Reverse Proxy https question
am 27.06.2002 02:49:06 von MichaelThis is a multi-part message in MIME format.
------=_NextPart_000_011C_01C21D39.C46A2FF0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
I am trying to Reverse Proxy HTTPS connections in the following manner:
CLIENT Browser (https://secure-site.com) -> Apache 2.0 Reverse Proxy, =
posing as secure-site.com (non-ssl, non-decrypting, just passing the =
https through) -> Sonicwall SSL Accelerator (a stand-alone HW device for =
SSL decryption/encryption, hosting the certificate for secure-site.com, =
decrypting the SSL connection) -> WEBSERVER (non-SSL)
The purpose for this design is to keep the webserver behind a layer of =
switches (for VLANS and ACLS) and Cisco Content Servers (which act as a =
router and load balancer) and keep the Apache proxy server as the "edge =
presence" of the website.=20
What happens with this configuration is:
1) The client browser connects to the Apache proxy
2) The Apache proxy server connects to the SSL accelerator with HTTPS =
sucessfully, as seen in the debug-level Apache log files.=20
3) The browser waits, waits and waits...
4) The Apache proxy sits, sits and sits.=20
5) The Webserver DOES see the non-ssl connection. The information in the =
access log is:
"Client IPAddress - - [25/Jun/2002:17:04:18 -0700] "?L / HTTP/1.0" =
302 0 "
5) Eventually the client browser gives up and times out.
If I install the certificate for secure-site.com on the Apache reverse =
proxy server and enable SSL , then the Apache reverse proxy will connect =
with SSL to both the browser and the downstream webserver. This works, =
but is pointless as it loads the Proxy server's CPU with SSL =
encryption/decryption. That's what we have the SSL accelerators for.
What is missing in my config? Is this setup even possible?
Any comments?
Thanks in advance.
-Michael
--------------
This is the Apache config I am using:
----------
Listen IPAddress:443
LogLevel debug
SSLProxyEngine On
ServerName web-site
ProxyPass / https://secure-site.com
ProxyPassReverse / https://secure-site.com
------------
Server version: Apache/2.0.39
Server built: Jun 25 2002 16:11:49
-----------
Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_include.c
mod_log_config.c
mod_env.c
mod_setenvif.c
mod_proxy.c
proxy_connect.c
proxy_ftp.c
proxy_http.c
mod_ssl.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_asis.c
mod_cgi.c
mod_negotiation.c
mod_dir.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_so.c
------=_NextPart_000_011C_01C21D39.C46A2FF0
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
charset=3Diso-8859-1">
connections=20
in the following manner:
Apache 2.0=20
Reverse Proxy, posing as secure-site.com (non-ssl, non-decrypting, just =
passing=20
the https through) -> Sonicwall SSL Accelerator (a stand-alone HW =
device=20
for SSL decryption/encryption, hosting the certificate=20
for secure-site.com, decrypting the SSL connection) -> WEBSERVER =
(non-SSL)
of=20
switches (for VLANS and ACLS) and Cisco Content Servers (which act as a =
router=20
and load balancer) and keep the Apache proxy server as the "edge =
presence" of=20
the website.
is:
Apache=20
proxy
the SSL=20
accelerator with HTTPS sucessfully, as seen in the debug-level Apache =
log files.=20
waits...
sits.=20
connection.=20
The information in the access log is:
IPAddress - -=20
[25/Jun/2002:17:04:18 -0700] "=80L / HTTP/1.0" 302 0 "
up and times=20
out.
reverse=20
proxy server and enable SSL , then the Apache reverse proxy will =
connect=20
with SSL to both the browser and the downstream webserver. This works, =
but is=20
pointless as it loads the Proxy server's CPU with SSL =
encryption/decryption.=20
That's what we have the SSL accelerators for.
setup even=20
possible?
using:
IPAddress:443>
=
SSLProxyEngine=20
On
=20
ServerName &nb=
sp; =20
web-site
=20
ProxyPass &nbs=
p; =20
/ href=3D"https://secure-site.com">https://secure-site.com
=
Server =
built: Jun 25 2002 16:11:49
=
core.c
=20
mod_access.c
mod_auth.c
mod_include.c
=20
mod_log_config.c
mod_env.c
mod_setenvif.c
=20
mod_proxy.c
proxy_connect.c
proxy_ftp.c
=20
proxy_http.c
mod_ssl.c
prefork.c
=20
http_core.c
mod_mime.c
mod_status.c
=20
mod_autoindex.c
mod_asis.c
mod_cgi.c
=20
mod_negotiation.c
mod_dir.c
mod_imap.c
=20
mod_actions.c
mod_userdir.c
mod_alias.c
=20
mod_so.c
------=_NextPart_000_011C_01C21D39.C46A2FF0--