LinuxQuestions.org
01-12-2011, 06:16 PM   #1
helptonewbie
SSL Reverse Proxy? Or what am I after?


Hi All,

So I've been pondering this a little tonight.

I'm looking to basically do something similar to NAT I suppose. I would like https requests to be sent to this server (middle server) and then those requests are actually getting answered by a backend server.

However I don't see a reason I need to decrypt the traffic at the proxy server 'or middle man stage' if you like. And then re-encrypt to send onto the backend server - seems like a bit of a pointless task.

All I'm really looking for is almost some simple routing, but in such a way that it looks, to anyone that was actually to try looking, like it is the middle server that's answering the requests, even though in reality it isn't.

Can I do such a thing when SSL/TLS https is involved? Or will I need to properly reverse proxy with pound/haproxy/nginx/etc, terminate the incoming SSL and then forward onto the backend after that, again back to being https to the backend as well?

That's why, if it's possible to do something which I'd believe to be far simpler, maybe even something as crazy as an IPtables NAT or reverse NAT, it is something I'm thinking about for the SSL traffic. So the backend servers and thus IP addresses aren't visible to anything that's looking and for all intents and purposes it looks more like everything is being answered by this middle server?

I feel like in a NAT I'm missing something obvious that won't work but for some reason I can't think what that is right now.

Best Regards all and thanks for any suggestions provided.
M
 
01-12-2011, 09:22 PM   #2
kbp
Sounds like you might want a load balancer, I like crossroads but there are plenty to choose from.

Example layout: [internet]----[firewall + NAT]----[load balancer]----[backend servers]

cheers
 
01-13-2011, 06:38 AM   #3
helptonewbie (Original Poster)
Hi kbp,

Sort of.. but more of...

Example layout: [user]----[internet]----[firewall]----[load balancer/proxy/NAT]----[firewall]----[internet]----[firewall]----[backend servers]

But the backend servers are already a load-balanced pool of servers, so really I'm wanting to simply forward on the request from this "load balancer/proxy/NAT" but in a way that it looks like that is the server that's serving the traffic.. whereas in reality it will not be.

I'm sure this is possible with a reverse proxy load balancer as suggested when talking of 'pound/haproxy/nginx/etc'. But I'm thinking that may not even be required if a reverse proxy works in the way I'm thinking it might in my head right now.
 
01-13-2011, 05:01 PM   #4
kbp
Yes, I think a proxy would be your only option in that case.
 
01-18-2011, 07:39 AM   #5
helptonewbie (Original Poster)
Hello,

Do you think you can explain exactly why an IPtables reverse NAT wouldn't work?

In my mind it still seems perfectly reasonable. It works out of the box without having to install any piece of software, and I'd have thought it's quite possibly going to require fewer server resources to run, as it's simply IPtables rather than having to run a proxy server.

Cheers,
m
 
01-18-2011, 05:01 PM   #6
kbp
Sorry .. I'm not an iptables guru, it's probably possible but you may not end up with the same functionality as a proxy application.
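
The iptables approach asked about in this thread, as an added example that is not part of any post: a DNAT rule sends port 443 on the middle server to the backend, and an SNAT rule makes the backend's replies return through the middle server, so the TLS session stays end to end between client and backend. The function name `passthrough_rules` and all addresses are assumptions (constructed documentation-range values), and the middle server is assumed to hold its public address on its own interface.

```shell
#!/bin/sh
# Added example: emit iptables-restore input that forwards TCP/443 through a
# middle server to a backend without terminating TLS on the middle server.
# Addresses are constructed (RFC 5737 documentation ranges).
#
# To apply (as root), after reviewing the output:
#   sysctl -w net.ipv4.ip_forward=1
#   passthrough_rules MIDDLE_IP BACKEND_IP | iptables-restore --noflush

# passthrough_rules MIDDLE_IP BACKEND_IP [PORT]
passthrough_rules() {
    middle=$1 backend=$2 port=${3:-443}

    # Accept only dotted-quad addresses and a numeric port, so an argument
    # cannot carry extra iptables options into the ruleset.
    for ip in "$middle" "$backend"; do
        printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || {
            echo "invalid IPv4 address: $ip" >&2; return 1; }
    done
    case $port in ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1;; esac

    cat <<EOF
*nat
-A PREROUTING -d $middle -p tcp --dport $port -j DNAT --to-destination $backend:$port
-A POSTROUTING -d $backend -p tcp --dport $port -j SNAT --to-source $middle
COMMIT
*filter
-A FORWARD -d $backend -p tcp --dport $port -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -s $backend -p tcp --sport $port -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# Print the ruleset for a constructed middle/backend pair.
passthrough_rules 192.0.2.10 198.51.100.20
```

Because the middle server never terminates TLS, the certificate clients see is the backend's, so it must be valid for the hostname that points at the middle server. With the SNAT rule in place the backend logs the middle server's address as the source of every connection, not the client's.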
 
  

