Apache2: Is Proxy from https to http secure

Question

Im pretty new at all this server stuff, and I have a question regarding the security of the apache proxy.

What I am doing is: I have a websocket server running in non secure mode on port 11221 on the same system (localhost only, but with apache, it's a different application).

In my apache, I created a configuration with a proxy to that server:

ServerName websocket.example.com

SSLCertificateFile /path/to/fullchain.pem
SSLCertificateKeyFile /path/to/privkey.pem

ProxyPass / ws://localhost:11221/
ProxyPassReverse / ws://localhost:11221/

This combination works flawlessly, I can connect using a secure websocket connection to the server (using wss://websocket.example.com). And I checked that I can't connect directly to it. ws://websocket.example.com:11221 will fail with a connection refused (as expected).

My question now is: Is this secure?. I.e. does the connection stay encrypted even after chaning to the websocket protocol? As far as I understood from my research, it does stay encrypted, but I couldn't find a definite answere.

Answer 1

The SSL layer is only applied to the connection from client to apache, obviously; that's why you have configured apache after all, isn't it? (Also called "SSL offloading". I usually use pound or haproxy for that, much simpler / smaller than apache if this is all you're using apache for.)

The communication between apache and whatever is listening to port 11221 is necessarily unencrypted; otherwise you would need to install the SLL certificate into the websocket application as well (and also use https:// and not ws://).

That said, if you can't one process to transfer data to another process on the same system (after all you're using localhost to communicate), then you have bigger problems. Theoretically someone with the appropriate privileges on the local system can eavesdrop on the communication, but that person could also simply use strace on the processe involved to obtain the data.