What you are describing is almost exactly a system that we have here, and
have had for some time. However, I think turning SSL off won't help you, and
probably is the root of your problem. Basically, what ProxyPass and
ProxyPassReverse do is set up a secure connection through your
firewall. You'll want a secure connection to your "outside" machine from the
client, making two simultaneous SSL connections. What actually happens is
that the web server accepts the data, but then passes it on. It is worth
ensuring that any ScriptAlias directories are turned off on your outside
machine, otherwise these are processed, rather than passed on.
This setup gives some interesting results. Netcraft says this for example:
"The site info.rnib.org.uk is running Microsoft-IIS/4.0 on Linux."
Look at it this way. If the outside machine is compromised, and SSL data
coming to it is then passed on insecurely (i.e. non-SSL), then that data can
be compromised regardless of the presence of your firewall.
There is of course a performance hit involved in doing it this way, but if
you can get an SSL acceleration card or two it should help. Multi-processor
machines are another option.
Someone is bound to point out that data is held in memory at some point on
the outside machine and could be grabbed by a memory debugger or a core
dump. However, this is slightly harder than merely sniffing the packets
flowing in and out. The latter gives you all the data, anytime!
-
John Airey
Internet Systems Support Officer, ITCSD, Royal National Institute for the
Blind,
Bakewell Road, Peterborough PE2 6XU,
Tel.: +44 (0) 1733 375299 Fax: +44 (0) 1733 370848 [EMAIL PROTECTED]
> -----Original Message-----
> From: Torsten Curdt [mailto:[EMAIL PROTECTED]]
> Sent: 04 March 2001 20:00
> To: [EMAIL PROTECTED]
> Subject: reverse proxy
>
>
> I'm not quite sure if this is OT but...
>
> This works quite well:
>
> <VirtualHost ...:80>
> ProxyPass / http://machine.dff.local:8100/
> ProxyPassReverse / http://machine.dff.local:8100/
> <Directory proxy:*>
> Order deny,allow
> Allow from all
> </Directory>
> </VirtualHost>
>
> This is the way we have our Apache web server in
> the perimeter net and just allow specific reverse
> proxy connections from the perimeter net into our
> intranet.
>
> internet
> |
> [firewall]--[apache reverse proxy]
> | /
> | /
> [machine]
>
> I now want all perimeter <-> intranet communication
> to be encrypted. Therefore I want Apache to just pass
> the SSL communication back and forth:
>
> <VirtualHost ...:443> <---- SSL port but no cert and SSLEngine off
> ProxyPass / https://machine.dff.local/
> ProxyPassReverse / https://machine.dff.local/
> <Directory proxy:*>
> Order deny,allow
> Allow from all
> </Directory>
> </VirtualHost>
>
> But this seems not to work...
> Can this work at all?
> (I wonder if a "ProxyPassReverse" can work on encrypted connections?)
>
> I just read in the news something about enhanced mod_ssl
> support for mod_proxy.
>
> So forgive me if this was something different... ;)
> --
> Torsten
> ______________________________________________________________________
> Apache Interface to OpenSSL (mod_ssl) www.modssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
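The configuration below is an added example written for this thread, not code posted by either author. It shows the two-hop layout John describes (terminate the client's SSL on the perimeter Apache, then re-encrypt to the intranet machine), and why Torsten's attempt with SSLEngine off on port 443 cannot work. It uses the SSLProxy* directives of later Apache 2.x releases rather than the mod_ssl/Apache 1.3 versions in use when the thread was written; the public ServerName, certificate paths and the internal CA file are assumptions, and machine.dff.local is taken from Torsten's post.

```apache
# Perimeter host. Added example for the thread above; hostnames, paths and
# the internal CA are assumptions. Requires Apache 2.4 with mod_ssl,
# mod_proxy and mod_proxy_http loaded.
#
# What does NOT work (Torsten's attempt): a :443 vhost with SSLEngine off
# and "ProxyPass / https://machine.dff.local/". Apache has to decrypt the
# client's SSL before it can read the HTTP request it is going to proxy, so
# without a certificate and SSLEngine on, port 443 receives a TLS ClientHello
# it cannot parse and no request ever reaches ProxyPass.
#
# What John warns against: a plaintext second hop such as
#   ProxyPass / http://machine.dff.local:8100/
# Whoever controls the perimeter host, or the perimeter <-> intranet segment,
# reads every request and response in the clear regardless of the firewall.

Listen 443

<VirtualHost *:443>
    # Assumed public name of the site.
    ServerName www.example.com

    # First hop: Internet client -> perimeter Apache. SSL terminates here.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Second hop: perimeter Apache -> intranet backend, re-encrypted.
    SSLProxyEngine on
    # Verify the backend against the internal CA so a host on the intranet
    # segment cannot impersonate machine.dff.local to the proxy.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem
    # The backend certificate must carry the name used in ProxyPass.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests off

    # Everything under / is passed on. Keep no Alias or ScriptAlias on this
    # host, or those paths are processed locally instead of being passed on.
    ProxyPass        / https://machine.dff.local/
    ProxyPassReverse / https://machine.dff.local/

    # Apache 2.4 access control for the proxied URL space.
    <Proxy "*">
        Require all granted
    </Proxy>
</VirtualHost>
```

The price of this layout is the one John notes: request and response data exist decrypted in the perimeter Apache's memory between the two hops, so that host must be treated as trusted and kept minimal. SSLProxyVerify require is the part most often left out; without it the second hop is encrypted but not authenticated, and a compromised machine on the intranet segment can sit between the proxy and the real backend.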