On 07.02.2017 at 21:33, Yann Ylavic wrote:
My point is that we are not changing/masquerading something which is remote here (like the client IP address), we are making it so that the applications and httpd itself think they are locally talking SSL/TLS. Thus they will send things like "; Secure" cookies in "clear" on the wire, or anything which is expected to not be eavesdrop-able. I'd like others from the community to give their opinions here, for now I find this quite opposite to TLS principles/expectations...
it's exactly how it should work - proxy to backend unencrypted, caching on the proxy and transport security between proxy endpoint and web client
that is what is meant by "TLS offloading" - it's not your problem how secure that wire is, on our VMware-cluster the hosts even don't talk about a switch - they are directly connected for internal traffic and so that wire is as secure as the virtual machine itself
