Posted to users@httpd.apache.org by PeterKorman <ca...@eigenvision.com> on 2002/11/13 01:13:18 UTC

Re: [users@httpd] SSL and two apache servers -- making ssl relay work.

On Tue, Nov 12, 2002 at 12:48:35PM -0800, rdkurth@starband.net wrote:
> My questions are probably stupid but I am not sure what to even ask to
> get the answers I need so here goes.
> I have two Apache servers installed on Linux.
> The first server handles all the virtual sites; the second handles a
> control panel for managing the server. That is all it does; it is not
> used for anything else.

If I understand your post correctly, I asked a general question like
this a while back. Never got an answer. I'd be happy with a text that
discusses the possibilities.  I wanna run a webmail server where you
run your control panel. Servers are on 2 different physical machines.  I
can proxypass and proxypassreverse back and forth through to the second
machine until I want to use SSL. SSL breaks the path.

What I could find suggests that the SSL stuff must only be between the
client browser and the relay server (your virtual site server).  The
relay server must then exchange cleartext with the control panel. This
is (allegedly) because an SSL Server-End connection won't let a relay
machine know enough about the packets for the relay server to do its
job. Client to server relay works without a hitch through an SSL
pipe. But Server-to-Server-to-client is a different matter.

I don't have knowledge at the ladder diagram level for SSL.  I'd guess I
could give a more precise (and more confusing) explanation if I did.

I'm not sure apache can do what's required, but I'd be delighted if it
could. I'm almost sure it's a black art.  It's possible that you can do
all relays through squid. Squid advertises SSL proxy capability, but
back when I tried it, squid SSL proxy capability was still pretty new. I
ran too high on frustration and too low on energy before the solution
emerged.

Sorry I can't be more help.

Cheers,

JPK

Re: [users@httpd] SSL and two apache servers -- making ssl relay work.

Posted by PeterKorman <ca...@eigenvision.com>.
On Tue, Nov 12, 2002 at 04:58:07PM -0800, J. Greenlees wrote:
> PeterKorman wrote:
> >On Tue, Nov 12, 2002 at 12:48:35PM -0800, rdkurth@starband.net wrote:
> >
> >>My questions are probably stupid but I am not sure what to even ask to
> >>get the answers I need so here goes.
> >>I have two Apache servers installed on Linux.
> >>The first server handles all the virtual sites; the second handles a
> >>control panel for managing the server. That is all it does; it is not
> >>used for anything else.
> >
> >
> >If I understand your post correctly, I asked a general question like
> >this a while back. Never got an answer. I'd be happy with a text that
> >discusses the possibilities.  I wanna run a webmail server where you
> >run your control panel. Servers are on 2 different physical machines.  I
> >can proxypass and proxypassreverse back and forth through to the second
> >machine until I want to use SSL. SSL breaks the path.
> >
> >What I could find suggests that the SSL stuff must only be between the
> >client browser and the relay server (your virtual site server).  The
> >relay server must then exchange cleartext with the control panel. This
> >is (allegedly) because an SSL Server-End connection won't let a relay
> >machine know enough about the packets for the relay server to do its
> >job. Client to server relay works without a hitch through an SSL
> >pipe. But Server-to-Server-to-client is a different matter.
> >
> >I don't have knowledge at the ladder diagram level for SSL.  I'd guess I
> >could give a more precise (and more confusing) explanation if I did.
> >
> >I'm not sure apache can do what's required, but I'd be delighted if it
> >could. I'm almost sure it's a black art.  It's possible that you can do
> >all relays through squid. Squid advertises SSL proxy capability, but
> >back when I tried it, squid SSL proxy capability was still pretty new. I
> >ran too high on frustration and too low on energy before the solution
> >emerged.
> >
> >Sorry I can't be more help.
>
> you would have to have a separate ssl connection between the two 
> servers, rather than the same one. it may only work if all traffic 
> between the two is on same certificate, then the proxy server sends to 
> client on the site's certificate.
> 
> haven't tried squid myself so I don't know if it would work for this.

Server to Server SSL? Can you suggest a document that discusses 
the particulars?

I guess internal servers could just keep a persistent SSL connection.
But I don't know how I would initiate that connection.

JPK

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] SSL and two apache servers -- making ssl relay work.

Posted by "J. Greenlees" <ja...@shaw.ca>.
you would have to have a separate ssl connection between the two 
servers, rather than the same one. it may only work if all traffic 
between the two is on same certificate, then the proxy server sends to 
client on the site's certificate.

haven't tried squid myself so I don't know if it would work for this.

PeterKorman wrote:
> On Tue, Nov 12, 2002 at 12:48:35PM -0800, rdkurth@starband.net wrote:
> 
>>My questions are probably stupid but I am not sure what to even ask to
>>get the answers I need so here goes.
>>I have two Apache servers installed on Linux.
>>The first server handles all the virtual sites; the second handles a
>>control panel for managing the server. That is all it does; it is not
>>used for anything else.
> 
> 
> If I understand your post correctly, I asked a general question like
> this a while back. Never got an answer. I'd be happy with a text that
> discusses the possibilities.  I wanna run a webmail server where you
> run your control panel. Servers are on 2 different physical machines.  I
> can proxypass and proxypassreverse back and forth through to the second
> machine until I want to use SSL. SSL breaks the path.
> 
> What I could find suggests that the SSL stuff must only be between the
> client browser and the relay server (your virtual site server).  The
> relay server must then exchange cleartext with the control panel. This
> is (allegedly) because an SSL Server-End connection won't let a relay
> machine know enough about the packets for the relay server to do its
> job. Client to server relay works without a hitch through an SSL
> pipe. But Server-to-Server-to-client is a different matter.
> 
> I don't have knowledge at the ladder diagram level for SSL.  I'd guess I
> could give a more precise (and more confusing) explanation if I did.
> 
> I'm not sure apache can do what's required, but I'd be delighted if it
> could. I'm almost sure it's a black art.  It's possible that you can do
> all relays through squid. Squid advertises SSL proxy capability, but
> back when I tried it, squid SSL proxy capability was still pretty new. I
> ran too high on frustration and too low on energy before the solution
> emerged.
> 
> Sorry I can't be more help.
> 
> Cheers,
> 
> JPK
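
Added example, not part of any post in this thread: one way to set up the separate server-to-server SSL connection J. Greenlees describes, using mod_ssl's SSLProxyEngine on the front (relay) server. Hostnames, ports and file paths are placeholders, and SSLProxyCheckPeerName assumes Apache 2.4.5 or later.

```apache
# Front ("relay") server. All names and paths below are placeholders.
LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so

Listen 443
<VirtualHost *:443>
    ServerName www.example.com

    # Leg 1: browser <-> relay. The relay terminates the client's SSL
    # session with the public site's certificate, so it sees plain HTTP
    # requests and can route them.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/ssl/www.example.com.key

    # Leg 2: relay <-> control panel. The relay acts as an SSL client and
    # opens its own, separate SSL connection to the backend.
    SSLProxyEngine on

    # Without these, the relay encrypts to the backend but accepts any
    # certificate it is shown. Require one signed by the internal CA and
    # matching the backend's hostname.
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/httpd/ssl/internal-ca.crt
    SSLProxyCheckPeerName     on

    # Reverse proxy only; never an open forward proxy.
    ProxyRequests Off

    # https:// in the target is what makes leg 2 use SSL.
    ProxyPass        /panel/ https://panel.internal.example:8443/
    ProxyPassReverse /panel/ https://panel.internal.example:8443/
</VirtualHost>

# Cleartext variant, for comparison: the relay-to-panel leg carries
# control panel logins unencrypted across the network between the two
# machines.
#    ProxyPass        /panel/ http://panel.internal.example:8080/
#    ProxyPassReverse /panel/ http://panel.internal.example:8080/
```

The control panel server needs its own virtual host on port 8443 with SSLEngine on and a certificate issued by the CA named in SSLProxyCACertificateFile, with a subject matching the hostname used in ProxyPass.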


