seem to find a way to do this, without doing the decryption. Is
> mod_proxy up for this?

I don't think you can reverse-proxy ssl. Since everything is
encrypted, there is nothing for a reverse-proxy to handle -- just a
raw stream of bytes. For a forward proxy, this is handled using the
CONNECT method; but obviously the client needs to know about the proxy
to use that.

Luckily there is an easy alternative. Just use "port forwarding" at
the OS or firewall-level. Since there is no processing that can be
done at the apache-level (due to the encryption) you don't lose
anything by doing simple port-forwarding.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org