Re: Reverse Proxy https question

27 Jun 2002 08:49:20 -0000 

Michael wrote:

I am trying to Reverse Proxy HTTPS connections in the following manner:
CLIENT Browser (https://secure-site.com) -> Apache 2.0 Reverse Proxy, posing as secure-site.com (non-ssl, non-decrypting, just passing the https through) -> Sonicwall SSL Accelerator (a stand-alone HW device
for SSL decryption/encryption, hosting the certificate for secure-site.com, decrypting the SSL connection) -> WEBSERVER (non-SSL)
The purpose for this design is to keep the webserver behind a layer of switches (for VLANS and ACLS) and Cisco Content Servers (which act as a router and load balancer) and keep the Apache proxy server as the "edge presence" of the website.

I don't know very much about SSL accelerators (is this a standalone server, or hardware acceleration for an existing server of some kind?), but regardless putting anything between the browser and the SSL accelerator isn't going to work. The connection between browser and accelerator is encrypted, so an HTTP proxy of any kind between them isn't going to serve any purpose.

If I install the certificate for secure-site.com on the Apache reverse proxy server and enable SSL , then the Apache reverse proxy will connect with SSL to both the browser and the downstream webserver. This works, but is pointless as it loads the Proxy server's CPU with SSL encryption/decryption. That's what we have the SSL accelerators for. 

This is the Apache config I am using:
----------
Listen IPAddress:443
LogLevel debug
<VirtualHost IPAddress:443>
        SSLProxyEngine On
        ServerName              web-site
        ProxyPass               /       https://secure-site.com
        ProxyPassReverse        /       https://secure-site.com
</VirtualHost>

From what it looks like, you have Apache listening on port 443 (the HTTPS port) without telling it to speak HTTPS, so the connection just hangs.

The second thing you have is that the Apache proxy is now talking SSL to the backend accelerator - which will increase your server load, not decrease it, as the content is being encrypted by the accelerator, decrypted by the proxy, encrypted a second time by the proxy, and given to the browser.

What you need to do is put the accelerator at the outside, which in turn talks unencrypted HTTP to Apache, which in turn talks unencrypted HTTP to the loadbalanced backend. Thus Apache does caching and URL management , but no encryption.

Regards,
Graham
--
-----------------------------------------
[EMAIL PROTECTED] "There's a moon
over Bourbon Street
tonight..."

Reply via email to