top button
Flag Notify
    Connect to us
      Site Registration

Site Registration

reverse proxy: connect to origin servers via http or https?

+6 votes
526 views

I have a reverse proxy (apache 2.2) with mod_proxy_balancer with https visible to the outside world.

The question is: from the proxy performance/scalability point of view is it better to configure backends (origin servers) with http or with https?

Is it true that if proxy is setup https->http then it only has to decrypt/encrypt the headers and the body is encrypted/decrypted on the backend? I do not use mod_proxy_html (but maybe there are other modules which affect this behaviour on the proxy?.

How either setup affects latency of handling requests? With https->https do I have to do two handshakes (on the proxy and on the backend) for every connection? I have KeepAlive both on the proxy and the backends.

posted Feb 7, 2014 by Dewang Chaudhary

Share this question
Facebook Share Button Twitter Share Button LinkedIn Share Button

1 Answer

+1 vote
 
Best answer

The question is: from the proxy performance/scalability point of view is it better to configure backends (origin servers) with http or with https?
"Better" depends on what you want to achieve. Do you want to securely deliver simple html content with no fancy stuff ? Do you want to have authentication internally ? If so, do you care if your users can see other users authentication data (if they are knowledgeable on how to do it) ?

Is it true that if proxy is setup https->http then it only has to decrypt/encrypt the headers and the body is encrypted/decrypted on the backend? I do not use mod_proxy_html (but maybe there are other modules which affect this behaviour on the proxy?.
no. If you configure your frontend with https and your backends with http, then you just told apache to NOT use SSL between mod_proxy and the backend servers. Only your frontends will do SSL handshakes in this setup. Thats pretty much SSL Offloading, maybe you got that confused ?

How either setup affects latency of handling requests? With https->https do I have to do two handshakes (on the proxy and on the backend) for every connection? I have KeepAlive both on the proxy and the backends.
Involving SSL as opposed to not involving SSL will always slow things down. How much ? Depends on your settings, on your hardware (SSL accelerators), etc. Are you going to deal with large amounts of users ? If so you might want to consider using SSL only for some parts of your page(s).

It all boils down to writing down your requirements. First you should get a hold on what you actually want, then worry about how to do it. Secondly, seeing how easy it is to set up basic configurations using the docs you should start there and dig into specific issues later.

answer Feb 7, 2014 by Satish Mishra
Similar Questions
+1 vote

1) I'd have a question on how to set up a reverse proxy to a http 1.0 in the cleanest most standard conforming way.

AFAIU, strict HTTP 1.0 has neither persistent connections / keep-alives
- a connection ends after a single request has been responded. Neither does it have Host: headers.

a) Do I need to tell the reverse-proxy about this? Do I have to set:
- ProxyPass' disablereuse=on and/or
- force-proxy-request-1.0 and/or
- proxy-nokeepalive and/or
- proxy-sendcl

Or is one of them enough? E.g. when I set force-proxy-request-1.0... all the others are implicitly set?

b) Do I need to set proxy-initial-not-pooled?
Cause I get the error mentioned there,... interestingly that seems to be independent of the backend/origin server... and dependent on the client.

c) So, strictly speaking, I could not use name-based vhosting, right?

2) Further, when a client talks to the reverse proxy in HTTP 1.0 it should get the reply in 1.0 either. And when it talk to it in 1.1, it should get it in 1.1.

Would Apache do this automatically, or would it answer a 1.0 request with a 1.1 response?
So do I have to set: force-response-1.0 ?

3) The origin server to which I connect is single threaded, i.e. it will only process one request at a time. So Apache shouldn't connect more than once concurrently, as it would simply block. How do I get this? The keep-alive options above probably don't help here... Is the solution to set ProxyPass' max=1 ?

+1 vote

I have an idea how to setup Apache for doing load balancer based on mod_proxy and mod_balance modules. But in my case the backend server requires ssl client certificate authentication and therefore the Apache Server cannot terminate the ssl connection.

I do no need http session cookie stickyness. The application is stateless. Can I somehow configure Apache as a transparent balancer?

Or I should use even another software - squid, iptables? The backend application is a web service running on Tomcat.

+2 votes

Does Apache in reverse proxy mode cache the complete response from the backend before forwarding it the client, or does it send the data to the client as it receives it? In other words, if the backend server only produced and transmitted a response, how would apache proxy server react?

0 votes

After looking this over I've located the issue but haven't determined how to best implement the resolution.

The problem is that when folks access HTTP (via httpd-vhosts.conf) the configuration Rewrites the URL as https://www.yippyskippy.com/ClusterTester$1

When end-users bypass the HTTP configuration and go directly to HTTPS the httpd-ssl.conf file has been configured to expect that the Rewrite has already occurred and that the /ClusterTester$1 suffix already exists.

Because the original httpd-vhosts.conf Rewrite command is bypassed, the httpd-ssl.conf configuration tries to proxypass the incorrect URL string to the back-end Glassfish server resulting in the original error.

Now I'm trying to determine how/where to best place the Rewrite command (I'm assuming within the httpd-ssl.conf virtual hosts section) while still maintaining the redirect from HTTP to HTTPS.

+5 votes

WE are trying to setup HTTPS tunnelling to a backend server through Apache proxy but we are finding the client connect but Apache does not send through the traffic the backend server.

Config we have on our Apache proxy virtual host is

DocumentRoot "/usr/local/apache/htdocs/ibcm/" 
ServerName test.testdom.local 
ErrorLog logs/ibcm 
ServerAdmin webmaster@testdom.local 
ProxyRequests On 
AllowConnect 443 
SSLEngine on 
SSLHonorCipherOrder On 
SSLProtocol -ALL SSLv3 TLSv1 
SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:RC4RSA:HIGH:MEDIUM 
SSLCertificateFile "/etc/ssl/crt/ibcm.crt" 
SSLCertificateKeyFile "/etc/ssl/crt/testdom.key" 
SSLCertificateChainFile "/etc/ssl/crt/CA-DOM.crt" 
 Order deny,allow 
 Deny from all 
 Order deny,allow 
 Allow from all 

Anybody know what we are not doing correctly. Also we found Apache would not start without us putting in the root certificate. Thought it would not need any certificate for tunnelling so wonder if we have missed something.

...