Jeffrey Burgoyne

Chief Technology Architect
KCSI Keenuh Consulting Services Inc
[EMAIL PROTECTED]

On Wed, 13 Oct 2004, Eric J. Hansen wrote:

> As an Apache2/mod_proxy user (not developer), I can speak for the following:
>
> > 1) SSL proxying. Due to security policies, we have a number
> > of back end app servers that require SSL from the client to
> > the server. Therefore SSL based proxying is a requirement. I
> > have never seen a definitive statement as to whether SSL
> > proxying is supported, but I've seen indications it is not,
> > and confirmed in my tests that it did not work. Are there any
> > plans to implement this feature?
>
> We're using Apache2 mod_proxy as a reverse proxy with mod_ssl enabled,
> proxying to a back-end WWW server over https.  My understanding is
> that the proxy is an SSL termination point, and it then opens a
> new SSL connection to the back-end.  You need to install certs on
> both Apache and the back-end (although they can be the exact
> same cert.)  You also need to specify the "SSLProxyEngine On" directive
> in your httpd.conf file.

Thanks, I think that is it. Coming from the 1.3 world I simply used an
https in the URL for the reverse.

When looking at the web site, I thought all the proxy directives were
under http://httpd.apache.org/docs-2.0/mod/mod_proxy.html . I missed the
comment on the third paragraph of the summary. Perhaps that section should
be a bit more prominent.



>
> A fact that you should also be aware of is that, technically speaking,
> the request/response are being decrypted and re-encrypted in the
> Apache mod_proxy process before being proxied onward to the network.
> Theoretically, this exposes you to man-in-the-middle issues... so good
> host security and the latest patches are essential.

Absolutely. In fact, most people where I am on contract think security is
way overblown. We keep the whole environment very tightly locked down.


>
> cheers
> Eric
>
>
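
The setup discussed in this thread, as an added configuration example that is not part of the original messages: an Apache 2.0 reverse proxy that terminates SSL from the client and opens a new SSL connection to the back-end. Hostnames and file paths are placeholders, and the SSLProxyVerify lines are an addition beyond what the thread mentions.

```apache
# Constructed example: hostnames and file paths are placeholders.
# Requires mod_ssl, mod_proxy and mod_proxy_http to be loaded.
Listen 443

<VirtualHost *:443>
    ServerName www.example.com

    # Client side: SSL from the browser terminates here.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/conf/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/conf/ssl/www.example.com.key

    # Back-end side: in Apache 2.x an https:// target in ProxyPass is
    # not enough on its own (the 1.3 habit mentioned in the thread).
    # This mod_ssl directive enables SSL for proxied connections.
    SSLProxyEngine on

    # Addition to the thread: SSLProxyVerify defaults to "none", so the
    # proxy would accept any back-end certificate. Requiring a chain to
    # a known CA narrows the exposure on the proxy-to-back-end hop.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/httpd/conf/ssl/backend-ca.crt

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off

    # Traffic is in cleartext inside the httpd process between the two
    # SSL sessions, which is why host hardening on the proxy matters.
    ProxyPass        /app/ https://app1.internal.example.com/app/
    ProxyPassReverse /app/ https://app1.internal.example.com/app/
</VirtualHost>
```

Run `apachectl configtest` after editing to catch a missing module or an unreadable certificate file before restarting.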
