SSL Reverse Proxy
on 26.01.2010 21:28:24 by Brian Mearns
I'm looking for some clarification on how to setup a reverse proxy
that supports SSL/TLS. My understanding is as follows (please correct
me if I'm wrong):
1. Client connects with SSL, mod_ssl handles this
2. mod_proxy handles generating a proxy-request to the configured origin server
3. SSLProxyEngine should be set to on so that SSL is used to
communicate securely with the origin server.
What if any of the original client's SSL information is then available
to the origin server? For instance, can clients still present
certificates to authenticate with the origin server, or will that need
to be handled by the reverse proxy? If this authentication is handled
by the proxy, can the information from the client certificate be made
available to the origin server? Will the proxy try to use the same SSL
parameters (protocol version, ciphersuite, etc) as the client did, or
will this information otherwise be made available to the origin
server? Ideally, I'd like the proxy to be transparent to both the
origin server and the client.
Additionally, my origin server and reverse proxy are actually on the
same machine, so I'm not especially concerned about securing
communications between them, except that I would like all of the
SSL-relevant information to be available to the origin server. Is
there a way to do this without using secure communications between the
proxy and origin server? My primary reason for not wanting to use
secure connections here is to improve speed and avoid the increased
drain on my entropy pool. Are these realistic concerns, or would the
effect be negligible?
Any help would be greatly appreciated.
Thanks,
-Brian
--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
To unsubscribe from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
RE: SSL Reverse Proxy
on 27.01.2010 10:31:03 by Emmanuel Bailleul
> -----Original Message-----
> From: mearns.b@gmail.com [mailto:mearns.b@gmail.com] On behalf of Brian
> Mearns
> Sent: Tuesday, 26 January 2010 21:28
> To: users@httpd.apache.org
> Subject: [users@httpd] SSL Reverse Proxy
>
> I'm looking for some clarification on how to setup a reverse proxy
> that supports SSL/TLS. My understanding is as follows (please correct
> me if I'm wrong):
> 1. Client connects with SSL, mod_ssl handles this
> 2. mod_proxy handles generating a proxy-request to the configured origin
> server
> 3. SSLProxyEngine should be set to on so that SSL is used to
> communicate securely with the origin server.
>
> What if any of the original client's SSL information is then available
> to the origin server? For instance, can clients still present
> certificates to authenticate with the origin server, or will that need
> to be handled by the reverse proxy? If this authentication is handled
> by the proxy, can the information from the client certificate be made
> available to the origin server? Will the proxy try to use the same SSL
> parameters (protocol version, ciphersuite, etc) as the client did, or
> will this information otherwise be made available to the origin
> server? Ideally, I'd like the proxy to be transparent to both the
> origin server and the client.
>
> Additionally, my origin server and reverse proxy are actually on the
> same machine, so I'm not especially concerned about securing
> communications between them, except that I would like all of the
> SSL-relevant information to be available to the origin server. Is
> there a way to do this without using secure communications between the
> proxy and origin server? My primary reason for not wanting to use
> secure connections here is to improve speed and avoid the increased
> drain on my entropy pool. Are these realistic concerns, or would the
> effect be negligible?
>
> Any help would be greatly appreciated.
>
> Thanks,
> -Brian
>
Hi Brian,
I think your description in the first part of your mail is correct. If you use a reverse proxy in front of your origin, you have to let it manage the authentication part, and as there will be two distinct connections, SSL parameters from the client-to-proxy connection won't necessarily be the same as the proxy-to-origin ones, unless you configure them so that they match.
I guess that in order to be able to reach the origin server directly from your client "through" the frontend, you would rather use some sort of "port-forwarder", which in this case would not deal with SSL at all.
Last, regarding your idea of "forwarding" some interesting variables from the frontend to the origin server, I think this could be achieved through the use of something like mod_perl, but also in a more straightforward way by using environment variables and headers (via mod_headers). I kept this idea in mind after reading an article on this ML:
http://mail-archives.apache.org/mod_mbox/httpd-users/200911.mbox/%3CPine.LNX.4.64.0911261559410.28410@haroon.sis.utoronto.ca%3E
The idea was to use the available SSL environment variables (http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#envvars) to set headers with 'RequestHeader set' in the reverse proxy and send them with the backend connection to the origin server, which could then grab all the info it needs. A question remains regarding the origin server and whether it uses PHP or something in order to process these headers.
I have not (yet) tried this setup though I think I will soon.
Hope this helps.
Emmanuel
Re: SSL Reverse Proxy
on 28.01.2010 11:34:14 by Matus UHLAR - fantomas
On 26.01.10 15:28, Brian Mearns wrote:
> I'm looking for some clarification on how to setup a reverse proxy
> that supports SSL/TLS. My understanding is as follows (please correct
> me if I'm wrong):
> 1. Client connects with SSL, mod_ssl handles this
> 2. mod_proxy handles generating a proxy-request to the configured origin server
> 3. SSLProxyEngine should be set to on so that SSL is used to
> communicate securely with the origin server.
Why have an SSL proxy in this case?
> What if any of the original client's SSL information is then available
> to the origin server? For instance, can clients still present
> certificates to authenticate with the origin server, or will that need
> to be handled by the reverse proxy? If this authentication is handled
> by the proxy, can the information from the client certificate be made
> available to the origin server?
You can only pass such information in request variables, and the destination
server will have to trust the proxy. The proxy cannot sign the data with the
client's certificate - it would need the client's private key.
> Will the proxy try to use the same SSL parameters (protocol version,
> ciphersuite, etc) as the client did, or will this information otherwise be
> made available to the origin server?
No. It will do a completely different SSL negotiation.
> Ideally, I'd like the proxy to be transparent to both the
> origin server and the client.
Why do you want the proxy at all in this case?
--
Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning (in Slovak): I do NOT want to receive any advertising mail at this address.
Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
Re: SSL Reverse Proxy
on 29.01.2010 16:23:48 by Brian Mearns
On Thu, Jan 28, 2010 at 5:34 AM, Matus UHLAR - fantomas wrote:
> On 26.01.10 15:28, Brian Mearns wrote:
>> I'm looking for some clarification on how to setup a reverse proxy
>> that supports SSL/TLS. My understanding is as follows (please correct
>> me if I'm wrong):
>> 1. Client connects with SSL, mod_ssl handles this
>> 2. mod_proxy handles generating a proxy-request to the configured origin server
>> 3. SSLProxyEngine should be set to on so that SSL is used to
>> communicate securely with the origin server.
>
> Why have an SSL proxy in this case?
>
>> What if any of the original client's SSL information is then available
>> to the origin server? For instance, can clients still present
>> certificates to authenticate with the origin server, or will that need
>> to be handled by the reverse proxy? If this authentication is handled
>> by the proxy, can the information from the client certificate be made
>> available to the origin server?
>
> You can only pass such information in request variables, and the destination
> server will have to trust the proxy. The proxy cannot sign the data with the
> client's certificate - it would need the client's private key.
>
>> Will the proxy try to use the same SSL parameters (protocol version,
>> ciphersuite, etc) as the client did, or will this information otherwise be
>> made available to the origin server?
>
> No. It will do a completely different SSL negotiation.
>
>> Ideally, I'd like the proxy to be transparent to both the
>> origin server and the client.
>
> Why do you want the proxy at all in this case?
>
> --
> Matus UHLAR - fantomas, uhlar@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning (in Slovak): I do NOT want to receive any advertising mail at this address.
> Micro$oft random number generator: 0, 0, 0, 4.33e+67, 0, 0, 0...
[snip]
Thank you both for the helpful responses.
To answer some of your questions:
I want a proxy because I have multiple servers running and I want them
accessible through the same address. So I just put the proxy at that
address and let it figure out which server to use based on the Host
header and SNI. I want it to support SSL connections from the client
because I want to support SSL connections from clients for all the
various reasons a person might want to do that, notably privacy. I
don't care if it actually speaks SSL to the origin servers, but I
didn't know if that would make it more transparent, e.g., if there was
a way that the same parameters would be used or something.
It sounds like I can't get at the client SSL information /and/
maintain transparency for the backend servers, which is what I kind of
figured, I guess. I'm already using a module to set the REMOTE_ADDR
based on the X-Forwarded-For header, so I might try something similar to
forward relevant SSL information from the proxy to the origin servers
in HTTP X-headers, and then see if I can figure out how to set the
SSL_* env vars from those. At least then it's transparent to the
applications on the backend servers, even if it's not quite
transparent to the server itself.
Thanks.
-Brian
--
Feel free to contact me using PGP Encryption:
Key Id: 0x3AA70848
Available from: http://keys.gnupg.net
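A configuration sketch of the header-forwarding idea from Emmanuel's reply and of the X-header-to-SSL_* mapping Brian plans in the post above. This is an added example, not configuration from the thread or from the Apache project; the hostnames, certificate paths, the 8080 loopback port and the X-SSL-* header names are assumed placeholders.

```apache
# Added example, not from the thread. Assumes proxy and origin on one host,
# the origin bound to 127.0.0.1:8080, and placeholder hostnames, file paths
# and X-SSL-* header names.

## Front-end reverse proxy: mod_ssl + mod_headers + mod_proxy
<VirtualHost *:443>
    ServerName app.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/app.example.com.pem
    SSLCertificateKeyFile /etc/ssl/private/app.example.com.key

    # TLS ends here, so client-certificate verification must happen here;
    # the origin can only learn the result second-hand from the proxy.
    SSLVerifyClient optional
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem

    # Copy mod_ssl connection variables into request headers. "set" replaces
    # any header of the same name the client sent, so a client cannot smuggle
    # forged identity data through the proxy. %{VAR}s is the mod_headers
    # lookup of an SSL variable; it expands to "" when no cert was presented.
    RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    RequestHeader set X-SSL-Client-S-DN   "%{SSL_CLIENT_S_DN}s"
    RequestHeader set X-SSL-Protocol      "%{SSL_PROTOCOL}s"
    RequestHeader set X-SSL-Cipher        "%{SSL_CIPHER}s"

    # Plain HTTP to the loopback origin, as discussed in the thread; the hop
    # never leaves the host, so SSLProxyEngine is not needed.
    ProxyPreserveHost On
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/
</VirtualHost>

## Origin server: mod_setenvif
# Listen on loopback only: the headers above are trustworthy solely because
# nothing but the local proxy can reach this listener.
Listen 127.0.0.1:8080
<VirtualHost 127.0.0.1:8080>
    ServerName app.example.com
    # Rebuild the SSL_* environment applications expect from the forwarded
    # headers; $1 is the back-reference to the matched header value, and an
    # empty header leaves the variable unset.
    SetEnvIf X-SSL-Client-Verify "^(.+)$" SSL_CLIENT_VERIFY=$1
    SetEnvIf X-SSL-Client-S-DN   "^(.+)$" SSL_CLIENT_S_DN=$1
    SetEnvIf X-SSL-Protocol      "^(.+)$" SSL_PROTOCOL=$1
    SetEnvIf X-SSL-Cipher        "^(.+)$" SSL_CIPHER=$1
    # Applications should accept a client identity only when SSL_CLIENT_VERIFY
    # is exactly "SUCCESS" (mod_ssl also emits NONE and FAILED:reason).
</VirtualHost>
```

If the origin were reachable from the network rather than only via loopback, any client could send these headers directly, which is the trust point Matus raises.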