Hello Blair,
Sunday, August 15, 1999, you wrote:
BL> I'm looking for some good advice as to how to put mod-ssl behind a
BL> firewall such as fwtk.
BL> I think squid could be used, but I am not sure how. Does anyone know
BL> of a standard type of configuration for an SSL server?
BL> The idea is that the users might use the main web server until they
BL> need to use SSL stuff, and then they would be forwarded to an https
BL> behind the firewall. I guess the hurdle I am trying to get over is
BL> that allowing sessions behind the firewall can sometimes be a bad
BL> idea.
I've just done exactly this, though I guess just to "proof of concept"
stage, 'cause the guy I was doing the experiment for was on a short
fuse and ended up buying Netscape server (at $9000, because to act as
a reverse proxy requires an unlimited user license...)
The trick is to use a reverse proxy using mod_rewrite and mod_proxy.
Public web server is apache+mod_ssl, private web server (inside
firewall) is apache+mod_ssl. If _all_ SSL traffic is to be proxied,
just put .htaccess in your SSL virtual host DocumentRoot directory
which has a rewrite rule like
RewriteRule (.*) https://privatehost/$1 [P]
(For some reason I've never been able to make proxy rewrite rules work
in httpd.conf, only in .htaccess)
Public server carries the certificate; I don't think it really matters
what you use on the private server, because only the Apache proxy sees
it. There are probably client authentication issues, but if you're
only looking for encryption, that isn't a problem.
Of course, you could just use apache+mod_ssl using the same mechanism
to proxy traffic to an insecure server inside the firewall, especially
if you have a two-level firewall, with the public server behind its
own firewall but isolated from the internal network, but using SSL on
both sides gives you the added security of encrypted traffic on the
short path to the firewall, and protects you from malicious monitoring
by your own employees...
I think this whole mechanism is sufficiently useful it would warrant a
mini-howto.
- Iain mailto:[EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
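The setup Iain describes (public apache+mod_ssl proxying SSL traffic to a private apache+mod_ssl behind the firewall), written out as an added configuration example. This is not Iain's configuration nor anything from the mod_ssl project; it assumes a modern Apache httpd 2.4 with mod_ssl, mod_proxy, mod_proxy_http and mod_rewrite loaded, and every hostname, IP address, certificate path and DocumentRoot below is a placeholder.

```apache
# Added example (not from the original mail): public SSL front end that
# re-encrypts to a private SSL server inside the firewall.
# Assumes Apache httpd 2.4 with mod_ssl, mod_proxy, mod_proxy_http, mod_rewrite.
# All hostnames, addresses, paths and certificate files are placeholders.

# ---- Public server (outside / DMZ): carries the real certificate ----
Listen 443
<VirtualHost *:443>
    ServerName www.example.com
    DocumentRoot /var/www/ssl

    SSLEngine on
    # Certificate the browser sees; only this one needs a public CA.
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Allow mod_proxy to open https:// connections to the backend.
    SSLProxyEngine on
    # Check the private server's certificate against an internal CA bundle
    # instead of accepting any certificate on the inside hop.
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.crt

    # Never act as a forward proxy for clients; only the rule below proxies.
    ProxyRequests off

    # httpd.conf form of the .htaccess rule from the mail:
    #   RewriteRule (.*) https://privatehost/$1 [P]
    # In server/vhost context the matched path starts with "/", so the
    # pattern is anchored accordingly.
    RewriteEngine on
    RewriteRule ^/(.*)$ https://privatehost.internal/$1 [P,L]
    # Rewrite Location and Set-Cookie headers coming back from the backend
    # so redirects point at the public name, not the private one.
    ProxyPassReverse / https://privatehost.internal/
</VirtualHost>

# ---- Private server (inside the firewall): only the proxy talks to it ----
<VirtualHost *:443>
    ServerName privatehost.internal
    DocumentRoot /var/www/secure

    SSLEngine on
    # Internal-CA-issued certificate; only the Apache proxy ever sees it.
    SSLCertificateFile    /etc/ssl/certs/privatehost.internal.crt
    SSLCertificateKeyFile /etc/ssl/private/privatehost.internal.key

    # Accept requests only from the public proxy's address (placeholder),
    # so nothing reaches this host except through the proxied hop.
    <Location "/">
        Require ip 192.0.2.10
    </Location>
</VirtualHost>
```

The two-hop layout keeps the private server's traffic encrypted on the inside leg, which is the "protects you from malicious monitoring" property the mail points at; the `SSLProxyVerify require` line is what stops the proxy from silently accepting a substituted backend certificate. If the rewrite rule is kept in a `.htaccess` file as in the mail, use the unanchored `(.*)` form, because in per-directory context the directory prefix is stripped before the pattern is matched.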