I was curious about the last scenario.

2. The Server Side Proxy (a.k.a., Reverse Proxy)

          Public Internet         Intranet
[browser]---------------------[proxy]----------[server]
                SSL                   plain

In this case, does the proxy have to convert the URIs from browser as well
as terminate the SSL connection?

Specifically, does the proxy have to convert the URI from the browser by
changing https:// to http:// to the server?

Does the proxy have to convert the URI from the server by changing http://
to https:// when going in the reverse direction?

Thanks,
Bruce

On Dec 7, 2007 6:35 PM, Nelson Bolyard <[EMAIL PROTECTED]> wrote:
> Florian Weimer wrote, On 2007-12-07 02:54:
> > Is it possible to configure NSS (or, more precisely, Firefox) to
> > terminate SSL connections on the web proxy, so that the proxy receives
> > requests in the clear (and handles the certificate verification)?
>
> I think, but am not certain, that you're describing something like this:
>
>      Intranet           public Internet
> [browser]----------[proxy]---------------------[server]
>            plain                  SSL
>
> and you're asking if the browser can be configured so that when it
> attempts to fetch an https URL, it does not use SSL itself, but sends
> the request unencrypted as an http request to a proxy on the client's
> side of the Internet, and SSL is used between the proxy and the server,
> but not between the browser and the proxy.
>
> If that's what you're asking, the answer is: no. The browser cannot be
> configured to fetch an https URL without using SSL itself.
>
> You might be asking about either of these alternatives, both of which
> assume that the browser is attempting to fetch an https URL:
>
> 1. The Man-In-The-Middle proxy
>
>      Intranet           public Internet
> [browser]----------[proxy]---------------------[server]
>             SSL                   SSL
>
> In this picture, the browser is using SSL to talk to the proxy, and
> the proxy is using SSL to talk to the server. The SSL is not
> "end to end". The proxy decrypts everything coming in one side and
> encrypts it before sending it outside the other. This is called a
> "Man In The Middle" (as I'm sure you know). It is possible to
> configure a browser to work with such a proxy, by configuring the
> browser to accept certificates from a pseudo-CA that operates in the
> proxy. In the absence of such configuration, the browser should be able
> to detect all attempts to do this, as being attacks on the secure
> communications. (I'm sure you know this.)
>
>
> 2. The Server Side Proxy (a.k.a., Reverse Proxy)
>
>           Public Internet         Intranet
> [browser]---------------------[proxy]----------[server]
>                 SSL                   plain
>
> Here the proxy acts as the server, as seen by the Internet. The browser
> connects to the proxy via https with SSL, and the proxy sends the
> request on to the true "back end" server as an ordinary http request, in
> plain text, unencrypted. This sort of thing happens all the time, and
> requires no special browser configuration. The browser simply thinks
> that the proxy is the server in the https URL, and contacts it normally
> with SSL.
>
> If you're asking about something else, please explain.
>
> _______________________________________________
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
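
The reverse-proxy scenario asked about above, as an added example that is not part of the original thread or of any product's code: a sketch of the header handling a TLS-terminating reverse proxy commonly performs. The host names, the `X-Forwarded-Proto` convention and the two function names are assumptions chosen for illustration.

```python
# Added illustration: header handling in a TLS-terminating reverse proxy.
# Host names are constructed placeholders, not values from the thread.
from urllib.parse import urlsplit, urlunsplit

PUBLIC_HOST = "www.example.test"  # name in the browser's https URL (assumed)
# Authorities the backend might put in absolute URLs it generates (assumed).
BACKEND_HOSTS = {"app.internal.test:8080", PUBLIC_HOST}


def to_backend_request(target, headers):
    """Map a request received over SSL to the plain-HTTP backend request.

    `headers` is a dict keyed by canonical header names (assumption).
    """
    parts = urlsplit(target)
    # Browsers normally send origin-form ("/path?query"), which carries no
    # scheme, so there is no https:// to convert. If a client does send
    # absolute-form, reduce it to origin-form for the backend.
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    out = dict(headers)
    out["Host"] = PUBLIC_HOST
    # Set by the proxy itself, replacing a client-supplied value of the same
    # name, so the backend knows the original scheme was https.
    out["X-Forwarded-Proto"] = "https"
    return path, out


def to_client_response(headers):
    """Rewrite absolute http:// redirects from the backend to public https://."""
    out = dict(headers)
    loc = out.get("Location")
    if loc:
        parts = urlsplit(loc)
        # Only touch redirects that point back at this site; relative
        # redirects and redirects to other sites pass through unchanged.
        if parts.scheme == "http" and parts.netloc in BACKEND_HOSTS:
            out["Location"] = urlunsplit(
                ("https", PUBLIC_HOST, parts.path, parts.query, parts.fragment))
    return out
```

Absolute URLs embedded in response bodies are outside what this sketch handles; a backend that honours the forwarded scheme can generate https links itself.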