Reverse Proxy with TLS achieved by backend(s)

12:40 am on Nov 6, 2018 (gmt 0)

Preferred Member

(didn't know in which category to post, so if a mod wants to move it to a more appropriate place, this is fine, of course)

Hi,

I would like to:
- set up a frontend server (F),
- two backend servers (B1) and (B2),
- I would like the TLS handshake and encryption to be achieved at the level of the backends.

How to make so the Frontend forwards the traffic "transparently"?

I can do this using iptables, but I'd like something a bit more flexible, with fallback if a backend server is unavailable.

However, when I check reverse proxies like HAProxy, Nginx, etc., each time it's the front end that handles the TLS process.

I don't know if I am clear, I am confusing myself :)

Regards,
4:06 am on Nov 6, 2018 (gmt 0)

Administrator

you want a non-encrypted protocol (http) to connect the user agent to the front end server and all encrypted traffic (https) between the front end and back end servers?
9:52 am on Nov 6, 2018 (gmt 0)

Preferred Member

you want a non-encrypted protocol (http) to connect the user agent to the front end server and all encrypted traffic (https) between the front end and back end servers?

no no :) I did not explain well.

I would like:

client => https => frontend => https => backend

and the answer:

backend => https => frontend => https => client

However, when I do this, with HAProxy or nginx there are TWO handshakes/encryption. One between the backend and the frontend, and another one between the frontend and the client.

I would like the frontend to be totally transparent and to pass the data directly between the backend and client, to avoid twice the handshake and encryption.

Sorry, if I am too confused about my explanations, then ignore me :)
6:30 pm on Nov 6, 2018 (gmt 0)

Senior Member from CA 

The 'usual' method is that the browser's HTTPS connection is direct to the server with the certificate, which in turn proxies to webservers et al, often via HTTP, although they can be HTTPS with an internal cert. I've never thought of (or how one might) simply transparently flow through from front-facing to backend servers - on the face of it, it sounds like throwing security out the window - much as having browsers connect directly to the backend.

Beyond that headscratching caution, without knowing the general architecture (hardware and software) a more precise answer is beyond me.
10:19 pm on Nov 6, 2018 (gmt 0)

Preferred Member

In case it helps someone else one day, I think that what I am looking for is in fact called a "TCP reverse proxy". HAProxy has something about that, and for nginx this is available since v1.9: [nginx.org...]

So I need to study all this.
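As an added illustration of what such a TCP passthrough looks like (not a configuration from this thread), here is an HAProxy setup in `tcp` mode: the frontend relays the client's TLS bytes unchanged to B1, and B2 takes over only when B1 fails its health check. The addresses, hostname and server names are placeholders.

```haproxy
# Added example, not from the thread. HAProxy in TCP mode: the frontend
# holds no certificate and never terminates TLS; the client's handshake
# completes directly with whichever backend receives the connection.
# All addresses and names below are placeholders.
global
    log /dev/log local0

defaults
    log     global
    mode    tcp                 # layer 4 only: no HTTP parsing on the frontend
    option  tcplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend tls_passthrough
    bind *:443
    # Hold the connection until the ClientHello arrives so the SNI name
    # can be read (for routing and logging) without decrypting anything.
    tcp-request inspect-delay 5s
    tcp-request content accept if { req.ssl_hello_type 1 }
    # Optional: choose a backend by SNI when backends serve different names.
    use_backend app_servers if { req.ssl_sni -i www.example.com }
    default_backend app_servers

backend app_servers
    # 'check' is a plain TCP connect probe of port 443; it does not verify
    # the backend's certificate. 'backup' makes b2 the fallback for b1.
    server b1 10.0.0.11:443 check inter 2s fall 3 rise 2
    server b2 10.0.0.12:443 check inter 2s fall 3 rise 2 backup
```

Because the frontend only sees opaque TCP payload, it cannot add `X-Forwarded-For` or filter on HTTP content; the backends will log the proxy's address as the client unless the PROXY protocol (`send-proxy` here and the matching option on the backend) is enabled on both sides.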
8:05 pm on Nov 7, 2018 (gmt 0)

Senior Member from CA 

Interesting.

I do use HAProxy as a reverse proxy load balancer but had never noted the straight-through TCP option.

On first reading I'm still inclined to see it as a security risk and analytics concern. That it would shatter my current configuration is also a problem :)

Should you care to share why you think it a good idea and, should you implement it, how it works in practice, I'd be most interested.
7:09 pm on Nov 8, 2018 (gmt 0)

Preferred Member

Should you care to share ...

So far, I am just exploring possibilities... so I don't have concrete arguments, and I have no idea if it's a good or bad idea.

My thinking is about avoiding encrypting things twice.