> What you are describing is almost exactly a system that we have here, and
> have had for some time.

So good to hear it works :)

> However, I think turning SSL off won't help you, and
> probably is the root of your problem. Basically what the ProxyPass and
> ProxyPassReverse does is set up a secure connection through your
> firewall. You'll want a secure connection to your "outside" machine from the
> client, making two simultaneous SSL connections. What actually happens is
> that the web server accepts the data, but then passes it on. It is worth
> ensuring that any ScriptAlias directories are turned off on your outside
> machine, otherwise these are processed, rather than passed on.

I was told I need to compile mod_ssl with the EXPERIMENTAL code
to make this work and have 2 certs. One for the pass thru webserver
and one for the one in the intranet.

> Look at it this way. If the outside machine is compromised, and SSL data
> coming to it is then passed on insecurely (i.e. non-SSL), then that data can
> be compromised regardless of the presence of your firewall.
> 
> There is of course a performance hit involved in doing it this way, but if
> you can get an SSL acceleration card or two it should help. Multi-processor
> machines are another option.
> 
> Someone is bound to point out that data is held in memory at some point on
> the outside machine and could be grabbed by a memory debugger or a core
> dump. However, this is slightly harder than merely sniffing the packets
> flowing in and out. The latter gives you all the data, anytime!

So... what are you trying to say?
This slightly improved security is not worth the setup hassle?

So why do YOU run it this way? ;)
--
Torsten
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
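As an added example, not configuration from the thread, from mod_ssl's documentation or from either poster: the "outside" (DMZ) virtual host for the arrangement the quoted reply describes, written in Apache httpd 2.4 syntax. It terminates TLS from the Internet with one certificate, then re-encrypts to the intranet server and verifies that server's own certificate (the second cert Torsten mentions), with no ScriptAlias on the outside box. Hostnames, certificate paths and the internal CA file are placeholders. `SSLProxyEngine`, `SSLProxyVerify`, `SSLProxyCACertificateFile` and `SSLProxyCheckPeerName` are current mod_ssl directives; that they are the successor of the "EXPERIMENTAL" proxy code Torsten was told to build is an assumption on my part, not something the thread states.

```apache
# Added example, not from the thread: DMZ reverse proxy that re-encrypts
# to the intranet web server. All names and paths are placeholders.
# Needs mod_ssl, mod_proxy, mod_proxy_http and mod_headers loaded.

Listen 443
<VirtualHost *:443>
    ServerName www.example.com

    # Certificate 1: the one clients on the Internet see.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # Nothing is served or executed locally: no ScriptAlias, no CGI,
    # an empty and denied DocumentRoot. Every request is handed onward.
    DocumentRoot /var/www/empty
    <Directory /var/www/empty>
        Require all denied
    </Directory>

    # Re-encrypt on the inside leg instead of passing plaintext through
    # the firewall (the point the quoted reply makes).
    SSLProxyEngine on

    # Certificate 2 belongs to the intranet server. Require it and check it
    # against the internal CA, otherwise any host answering on that address
    # would receive the decrypted traffic.
    SSLProxyVerify            require
    SSLProxyVerifyDepth       2
    SSLProxyCACertificateFile /etc/ssl/certs/internal-ca.pem
    SSLProxyCheckPeerName     on

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests    off
    ProxyPreserveHost on
    ProxyPass        / https://intranet.example.internal/
    ProxyPassReverse / https://intranet.example.internal/

    # Tell the intranet server the client arrived over TLS.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>

# Firewall: allow 443/tcp from this DMZ host to intranet.example.internal
# only; the intranet server is never reachable directly from the Internet.
```

`ProxyPass` does the forwarding and `ProxyPassReverse` rewrites `Location` and similar headers in the backend's replies so redirects do not leak the internal hostname. The part that makes the second certificate worth having is `SSLProxyVerify require` together with the internal CA: without it the proxy would encrypt to the backend but accept whoever answered, and the decrypted data on the outside machine, which the quoted reply already concedes is the residual risk, would be the least of the problems.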
