Posted to users@httpd.apache.org by Stefan Bauer <st...@cubewerk.de> on 2012/05/14 14:17:48 UTC

[users@httpd] apache as ssl-proxy - recommended way?

Dear Users,

What is the recommended way to achieve the following:

Client-with-Smartphone -> domain:443(Apache) --> internal server (webmail:443)


We want to configure Apache2 as SSL-Proxy but are unsure which modules are required and if mod_ssl is required at all?

Please bring some light into that topic.

cheers


Stefan

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: AW: [users@httpd] apache as ssl-proxy - recommended way?

Posted by Giles Coochey <gi...@coochey.net>.
On 14/05/2012 14:26, Stefan Bauer wrote:
>
> thank you for your answer. Unfortunately we want to have several machines behind the proxy. So if I understood you correctly, mod_ssl is required for mod_proxy even though we _only_ want to forward specific requests like .. ?
>
> domain:443/webmail -->  webmail:443
> domain:443/sharepoint -->  sharepoint:443
> domain:443/wiki -->  wiki:443
>
> The client should talk to the servers directly. According to the path /webmail or /sharepoint, the decisions should be made by apache to which server the forward is made.
>
>
Unfortunately, the URI path is not readable unless the proxy first 
decrypts the request. At which point there is no point in re-encrypting 
the data just to forward it to one of your web-farm servers.
A better way:

domain:443/webmail (Proxy, strip SSL (mod_ssl), route (mod_proxy)) ---> webmail:80
domain:443/sharepoint (Proxy, strip SSL, route) --> sharepoint:80

and so on.

The issue you may have is having unencrypted traffic between the proxy 
and your farm, you _can_ re-encrypt the traffic, but it's a pain and 
usually unnecessary overhead. You might be better off having host to 
host IPsec tunnels if you're concerned with traffic being visible on the 
wire.
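
The layout described in the reply above, as an added example that is not part of the original message: TLS ends at the proxy, mod_proxy routes by path, and one backend is re-encrypted with certificate verification to show that variant. Host names are the ones used in the thread; certificate paths, module paths and the backend URL paths are assumptions.

```apache
# mod_ssl terminates TLS; mod_proxy and mod_proxy_http route the request.
# Module paths are assumptions and vary by distribution.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

Listen 443

<VirtualHost *:443>
    ServerName domain

    # TLS ends here. Only after decryption can the URI path be read.
    # Certificate and key paths are placeholders.
    SSLEngine on
    SSLCertificateFile    /path/to/domain.crt
    SSLCertificateKeyFile /path/to/domain.key

    # Reverse proxy only: do not accept arbitrary forward-proxy requests.
    ProxyRequests Off

    # Plain HTTP to the farm, as suggested in the reply. This traffic is
    # readable on the internal wire unless protected some other way
    # (for example host-to-host IPsec).
    # Assumption: each backend serves the application under the same path.
    ProxyPass        /webmail/    http://webmail/webmail/
    ProxyPassReverse /webmail/    http://webmail/webmail/
    ProxyPass        /sharepoint/ http://sharepoint/sharepoint/
    ProxyPassReverse /sharepoint/ http://sharepoint/sharepoint/

    # Variant: decrypt, then re-encrypt to the backend.
    # Without the verify settings the proxy accepts any backend certificate.
    # SSLProxyCheckPeerName is available in httpd 2.4.5 and later.
    SSLProxyEngine            on
    SSLProxyVerify            require
    SSLProxyCACertificateFile /path/to/internal-ca.pem
    SSLProxyCheckPeerName     on
    ProxyPass        /wiki/ https://wiki/wiki/
    ProxyPassReverse /wiki/ https://wiki/wiki/
</VirtualHost>
```

Running apachectl configtest before reloading checks the syntax.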


Re: [users@httpd] apache as ssl-proxy - recommended way?

Posted by Jonas Eckerman <jo...@truls.org>.
On 2012-05-14 15:26, Stefan Bauer wrote:

> Unfortunately we want to have several machines behind the proxy.

> The client should talk to the servers directly.

You have to decide which it is. Either the client talks to a proxy that 
talks to the server OR the client talks directly to the server.

 > according to the path /webmail or /sharepoint, the decisions should
 > be made by apache to which server the forward is made.

"Forwarding" could mean proxying or redirecting. If you want the client 
to talk directly to the servers, you are looking at redirecting the 
request rather than proxying.

If you put the servers behind a proxy, the clients will not talk 
directly to the servers.

Regards
/Jonas
-- 
Jonas Eckerman
http://www.truls.org/



AW: [users@httpd] apache as ssl-proxy - recommended way?

Posted by Stefan Bauer <st...@cubewerk.de>.
-----Original Message-----
From:	Giles Coochey <gi...@coochey.net>
Sent:	Mon 14.05.2012 14:45
Subject:	Re: [users@httpd] apache as ssl-proxy - recommended way?
Attachment:	untitled
To:	users@httpd.apache.org;
> On 14/05/2012 13:17, Stefan Bauer wrote:
> > Dear Users,
> >
> > What is the recommended way to achieve the following:
> >
> > Client-with-Smartphone ->  domain:443(Apache) -->  internal server (webmail:443)
> You can install Apache on a system to strip the SSL layer, but in the 
> diagram above it appears that your internal server is still running 
> HTTPS. If you just want to route HTTPS sessions (which are encrypted and 
> cannot be viewed or acted upon in any way) then you just want a firewall 
> with port forwarding.
> If you actually want to decrypt and then re-encrypt (why??) then you can 
> do this with mod_proxy and mod_ssl...

thank you for your answer. Unfortunately we want to have several machines behind the proxy. So if I understood you correctly, mod_ssl is required for mod_proxy even though we _only_ want to forward specific requests like .. ?

domain:443/webmail --> webmail:443
domain:443/sharepoint --> sharepoint:443
domain:443/wiki --> wiki:443

The client should talk to the servers directly. According to the path /webmail or /sharepoint, the decisions should be made by apache to which server the forward is made.

thank you in advance

stefan



Re: [users@httpd] apache as ssl-proxy - recommended way?

Posted by Giles Coochey <gi...@coochey.net>.
On 14/05/2012 13:17, Stefan Bauer wrote:
> Dear Users,
>
> What is the recommended way to achieve the following:
>
> Client-with-Smartphone ->  domain:443(Apache) -->  internal server (webmail:443)
You can install Apache on a system to strip the SSL layer, but in the 
diagram above it appears that your internal server is still running 
HTTPS. If you just want to route HTTPS sessions (which are encrypted and 
cannot be viewed or acted upon in any way) then you just want a firewall 
with port forwarding.
If you actually want to decrypt and then re-encrypt (why??) then you can 
do this with mod_proxy and mod_ssl...
>
> We want to configure Apache2 as SSL-Proxy but are unsure which modules are required and if mod_ssl is required at all?
>
> Please bring some light into that topic.
>