I think that you understood my original statement (but your implementation
isn't an example of what I meant).
Just to clarify, what I meant was that two separate SSL/TLS sessions should
exist, one between the client and the proxy server, and another between the
proxy server and the end web server.
Here's an attempt at an ascii art drawing of what I meant
Client        internet        Firewall        Proxy Server (RP)        DMZ        Web Server
x--------------------------443--------------------------x x-----------(also 443)-----------x
Machines are on a DMZ because they may be compromised, so this way you can
assume that even if some machines on your DMZ are compromised, they still
can't sniff the traffic that is going between the Proxy Server and the Web
Server. You also have the benefit of the RP enforcing HTTP.
The RP would need to be a powerful box to handle two sets of SSL traffic per
connection... You may decide that just having a switched DMZ is enough, and
that the risk/cost trade-off doesn't justify a machine capable of handling
all that SSL traffic.
As far as I'm aware MS Proxy 2.0 isn't capable of two SSL sessions (as shown
above). Does anyone know for sure (or of any products that can)?
Cheers,
Alex Hague :-)
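The two-session layout Alex describes, as an added configuration example that is not part of the original thread: an nginx reverse proxy standing in for the RP box (the thread does not settle whether MS Proxy 2.0 can do this), terminating the client's TLS session on 443 and opening a second, certificate-verified TLS session to the DMZ web server instead of Brian's plain-HTTP backend link. Hostnames, certificate paths and the backend address are assumed placeholders.

```nginx
# Added example (not from the thread): nginx as the reverse proxy (RP) in the
# diagram. Two independent TLS sessions: client <-> RP on 443, and RP <-> DMZ
# web server on 443. All names, paths and addresses below are assumptions.

server {
    listen 443 ssl;
    server_name rp.example.com;                        # assumed public name

    # Session 1: client <-> RP, terminated here on the RP's own certificate.
    ssl_certificate     /etc/nginx/tls/rp.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/rp.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Session 2: RP <-> DMZ web server, re-encrypted rather than sent as
        # plain HTTP, so other DMZ hosts cannot sniff the proxy-to-server leg.
        proxy_pass https://web1.dmz.example.internal:443;   # assumed backend

        # Verify the backend's certificate against the internal CA, so a
        # compromised DMZ host cannot impersonate the web server to the RP.
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         2;
        proxy_ssl_trusted_certificate  /etc/nginx/tls/dmz-internal-ca.pem;
        proxy_ssl_name                 web1.dmz.example.internal;
        proxy_ssl_server_name          on;
        proxy_ssl_protocols            TLSv1.2 TLSv1.3;
        # Reuse backend TLS sessions to offset the cost of the second handshake.
        proxy_ssl_session_reuse        on;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

If the web server should also authenticate the RP, add proxy_ssl_certificate and proxy_ssl_certificate_key in the same location block so the RP presents a client certificate on the second session.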
-----Original Message-----
From: Brian Steele [mailto:[EMAIL PROTECTED]]
Sent: Friday, 16 February 2001 16:36
To: [EMAIL PROTECTED]
Subject: Re: Reverse proxy
I believe MSP2.0 works this way. In the case of our particular
implementation, an SSL link is created between the client and the proxy
server, but the link between the proxy server and internal server is via
basic http.
Or perhaps I'm just misunderstanding your statement :-).
Brian Steele
----- Original Message -----
From: "Hague, Alex" <[EMAIL PROTECTED]>
To: "Peter Bruderer" <[EMAIL PROTECTED]>
Cc: <[EMAIL PROTECTED]>
Sent: Thursday, February 15, 2001 8:19 PM
Subject: RE: Reverse proxy
[snip]
> In an ideal world you would have the SSL/TLS session terminating at the
> reverse proxy and another session being created between it and the web
> server it's talking to.
[snip]
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]