Reverse Proxy https question

Reverse Proxy https question

am 27.06.2002 02:49:06 von Michael

This is a multi-part message in MIME format.

------=_NextPart_000_011C_01C21D39.C46A2FF0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable

I am trying to Reverse Proxy HTTPS connections in the following manner:

CLIENT Browser (https://secure-site.com) -> Apache 2.0 Reverse Proxy, =
posing as secure-site.com (non-ssl, non-decrypting, just passing the =
https through) -> Sonicwall SSL Accelerator (a stand-alone HW device for =
SSL decryption/encryption, hosting the certificate for secure-site.com, =
decrypting the SSL connection) -> WEBSERVER (non-SSL)

The purpose for this design is to keep the webserver behind a layer of =
switches (for VLANS and ACLS) and Cisco Content Servers (which act as a =
router and load balancer) and keep the Apache proxy server as the "edge =
presence" of the website.=20

What happens with this configuration is:
1) The client browser connects to the Apache proxy
2) The Apache proxy server connects to the SSL accelerator with HTTPS =
sucessfully, as seen in the debug-level Apache log files.=20
3) The browser waits, waits and waits...
4) The Apache proxy sits, sits and sits.=20
5) The Webserver DOES see the non-ssl connection. The information in the =
access log is:
"Client IPAddress - - [25/Jun/2002:17:04:18 -0700] "?L / HTTP/1.0" =
302 0 "
5) Eventually the client browser gives up and times out.

If I install the certificate for secure-site.com on the Apache reverse =
proxy server and enable SSL , then the Apache reverse proxy will connect =
with SSL to both the browser and the downstream webserver. This works, =
but is pointless as it loads the Proxy server's CPU with SSL =
encryption/decryption. That's what we have the SSL accelerators for.


What is missing in my config? Is this setup even possible?
Any comments?

Thanks in advance.

-Michael


--------------


This is the Apache config I am using:
----------
Listen IPAddress:443
LogLevel debug

SSLProxyEngine On
ServerName web-site
ProxyPass / https://secure-site.com
ProxyPassReverse / https://secure-site.com



------------
Server version: Apache/2.0.39
Server built: Jun 25 2002 16:11:49

-----------
Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_include.c
mod_log_config.c
mod_env.c
mod_setenvif.c
mod_proxy.c
proxy_connect.c
proxy_ftp.c
proxy_http.c
mod_ssl.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_asis.c
mod_cgi.c
mod_negotiation.c
mod_dir.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_so.c

------=_NextPart_000_011C_01C21D39.C46A2FF0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable



charset=3Diso-8859-1">






I am trying to Reverse Proxy HTTPS =
connections=20
in the following manner:

 

CLIENT Browser ( href=3D"https://secure-site.com">https://secure-site.com) -> =
Apache 2.0=20
Reverse Proxy, posing as secure-site.com (non-ssl, non-decrypting, just =
passing=20
the https through) -> Sonicwall SSL Accelerator (a stand-alone HW =
device=20
for  SSL decryption/encryption, hosting the certificate=20
for secure-site.com, decrypting the SSL connection) -> WEBSERVER =

(non-SSL)

 

The purpose for this design is to keep the webserver behind a layer =
of=20
switches (for VLANS and ACLS) and Cisco Content Servers (which act as a =
router=20
and load balancer) and keep the Apache proxy server as the "edge =
presence" of=20
the website.

 

What happens with this configuration=20
is:

1) The client browser connects to the =
Apache=20
proxy

2) The Apache proxy server connects to =
the SSL=20
accelerator with HTTPS sucessfully, as seen in the debug-level Apache =
log files.=20

3) The browser waits, waits and=20
waits...

4) The Apache proxy sits, sits and =
sits.=20

5) The Webserver DOES see the non-ssl =
connection.=20
The information in the access log is:

    "Client =
IPAddress - -=20
[25/Jun/2002:17:04:18 -0700] "=80L / HTTP/1.0" 302 0 "

5) Eventually the client browser gives =
up and times=20
out.

