堆栈内存溢出
  简体   繁体   English

如何在不中断客户端与服务器之间的https隧道的情况下配置apache反向代理?

[英]How apache reverse proxy can be configured without breaking the https tunnel between client & server?

 原文  2014-07-13 10:50:02       apache/ ssl/ reverse-proxy/ proxypass/ mod-ssl

问题描述

I have configured apache reverse proxy. 我已经配置了Apache反向代理。 In that configuration https connection is possible between client to reverse proxy and again reverse proxy to server. 在该配置中,客户端之间可以使用https连接来反向代理,然后再次反向代理到服务器。 But I want https connection between client to server like forward proxy. 但是我想要客户端到服务器之间的https连接,如正向代理。 The https connection should not be broken at reverse proxy. 反向代理不应断开https连接。 

     Https tunnel                   New Https tunnel
    <===============>             <===================>

Client-----------------------Apache Reverse proxy ----------------------------Server 客户端----------------------- Apache反向代理----------------------- - - -服务器

Above solution is not desirable. 上述解决方案是不可取的。 

                  Https Tunnel
   <========================================>

Client--------------------Apache Reverse proxy ----------------Server 客户端-------------------- Apache反向代理----------------服务器

Above solution is desirable. 上述解决方案是可取的。

If end to end https tunnel is not possible in reverse proxy then how can it be ensured that ssl proxying option is safe and even the Reverse proxy administrator(if reverse proxy got compromised) can not decrypt the tunnel or man in middle attack can't be done. 如果在反向代理中不可能使用端到端https隧道,那么如何确保ssl代理选项是安全的,甚至反向代理管理员(如果反向代理受到威胁)也无法解密隧道,或者处于中间攻击的人无法完成。

1 个解决方案

解决方案1
 0 已采纳  2014-11-07 09:10:29

You can't. 你不能 Because HTTPS by design guarantees that the sender is talking to the receiver via certificates. 因为HTTPS通过设计保证了发送方正在通过证书与接收方进行通信。 Your proxy here would be "the man in the middle" :-) 您的代理人将是“中间人” :-)

See http://en.wikipedia.org/wiki/Reverse_proxy 参见http://en.wikipedia.org/wiki/Reverse_proxy

In the case of secure websites, a web server may not perform SSL encryption itself, but instead offloads the task to a reverse proxy that may be equipped with SSL acceleration hardware. 对于安全网站,Web服务器本身可能不会执行SSL加密,而是将任务卸载到可能配备SSL加速硬件的反向代理。 (See SSL termination proxy.) (请参阅SSL终止代理。)

What you can do 你可以做什么 

Client------Apache Reverse proxy----SC--------------SS---------Server
            HTTPS                           SSL           HTTP        
            (listen to 443)

Where SC = Stunnel Client and SS = Stunnel Server 其中SC = Stunnel客户端,SS = Stunnel服务器

SC must run in the same machine as your apache reverse proxy, while SS must run in your server target. SC必须与apache反向代理在同一台计算机上运行,​​而SS必须在服务器目标中运行。

暂无
暂无

声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.

相关问题 Apache反向代理到https服务器 - Apache reverse proxy to https server 如何在 apache 反向代理服务器上强制将 http 重定向到 https? - How to force redirect http to https on a apache reverse proxy server? 具有SNI的Apache HTTPS反向代理,代理上没有密钥 - Apache HTTPS reverse proxy with SNI without key on the proxy 使用 Tomcat 的 Apache https 反向代理 - Apache https reverse proxy with Tomcat Apache反向代理https到http - Apache Reverse Proxy https to http Apache HTTPS 反向代理到 HTTP - Apache HTTPS reverse proxy to HTTP Apache 反向代理 HTTPS 到 HTTP - Apache reverse proxy for HTTPS to HTTP 无法同时使用Apache强制执行“ https”和反向代理 - Can't force 'https' and reverse proxy with Apache at the same time 可以将Tomcat配置为Apache的代理吗? - Can Tomcat be configured as the proxy for apache? 带和不带 SSL 的 Apache 反向代理之间行为不同的原因 - Reasons for differing behavior between Apache reverse proxy with and without SSL
相关标签
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM