Jeffrey Burgoyne
Chief Technology Architect
KCSI Keenuh Consulting Services Inc
[EMAIL PROTECTED]

On Wed, 13 Oct 2004, Eric J. Hansen wrote:

> As an Apache2/mod_proxy user (not developer), I can speak for the following:
>
> > 1) SSL proxying. Due to security policies, we have a number
> > of back end app servers that require SSL from the client to
> > the server. Therefore SSL based proxying is a requirement. I
> > have never seen a definitive statement as to whether SSL
> > proxying is supported, but I've seen indications it is not,
> > and confirmed in my tests that it did not work. Are there any
> > plans to implement this feature?
>
> We're using Apache2 mod_proxy as a reverse proxy with mod_ssl enabled,
> proxying to a back-end WWW server over https. My understanding is
> that the proxy is an SSL termination point, and it then opens a
> new SSL connection to the back-end. You need to install certs on
> both Apache and the back-end (although they can be the exact
> same cert.) You also need to specify the "SSLProxyEngine On" directive
> in your httpd.conf file.

Thanks, I think that is it. Coming from the 1.3 world I simply used an
https in the URL for the reverse. When looking at the web site, I thought
all the proxy directives were under
http://httpd.apache.org/docs-2.0/mod/mod_proxy.html . I missed the comment
on the third paragraph of the summary. Perhaps that section should be a
bit more prominent.

>
> A fact that you should also be aware of is that, technically speaking,
> the request/response are being decrypted and re-encrypted in the
> Apache mod_proxy process before being proxied onward to network.
> Theoretically, this exposes you to man-in-the-middle issues... so good
> host security and the latest patches are essential.

Absolutely. In fact, most people where I am on contract think security is
way overblown. We keep the whole environment very tightly locked down.

>
> cheers
> Eric
>
>
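
The two-hop setup described in this thread, sketched as an httpd.conf fragment. This is an added example, not configuration posted by either participant: the host names and file paths are placeholders, and the SSLProxyVerify and SSLProxyCACertificateFile lines are an addition that makes the proxy authenticate the back-end on the second hop.

```apache
# Added example: every host name and path below is a placeholder.
<VirtualHost *:443>
    ServerName www.example.com

    # Hop 1: client -> proxy. mod_ssl terminates the client's SSL session here.
    SSLEngine On
    SSLCertificateFile    /path/to/proxy-cert.pem
    SSLCertificateKeyFile /path/to/proxy-key.pem

    # Reverse proxy only; do not act as a forward proxy for arbitrary clients.
    ProxyRequests Off

    # Hop 2: proxy -> back-end. Without this directive mod_proxy will not
    # open https:// connections to the back-end.
    SSLProxyEngine On

    # Check the back-end's certificate against a known CA. SSLProxyVerify
    # defaults to "none", which encrypts the hop without authenticating
    # the server on the other end of it.
    SSLProxyVerify require
    SSLProxyCACertificateFile /path/to/backend-ca.pem

    ProxyPass        / https://backend.internal.example/
    ProxyPassReverse / https://backend.internal.example/
</VirtualHost>
```

Between the two hops the request and response exist in cleartext inside the httpd process, which is why the proxy host itself needs the hardening and patching discussed above.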