 

If I install the certificate for secure-site.com on the Apache =
reverse=20
proxy server and enable SSL , then the Apache reverse proxy will =
connect=20
with SSL to both the browser and the downstream webserver. This works, =
but is=20
pointless as it loads the Proxy server's CPU with SSL =
encryption/decryption.=20
That's what we have the SSL accelerators for.

 

 

What is missing in my config? Is this =
setup even=20
possible?

Any comments?

 

Thanks in advance.

 

-Michael

 

 

--------------

 

 


This is the Apache config I am =
using:

----------

Listen IPAddress:443

LogLevel debug

<VirtualHost=20
IPAddress:443>
        =
SSLProxyEngine=20
On
       =20
ServerName          &nb=
sp;  =20
web-site
       =20
ProxyPass          &nbs=
p;   =20
/       href=3D"https://secure-site.com">https://secure-site.com
=

size=3D2>       =20
ProxyPassReverse       =20
/       href=3D"https://secure-site.com">https://secure-site.com
=

</VirtualHost>

 

 

------------

Server version: Apache/2.0.39
Server =

built:   Jun 25 2002 16:11:49

 

-----------

Compiled in modules:
  =
core.c
 =20
mod_access.c
  mod_auth.c
  mod_include.c
 =20
mod_log_config.c
  mod_env.c
  mod_setenvif.c
 =20
mod_proxy.c
  proxy_connect.c
  proxy_ftp.c
 =20
proxy_http.c
  mod_ssl.c
  prefork.c
 =20
http_core.c
  mod_mime.c
  mod_status.c
 =20
mod_autoindex.c
  mod_asis.c
  mod_cgi.c
 =20
mod_negotiation.c
  mod_dir.c
  mod_imap.c
 =20
mod_actions.c
  mod_userdir.c
  mod_alias.c
 =20
mod_so.c


------=_NextPart_000_011C_01C21D39.C46A2FF0--

Re: Reverse Proxy https question

am 27.06.2002 10:49:01 von Graham Leggett

Michael wrote:

> I am trying to Reverse Proxy HTTPS connections in the following manner:
>
> CLIENT Browser (https://secure-site.com) -> Apache 2.0 Reverse Proxy,
> posing as secure-site.com (non-ssl, non-decrypting, just passing the
> https through) -> Sonicwall SSL Accelerator (a stand-alone HW device
> for SSL decryption/encryption, hosting the certificate
> for secure-site.com, decrypting the SSL connection) -> WEBSERVER (non-SSL)
>
> The purpose for this design is to keep the webserver behind a layer of
> switches (for VLANS and ACLS) and Cisco Content Servers (which act as a
> router and load balancer) and keep the Apache proxy server as the "edge
> presence" of the website.

I don't know very much about SSL accelerators (is this a standalone
server, or hardware acceleration for an existing server of some kind?),
but regardless putting anything between the browser and the SSL
accelerator isn't going to work. The connection between browser and
accelerator is encrypted, so an HTTP proxy of any kind between them
isn't going to serve any purpose.

> If I install the certificate for secure-site.com on the Apache reverse
> proxy server and enable SSL , then the Apache reverse proxy will connect
> with SSL to both the browser and the downstream webserver. This works,
> but is pointless as it loads the Proxy server's CPU with SSL
> encryption/decryption. That's what we have the SSL accelerators for.

> This is the Apache config I am using:
> ----------
> Listen IPAddress:443
> LogLevel debug
>
> SSLProxyEngine On
> ServerName web-site
> ProxyPass / https://secure-site.com
> ProxyPassReverse / https://secure-site.com
>


From what it looks like, you have Apache listening on port 443 (the
HTTPS port) without telling it to speak HTTPS, so the connection just hangs.

The second thing you have is that the Apache proxy is now talking SSL to
the backend accelerator - which will increase your server load, not
decrease it, as the content is being encrypted by the accelerator,
decrypted by the proxy, encrypted a second time by the proxy, and given
to the browser.

What you need to do is put the accelerator at the outside, which in turn
talks unencrypted HTTP to Apache, which in turn talks unencrypted HTTP
to the loadbalanced backend. Thus Apache does caching and URL management
, but no encryption.

Regards,
Graham
--
-----------------------------------------
minfrin@sharp.fm
"There's a moon
over Bourbon Street
tonight..."