I use the following virtual host configuration to connect certain users over
the Internet (real names of systems and IPs have been changed):

# Proxy to security (security measure)
<VirtualHost security:443>
    ServerAdmin [EMAIL PROTECTED]
    ServerName security.rnib.org.uk
    # SSL Stuff here ...
    # Auth Stuff here ...
    ErrorLog /var/log/httpd/security-error_log
    TransferLog /var/log/httpd/security-access_log
    # Forward every request to the internal host over plain http
    ProxyPass / http://real-security/
</VirtualHost>

This takes a secure connection to the virtual host "security", and proxies
all requests to the host "real-security" via http. In this case, the proxy
is on the internal network and passwords are encrypted over the 'net. (I've
missed out the SSL and Auth bits). In fact, the proxied host "real-security"
cannot be contacted directly. The logging is useful for checking that it
works.

I believe this is the best you can do, unless another program can "proxy"
https. Whereas http is effectively plain text (purists will obviously point
out that iso-8859-1 isn't exactly plain text, but I know that!), https is
encrypted end to end. To pass data from one https connection to another
would make the security next to useless.

(Actually I'd like to authenticate users via TACACS+, but that's another
question altogether).

John

-----Original Message-----
From: [EMAIL PROTECTED]
To: [EMAIL PROTECTED]
Sent: 19/01/00 16:57
Subject: ssl & proxy .. again
Hi there,

in the mail archive I found a discussion about using a https connection
from browser to proxy, regardless of the request type
(browser <- ssl -> proxy <- whatever -> server).

Actually, I am trying to set this up myself, without success so far, and
would like to ask if it can be done somehow.

The reason for doing this is that I want my users to authenticate
against apache through some module (mod_auth_nds, actually, but it
could be any auth module) and by their authentication / authorization
define who can use which Internet resources.
I do not want their NDS password going over the net in plain text,
though.

Does anybody know if / how this can be accomplished?

regards,
Andreas
[EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
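
The arrangement described in the reply above (TLS and authentication on the front virtual host, plain http to an internal host behind it), written out as a full Apache 2.4 virtual host. This is an added example, not the poster's configuration: the host names, file paths, the file-based Basic auth provider and the header cleanup are all assumptions, and mod_ssl, mod_proxy, mod_proxy_http, mod_headers and mod_authn_file are assumed to be loaded.

```apache
# Added example; every name and path below is a placeholder.
<VirtualHost *:443>
    ServerName proxy.example.internal

    # TLS terminates here, so the password only crosses the
    # Internet inside the encrypted connection.
    SSLEngine on
    SSLCertificateFile    /etc/pki/tls/certs/proxy.example.crt
    SSLCertificateKeyFile /etc/pki/tls/private/proxy.example.key

    # Reverse proxy only: with ProxyRequests Off this host cannot
    # be used as an open forward proxy.
    ProxyRequests Off

    <Location "/">
        # Refuse any request for this location that is not over TLS.
        SSLRequireSSL
        AuthType Basic
        AuthName "Restricted"
        AuthBasicProvider file
        AuthUserFile /etc/httpd/conf/htpasswd.example
        Require valid-user
    </Location>

    # Assumption: the backend does not need the user's credentials.
    # The header is removed after Apache has authenticated the
    # request, so the password is not repeated over the plain-http hop.
    RequestHeader unset Authorization

    # The hop to the backend is unencrypted; keep it on a network
    # segment that is not reachable from outside.
    ProxyPass        / http://backend.example.internal/
    # Rewrite Location headers in backend redirects so clients are
    # not sent to the internal host name.
    ProxyPassReverse / http://backend.example.internal/

    ErrorLog  /var/log/httpd/proxy-error_log
    CustomLog /var/log/httpd/proxy-access_log combined
</VirtualHost>
```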