Reverse Proxy https question

I am trying to Reverse Proxy HTTPS connections in the following manner:

CLIENT Browser (https://secure-site.com) -> Apache 2.0 Reverse Proxy, posing as secure-site.com (non-ssl, non-decrypting, just passing the https through) -> Sonicwall SSL Accelerator (a stand-alone HW device for SSL decryption/encryption, hosting the certificate for secure-site.com, decrypting the SSL connection) -> WEBSERVER (non-SSL)

The purpose for this design is to keep the webserver behind a layer of switches (for VLANS and ACLS) and Cisco Content Servers (which act as a router and load balancer) and keep the Apache proxy server as the "edge presence" of the website.

What happens with this configuration is:
1) The client browser connects to the Apache proxy
2) The Apache proxy server connects to the SSL accelerator with HTTPS successfully, as seen in the debug-level Apache log files.
3) The browser waits, waits and waits...
4) The Apache proxy sits, sits and sits.
5) The Webserver DOES see the non-ssl connection. The information in the access log is:
"Client IPAddress - - [25/Jun/2002:17:04:18 -0700] "\x80L / HTTP/1.0" 302 0 "
6) Eventually the client browser gives up and times out.

If I install the certificate for secure-site.com on the Apache reverse proxy server and enable SSL, then the Apache reverse proxy will connect with SSL to both the browser and the downstream webserver. This works, but is pointless as it loads the Proxy server's CPU with SSL encryption/decryption. That's what we have the SSL accelerators for.

What is missing in my config? Is this setup even possible?
Any comments?

Thanks in advance.

-Michael


--------------


This is the Apache config I am using:
----------
Listen IPAddress:443
LogLevel debug
<VirtualHost IPAddress:443>
    SSLProxyEngine On
    ServerName web-site
    ProxyPass / https://secure-site.com
    ProxyPassReverse / https://secure-site.com
</VirtualHost>


------------
Server version: Apache/2.0.39
Server built: Jun 25 2002 16:11:49

-----------
Compiled in modules:
core.c
mod_access.c
mod_auth.c
mod_include.c
mod_log_config.c
mod_env.c
mod_setenvif.c
mod_proxy.c
proxy_connect.c
proxy_ftp.c
proxy_http.c
mod_ssl.c
prefork.c
http_core.c
mod_mime.c
mod_status.c
mod_autoindex.c
mod_asis.c
mod_cgi.c
mod_negotiation.c
mod_dir.c
mod_imap.c
mod_actions.c
mod_userdir.c
mod_alias.c
mod_so.c

Michael [ Thu, 27 June 2002 02:49 ] [ ID #12027 ]

Re: Reverse Proxy https question

Michael wrote:

> I am trying to Reverse Proxy HTTPS connections in the following manner:
>
> CLIENT Browser (https://secure-site.com) -> Apache 2.0 Reverse Proxy,
> posing as secure-site.com (non-ssl, non-decrypting, just passing the
> https through) -> Sonicwall SSL Accelerator (a stand-alone HW device
> for SSL decryption/encryption, hosting the certificate
> for secure-site.com, decrypting the SSL connection) -> WEBSERVER (non-SSL)
>
> The purpose for this design is to keep the webserver behind a layer of
> switches (for VLANS and ACLS) and Cisco Content Servers (which act as a
> router and load balancer) and keep the Apache proxy server as the "edge
> presence" of the website.

I don't know very much about SSL accelerators (is this a standalone
server, or hardware acceleration for an existing server of some kind?),
but regardless putting anything between the browser and the SSL
accelerator isn't going to work. The connection between browser and
accelerator is encrypted, so an HTTP proxy of any kind between them
isn't going to serve any purpose.

> If I install the certificate for secure-site.com on the Apache reverse
> proxy server and enable SSL , then the Apache reverse proxy will connect
> with SSL to both the browser and the downstream webserver. This works,
> but is pointless as it loads the Proxy server's CPU with SSL
> encryption/decryption. That's what we have the SSL accelerators for.

> This is the Apache config I am using:
> ----------
> Listen IPAddress:443
> LogLevel debug
> <VirtualHost IPAddress:443>
> SSLProxyEngine On
> ServerName web-site
> ProxyPass / https://secure-site.com
> ProxyPassReverse / https://secure-site.com
> </VirtualHost>

From what it looks like, you have Apache listening on port 443 (the
HTTPS port) without telling it to speak HTTPS, so the connection just hangs.

The second thing you have is that the Apache proxy is now talking SSL to
the backend accelerator - which will increase your server load, not
decrease it, as the content is being encrypted by the accelerator,
decrypted by the proxy, encrypted a second time by the proxy, and given
to the browser.

What you need to do is put the accelerator at the outside, which in turn
talks unencrypted HTTP to Apache, which in turn talks unencrypted HTTP
to the loadbalanced backend. Thus Apache does caching and URL management,
but no encryption.

Regards,
Graham
--
-----------------------------------------
minfrin [at] sharp.fm
"There's a moon
over Bourbon Street
tonight..."
Graham Leggett [ Thu, 27 June 2002 10:49 ] [ ID #12029 ]
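Graham's diagnosis (a listener on 443 that does not speak TLS being handed a TLS handshake) can be confirmed from the first bytes a listener receives, and that is also where the garbled "method" in Michael's webserver log comes from: a non-printable byte followed by "L" is the shape of an SSLv2-compatible CLIENT-HELLO header, which 2002-era browsers sent first. The script below is an added example, not code from the thread: it classifies leading bytes as a TLS record, an SSLv2-compatible hello or plain HTTP, and can attempt a real handshake against a host to tell a TLS listener from a plaintext one. The sample bytes are constructed and the host name in the final comment is hypothetical.

```python
import socket
import ssl

def classify_first_bytes(data: bytes) -> str:
    """Guess what a client is speaking from the first bytes it sent."""
    if len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x04:
        return "tls-record"              # TLS record: handshake (0x16), version 3.x
    if len(data) >= 3 and data[0] & 0x80 and data[2] == 0x01:
        return "sslv2-compatible-hello"  # 2-byte header, high bit set, CLIENT-HELLO (0x01)
    token = data.split(b" ", 1)[0]
    if token.isalpha() and token.isupper():
        return "http"                    # a request line such as GET / HTTP/1.0
    return "unknown"

def sslv2_record_length(data: bytes) -> int:
    """Body length carried in the low 15 bits of an SSLv2 two-byte record header."""
    return ((data[0] & 0x7F) << 8) | data[1]

def escape_for_log(data: bytes) -> str:
    """Render bytes the way Apache's access log does: non-printables as \\xNN."""
    return "".join(chr(b) if 0x20 <= b < 0x7F else f"\\x{b:02x}" for b in data)

def check_tls_listener(host: str, port: int = 443, timeout: float = 5.0) -> str:
    """Attempt a real handshake: a plaintext listener on 443 answers with HTTP bytes
    (SSLError, e.g. WRONG_VERSION_NUMBER) or never answers at all (timeout)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE      # only asking whether TLS is spoken at all
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return f"tls ({tls.version()})"
    except ssl.SSLError as exc:
        return f"not-tls ({exc.reason})"
    except socket.timeout:
        return "timeout: connection accepted, handshake never answered"
    except OSError as exc:
        return f"connect failed ({exc})"

# Constructed samples, not captured traffic: a TLS 1.0 ClientHello record, an SSLv2-
# compatible CLIENT-HELLO whose header 0x80 0x4c logs as "\x80L" (76-byte body), plain HTTP.
TLS10_HELLO = b"\x16\x03\x01\x00\x2f\x01\x00\x00\x2b\x03\x01"
SSLV2_HELLO = b"\x80\x4c\x01\x03\x01\x00\x1b\x00\x00\x00\x10"
HTTP_REQ = b"GET / HTTP/1.0\r\nHost: secure-site.com\r\n\r\n"

if __name__ == "__main__":
    for sample in (TLS10_HELLO, SSLV2_HELLO, HTTP_REQ):
        print(f"{escape_for_log(sample[:2]):8} -> {classify_first_bytes(sample)}")
    # Against a live host (hypothetical name): print(check_tls_listener("proxy.example"))
```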
Mailing list: gmane.comp.apache.mod-proxy