LinuxQuestions.org


helptonewbie 01-12-2011 05:16 PM

SSL Reverse Proxy? Or what am I after?
 
Hi All,

So I've been pondering this a little tonight.

I'm looking to basically do something similar to NAT I suppose. I would like https requests to be sent to this server (middle server) and then those requests are actually getting answered by a backend server.

However I don't see a reason I need to decrypt the traffic at the proxy server 'or middle man stage' if you like. And then re-encrypt to send onto the backend server - seems like a bit of a pointless task.

All I'm really looking for is almost some simple routing, but in such a way that it looks to anyone who was actually to try looking as if it is the middle server that's answering the requests, even though in reality it isn't.

Can I do such a thing when SSL/TLS https is involved? Or will I need to properly reverse proxy with pound/haproxy/nginx/etc, terminate the incoming SSL and then forward onto the backend after that, again back to being https to the backend as well.

That's why, if it's possible to do something which I'd believe to be far simpler, maybe even something as crazy as an iptables NAT or reverse NAT, is something I'm thinking about for the SSL traffic. So the backend servers and thus IP addresses aren't visible to anything that's looking, and for all intents and purposes it looks more like everything is being answered by this middle server?

I feel like in a NAT I'm missing something obvious that won't work, but for some reason I can't think what that is right now.

Best Regards all and thanks for any suggestions provided.
M

kbp 01-12-2011 08:22 PM

Sounds like you might want a load balancer, I like crossroads but there are plenty to choose from.

Example layout: [internet]----[firewall + NAT]----[load balancer]----[backend servers]

cheers

helptonewbie 01-13-2011 05:38 AM

Hi kbp,

Sort of.. but more of...

Example layout: [user]----[internet]----[firewall]----[load balancer/proxy/NAT]----[firewall]----[internet]----[firewall]----[backend servers]

But the backend servers are already a load-balanced pool of servers, so really I'm wanting to simply forward on the request from this "load balancer/proxy/NAT" but in a way that it looks like that is the server that's serving the traffic.. whereas in reality it will not be.

I'm sure this is possible with a reverse proxy load balancer as suggested when talking of 'pound/haproxy/nginx/etc'. But I'm thinking that may not even be required if a reverse proxy works in the way I'm thinking it might in my head right now.

kbp 01-13-2011 04:01 PM

Yes, I think a proxy would be your only option in that case

helptonewbie 01-18-2011 06:39 AM

Hello,

Do you think you can explain exactly why an iptables reverse NAT wouldn't work?

In my mind it still seems perfectly reasonable. It works out of the box without having to install any piece of software, and I'd have thought it's quite possibly going to require fewer server resources to run, as it's simply iptables rather than having to run a proxy server.

Cheers,
m

kbp 01-18-2011 04:01 PM

Sorry .. I'm not an iptables guru, it's probably possible but you may not end up with the same functionality as a proxy application.
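
The iptables approach asked about in this thread, as an added example that is not from any poster: a script that prints (does not apply) the DNAT/SNAT rules for passing port 443 through untouched. The function names and the RFC 5737 addresses are assumptions for illustration, and it assumes the middle server sends and receives on a single address.

```shell
#!/bin/sh
# Added example: PRINT (do not apply) iptables rules that pass HTTPS through
# the middle server without terminating TLS. Addresses are RFC 5737
# documentation placeholders, constructed for illustration.

is_ipv4() {
    # Allow only digits and dots so nothing else can reach the rule text.
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the dotted quad into octets
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

tls_passthrough_rules() {
    middle=$1 backend=$2 port=${3:-443}
    is_ipv4 "$middle" && is_ipv4 "$backend" || { echo "bad address" >&2; return 2; }
    case "$port" in ''|*[!0-9]*) echo "bad port" >&2; return 2 ;; esac
    # 1. The kernel must be allowed to route packets between interfaces.
    # 2. DNAT: packets addressed to the middle server go to the backend.
    # 3. SNAT: rewrite the source so replies return via the middle server.
    #    Side effect: the backend sees only the middle server's IP.
    # 4/5. Permit the forwarded flow in both directions.
    # TLS is never decrypted here, so clients are shown the backend's own
    # certificate; it must be valid for the name they connected to.
    cat <<EOF
sysctl -w net.ipv4.ip_forward=1
iptables -t nat -A PREROUTING -d $middle -p tcp --dport $port -j DNAT --to-destination $backend:$port
iptables -t nat -A POSTROUTING -d $backend -p tcp --dport $port -j SNAT --to-source $middle
iptables -A FORWARD -d $backend -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -s $backend -p tcp --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
}

# Usage: sh tls-passthrough.sh 203.0.113.10 198.51.100.20 [port]
if [ "$#" -ge 2 ]; then tls_passthrough_rules "$@"; fi
```

Because the traffic is only readdressed, the middle server cannot inspect, log or filter requests at the HTTP layer, which is the functionality a terminating proxy would add.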

