Firewall Wizards mailing list archives
RE: Back onto reverse proxies
From: "stuart.flisher" <stuart.flisher () btinternet com>
Date: Thu, 29 Mar 2001 06:24:56 +0100
sniffing of the network to find sensitive data. Hey but the server is a proxy creating two connections decrypting inbound and then re-encrypting in a different session outbound. This means that the data is decrypted somewhere, probably in memory, allowing some clever git to read it.
Uh...no. Proxy servers do not and cannot decrypt / re-encrypt SSL traffic.
Sure they can- (a) they can act as the end server, present a valid certificate and then go do an SSL session for outbound
I agree with this. Look at Apache with mod_proxy; it does exactly this. It is used for one of the customers that I have come across. The proxy has a cert for the main DNS name. The web server has a different cert. The proxy becomes an SSL client to the web server. Maybe I would opt not to have SSL out the backend for performance reasons.
(I've actually advocated this for some environments- it adds the ability to do ActiveX/VBS/Java stripping for instance- and if you own DNS or force proxy usage, it's pretty easy.)
I like that (one I didn't think of). What product will do that?
A possible plus for a proxy that has inbound http/SSL and clear http to the backend is that IDS boxes can read the http traffic looking for attacks[...]
That sort of proxy would be an SSL accelerator. It would almost never be
Technically, it's only an SSL accelerator if it does fast crypto- a config of mod_rewrite would do the same thing without any acceleration- in fact it'd probably slow things down.
I agree. Accelerators don't proxy (strictly speaking). Accelerators are cards in the server or cards in a switch (BIG-IP F5, Alteon, Hyperflow, (ServerIron's eventually I am told :) ).
Regards
Stuart
_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
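The arrangement described in the message above (the proxy holds the certificate for the public DNS name, then acts as an SSL client to a web server with a different certificate), sketched as an Apache httpd 2.4 configuration. This is an added example, not part of the original post or any poster's configuration; the hostnames, file paths and internal CA are assumed placeholders.

```apache
# Added example. Hostnames, paths and the internal CA are placeholders.
# Requires mod_ssl, mod_proxy and mod_proxy_http to be loaded.

<VirtualHost *:443>
    ServerName www.example.com

    # Inbound leg: the proxy is the SSL endpoint for clients and presents
    # the certificate issued for the public DNS name.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/www.example.com.key

    # Reverse proxy only: do not also serve as a forward proxy.
    ProxyRequests Off

    # Outbound leg: the proxy becomes an SSL client of the web server,
    # which holds its own, different certificate.
    SSLProxyEngine on

    # Authenticate the backend, otherwise the second session is
    # encrypted but could terminate on any host answering for that name.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/httpd/tls/internal-ca.crt
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    ProxyPass        / https://backend.internal.example/
    ProxyPassReverse / https://backend.internal.example/

    # Between the two sessions the request exists in cleartext in the
    # proxy's memory, so the proxy host needs the same protection as
    # the web server itself.

    # Alternative raised in the thread: cleartext HTTP on the backend
    # leg, which saves the second handshake and lets an IDS on that
    # segment read the traffic. Use it only on a segment you trust.
    # ProxyPass        / http://backend.internal.example/
    # ProxyPassReverse / http://backend.internal.example/
</VirtualHost>
```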
Current thread:
- Back onto reverse proxies stuart.flisher (Mar 27)
- <Possible follow-ups>
- RE: Back onto reverse proxies Ben Nagy (Mar 28)
- RE: Back onto reverse proxies Paul D. Robertson (Mar 29)
- RE: Back onto reverse proxies stuart.flisher (Mar 29)
- RE: Back onto reverse proxies Paul D. Robertson (Mar 29)
- Re: Back onto reverse proxies ark (Mar 28)