You are viewing a plain text version of this content. The canonical link for it is here.

Posted to modproxy-dev@apache.org by Michael <ip...@hotmail.com> on 2002/06/27 02:49:06 UTC

Reverse Proxy https question

I am trying to Reverse Proxy HTTPS connections in the following manner:

CLIENT Browser (https://secure-site.com) -> Apache 2.0 Reverse Proxy, posing as secure-site.com (non-ssl, non-decrypting, just passing the https through) -> Sonicwall SSL Accelerator (a stand-alone HW device for  SSL decryption/encryption, hosting the certificate for secure-site.com, decrypting the SSL connection) -> WEBSERVER (non-SSL)

The purpose for this design is to keep the webserver behind a layer of switches (for VLANS and ACLS) and Cisco Content Servers (which act as a router and load balancer) and keep the Apache proxy server as the "edge presence" of the website. 

What happens with this configuration is:
1) The client browser connects to the Apache proxy
2) The Apache proxy server connects to the SSL accelerator with HTTPS sucessfully, as seen in the debug-level Apache log files. 
3) The browser waits, waits and waits...
4) The Apache proxy sits, sits and sits. 
5) The Webserver DOES see the non-ssl connection. The information in the access log is:
    "Client IPAddress - - [25/Jun/2002:17:04:18 -0700] "?L / HTTP/1.0" 302 0 "
5) Eventually the client browser gives up and times out.

If I install the certificate for secure-site.com on the Apache reverse proxy server and enable SSL , then the Apache reverse proxy will connect with SSL to both the browser and the downstream webserver. This works, but is pointless as it loads the Proxy server's CPU with SSL encryption/decryption. That's what we have the SSL accelerators for.


What is missing in my config? Is this setup even possible?
Any comments?

Thanks in advance.

-Michael


--------------


This is the Apache config I am using:
----------
Listen IPAddress:443
LogLevel debug
<VirtualHost IPAddress:443>
        SSLProxyEngine On
        ServerName              web-site
        ProxyPass               /       https://secure-site.com
        ProxyPassReverse        /       https://secure-site.com
</VirtualHost>


------------
Server version: Apache/2.0.39
Server built:   Jun 25 2002 16:11:49

-----------
Compiled in modules:
  core.c
  mod_access.c
  mod_auth.c
  mod_include.c
  mod_log_config.c
  mod_env.c
  mod_setenvif.c
  mod_proxy.c
  proxy_connect.c
  proxy_ftp.c
  proxy_http.c
  mod_ssl.c
  prefork.c
  http_core.c
  mod_mime.c
  mod_status.c
  mod_autoindex.c
  mod_asis.c
  mod_cgi.c
  mod_negotiation.c
  mod_dir.c
  mod_imap.c
  mod_actions.c
  mod_userdir.c
  mod_alias.c
  mod_so.c

Re: Reverse Proxy https question

Posted by Graham Leggett <mi...@sharp.fm>.

Michael wrote:

> I am trying to Reverse Proxy HTTPS connections in the following manner:
>  
> CLIENT Browser (https://secure-site.com) -> Apache 2.0 Reverse Proxy, 
> posing as secure-site.com (non-ssl, non-decrypting, just passing the 
> https through)  -> Sonicwall SSL Accelerator (a stand-alone HW device
> for  SSL decryption/encryption, hosting the certificate 
> for secure-site.com, decrypting the SSL connection) -> WEBSERVER (non-SSL)
>  
> The purpose for this design is to keep the webserver behind a layer of 
> switches (for VLANS and ACLS) and Cisco Content Servers (which act as a 
> router and load balancer) and keep the Apache proxy server as the "edge 
> presence" of the website.

I don't know very much about SSL accelerators (is this a standalone 
server, or hardware acceleration for an existing server of some kind?), 
but regardless putting anything between the browser and the SSL 
accelerator isn't going to work. The connection between browser and 
accelerator is encrypted, so an HTTP proxy of any kind between them 
isn't going to serve any purpose.

> If I install the certificate for secure-site.com on the Apache reverse 
> proxy server and enable SSL , then the Apache reverse proxy will connect 
> with SSL to both the browser and the downstream webserver. This works, 
> but is pointless as it loads the Proxy server's CPU with SSL 
> encryption/decryption. That's what we have the SSL accelerators for.

> This is the Apache config I am using:
> ----------
> Listen IPAddress:443
> LogLevel debug
> <VirtualHost IPAddress:443>
>         SSLProxyEngine On
>         ServerName              web-site
>         ProxyPass               /       https://secure-site.com
>         ProxyPassReverse        /       https://secure-site.com
> </VirtualHost>

 From what it looks like, you have Apache listening on port 443 (the 
HTTPS port) without telling it to speak HTTPS, so the connection just hangs.

The second thing you have is that the Apache proxy is now talking SSL to 
the backend accelerator - which will increase your server load, not 
decrease it, as the content is being encrypted by the accelerator, 
decrypted by the proxy, encrypted a second time by the proxy, and given 
to the browser.

What you need to do is put the accelerator at the outside, which in turn 
talks unencrypted HTTP to Apache, which in turn talks unencrypted HTTP 
to the loadbalanced backend. Thus Apache does caching and URL management 
, but no encryption.

Regards,
Graham
-- 
-----------------------------------------
minfrin@sharp.fm 
	"There's a moon
					over Bourbon Street
						tonight..."