
I have configured an Apache reverse proxy. In that configuration, an HTTPS connection is possible between the client and the reverse proxy, and again between the reverse proxy and the server. But I want an HTTPS connection between the client and the server, like with a forward proxy. The HTTPS connection should not be broken at the reverse proxy.

     Https tunnel                   New Https tunnel
   <===============>             <===================>

Client-----------------------Apache Reverse proxy ----------------------------Server

The above setup is not desirable.

                   Https Tunnel
     <========================================>

Client--------------------Apache Reverse proxy --------------------Server

The above setup is desirable.

If an end-to-end HTTPS tunnel is not possible with a reverse proxy, then how can it be ensured that the SSL proxying option is safe, and that even the reverse proxy administrator (if the reverse proxy gets compromised) cannot decrypt the tunnel or carry out a man-in-the-middle attack?

EEAA

1 Answer


You cannot do this using Apache.

You have to forward/relay port 443 directly to the backend server to do this. There are several options for doing this, like DNAT in iptables, the socat tool, etc.

It also means that you cannot host any other websites on the same server.

Another consequence of this is that the backend server will never see the users' IP addresses; it will only see the IP address of the server doing the forwarding.

Tero Kilkanen
  • This is just partially correct. You can use haproxy for this in TCP mode and, by using the SNI extension of SSL, you can host any other website, as well as do some other interesting stuff; it is much more flexible than DNAT or whatever simple port forwarding. – Florin Asăvoaie Jul 14 '14 at 18:20
  • Thanks for writing this; every day brings something new to know :) – Tero Kilkanen Jul 14 '14 at 21:02
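The SNI-routed TCP passthrough described in the comment, as an added example that is not part of the original question, the answer, or any haproxy/Apache code: a small Python relay that peeks at the unencrypted ClientHello, reads the `server_name` extension, picks a backend, and then copies raw bytes in both directions without ever terminating TLS. Because the relay holds no private key it cannot decrypt the application data (the property the question asks for), but it does see the SNI hostname in clear, and the backend sees the relay's IP as the source address, exactly as the answer notes. The `ROUTES` map, the backend addresses, and the `build_client_hello` helper are constructed for this example.

```python
import socket
import struct
import threading

# Constructed for the example: SNI hostname -> backend (host, port). Not real servers.
ROUTES = {
    "app.example.com": ("10.0.0.10", 443),
    "api.example.com": ("10.0.0.11", 443),
}


def extract_sni(data: bytes):
    """Return the host_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        # TLS record header: content type (0x16 = handshake), version (2), length (2)
        if len(data) < 5 or data[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) < rec_len or body[0] != 0x01:   # truncated, or not a ClientHello
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            return None
        pos = 2 + 32                                            # client_version + random
        pos += 1 + hello[pos]                                   # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + hello[pos]                                   # compression_methods
        if pos + 2 > len(hello):
            return None                                         # no extensions at all
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            ext = hello[pos:pos + ext_len]
            pos += ext_len
            if ext_type != 0:                                   # 0 = server_name
                continue
            list_len = struct.unpack("!H", ext[0:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                p += 3
                if name_type == 0:                              # host_name entry
                    return ext[p:p + name_len].decode("ascii", "replace")
                p += name_len
        return None
    except (IndexError, struct.error):
        return None                                             # malformed input


def build_client_hello(hostname: str) -> bytes:
    """Constructed minimal ClientHello carrying an SNI extension (for testing only)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list
    hello = (b"\x03\x03" + bytes(32) + b"\x00"                  # version, random, empty session id
             + struct.pack("!H", 2) + b"\x13\x01"               # one cipher suite
             + b"\x01\x00"                                      # null compression
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs


def choose_backend(sni, routes, default=None):
    """Map an SNI hostname to a backend; unknown or missing SNI falls back to default."""
    if sni is None:
        return default
    return routes.get(sni.lower(), default)


def pipe(src, dst):
    """Copy bytes one way until EOF; the encrypted payload is never inspected."""
    try:
        while chunk := src.recv(65536):
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        for s in (src, dst):
            try:
                s.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass


def handle_client(client, routes, default=None):
    # MSG_PEEK leaves the ClientHello in the buffer so the backend gets it untouched.
    # A production relay must wait until the whole record has arrived before deciding.
    target = choose_backend(extract_sni(client.recv(4096, socket.MSG_PEEK)), routes, default)
    if target is None:
        client.close()
        return
    backend = socket.create_connection(target)   # backend sees the relay's IP as source
    threading.Thread(target=pipe, args=(client, backend), daemon=True).start()
    threading.Thread(target=pipe, args=(backend, client), daemon=True).start()


def serve(listen_addr, routes, default=None):
    srv = socket.socket()
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(listen_addr)
    srv.listen()
    while True:
        conn, _ = srv.accept()
        threading.Thread(target=handle_client, args=(conn, routes, default), daemon=True).start()


if __name__ == "__main__":
    serve(("0.0.0.0", 443), ROUTES)
```

Clients that send no SNI (or an unknown name) reach `default`, so leaving it as `None` rejects them rather than silently routing them to the wrong site; that is the same decision haproxy's TCP-mode ACLs force you to make explicitly.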