Simon Ritchie wrote:
>
> > No. Simple rewrite rule to proxy https traffic, generates https->https,
> > which isn't decrypted to http, but passed as-is.
>
> I don't understand that. According to me, in an https transaction, the
> request is encrypted as well as the response. To rewrite the request, the
> proxy must be able to decrypt it, so the client must use keys supplied by
> and usable by the proxy.
Yes. There are currently 4 types of SSL rewrite:

1. http->http. No SSL is involved.

2. The client generates a simple request, the proxy rewrites it to https and
   sends the request to an https server, an encrypted response comes from the
   server, is decrypted by the proxy, and passed (as a simple response) to the
   client.

3. The client accesses the proxy as an https server, the proxy (using its own
   certificate key) decrypts it and generates a simple http request, sends it
   to the backend, receives a simple response, encrypts it, and sends it to
   the client.

4. https->https: this special mode was introduced a long time ago in mod_ssl
   under the title "EXPERIMENTAL", and became standard later. In this mode,
   the client accesses the proxy as an https server, then the proxy passes the
   encrypted request as-is to the backend, receives an encrypted response,
   which is passed back to the client as-is.

How is filtering of SSL requests/responses done under Apache 2.0? (You may
think about mod_deflate, which compresses the content, as an example.)
Simply:

In mode #1, there is no problem at all.

In mode #2, INPUT filters are inserted anywhere BEFORE the requests are
encrypted, and OUTPUT filters are inserted anywhere AFTER the responses are
decrypted.

In mode #3, INPUT filters are inserted anywhere AFTER the requests are
decrypted, and OUTPUT filters are inserted anywhere BEFORE the responses are
encrypted.

In mode #4 it is impossible.

There is a workaround for #4: you can run 2 sessions of Apache (or different
ports of the same Apache), one for https->http and one for http->https, and
it should do the miracle.

I think that Apache must support https->http->https in one pass, at least now
that filtering is a standard infrastructure in Apache (2.0), and some standard
modules are even based on it (such as mod_include).

> Am I missing something here?

No.

--
Eli Marmor
[EMAIL PROTECTED]
CTO, Founder
Netmask (El-Mar) Internet Technologies Ltd.
__________________________________________________________
Tel.:   +972-9-766-1020        8 Yad-Harutzim St.
Fax.:   +972-9-766-1314        P.O.B. 7004
Mobile: +972-50-23-7338        Kfar-Saba 44641, Israel
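The two-port workaround for mode #4 described in the message above, written out as an added httpd.conf example. It is not code from the thread or from the Apache project: it chains a mode #3 vhost (TLS from the client, plaintext onwards) into a mode #2 vhost (plaintext in, TLS towards the backend) on one Apache 2.0 instance, so that a filter such as mod_deflate can see the cleartext on either hop. The hostname backend.example.internal, the ports, the certificate and CA file paths, and the choice of DEFLATE as the filter are all assumptions.

```apache
# Added example (not from the thread, not Apache project code): the two-hop
# workaround for filtering https->https traffic, built from a mode #3 vhost
# chained into a mode #2 vhost on the same Apache 2.0 instance.
# backend.example.internal, the ports and the file paths are assumed placeholders.

ProxyRequests Off                     # reverse proxy only, never an open forward proxy

# Hop 1 (mode #3, https->http): the client talks TLS to this vhost, mod_ssl
# decrypts with the proxy's own key, and the request is forwarded in clear
# to hop 2 on the loopback interface.
Listen 443
<VirtualHost *:443>
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/proxy.crt
    SSLCertificateKeyFile /etc/apache2/ssl/proxy.key

    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # OUTPUT filters on this vhost see the response after hop 2 has handed it
    # over in clear and before mod_ssl re-encrypts it for the client
    # (the mode #3 rule: INPUT after decryption, OUTPUT before encryption).
    SetOutputFilter DEFLATE
</VirtualHost>

# Hop 2 (mode #2, http->https): plaintext request from hop 1, TLS to the real
# backend. Bound to loopback only so the cleartext hop between the two vhosts
# is not reachable from the network.
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    SSLProxyEngine on                 # allow ProxyPass to an https:// target

    # Without these two lines mod_ssl does not verify the backend certificate
    # (SSLProxyVerify defaults to none); the CA path is an assumed placeholder.
    SSLProxyVerify            require
    SSLProxyCACertificateFile /etc/apache2/ssl/backend-ca.crt

    ProxyPass        / https://backend.example.internal/
    ProxyPassReverse / https://backend.example.internal/

    # INPUT filters here run before the request is encrypted towards the
    # backend, OUTPUT filters after the backend's response has been decrypted
    # (the mode #2 rule). No filter is set on this hop so the body is only
    # compressed once, on hop 1.
</VirtualHost>
```

Put the filter on one hop only: with SetOutputFilter DEFLATE on both vhosts the response would be compressed twice. The loopback leg is the price of the workaround, which is why hop 2 listens on 127.0.0.1 only; anyone who can read that interface sees the traffic in clear, which is the same exposure Eli's proposed single-pass https->http->https would keep inside one process.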
