Hello Jim,

Thanks for the warning!
In my case the HTTP traffic is only between the reverse proxy and a virtual machine running on the same host. To my knowledge the traffic can only be intercepted when someone breaks into my system. It's a personal cloud service and I don't think many people are interested in it. I'm talking about this set-up: https://jeroenverhoeckx.com/build-your-own-personal-cloud.html

So, I think I'm relatively safe :-) .

Jeroen

--------------------------------------------------------
Support the independent web, use [Firefox](https://www.mozilla.org/en-US/firefox/new/)

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Thursday, January 13th, 2022 at 11:34 PM, Jim Albert <j...@netrition.com> wrote:

> With regard to:
> reverse proxy --> HTTP --> back-end server
> and in respect to the sensitivity of your requests and responses, you might want to consider any security implications or if this violates any compliance requirements depending on the proximity of your proxy to your back-end server. It's likely the proxy -> back-end server stays within a very tight environment. However, that request and response is traveling some segment of network whether physical or virtual and likely only yours, unencrypted or perhaps protected at most by VPN encryption.
>
> On 1/13/2022 5:05 PM, Jeroen Verhoeckx wrote:
>
>> Hello Dino / HTH,
>>
>> Thank you for your very elaborate answer!!
>>
>> Your 'diagram' made it very clear!
>> Clients --> INTERNET --> Apache httpd reverse proxy (answer to HTTPS requests made by your clients) --> Your internal backend(s) (answer to HTTPS requests coming from your proxy).
>>
>> It's also good to know that I set up my reverse proxy in the correct way (only installing the SSL certificates on the reverse proxy).
>> My set-up is: Clients --> HTTPS --> reverse proxy --> HTTP --> back-end server
>>
>> There is no need in my set-up to use HTTPS between the reverse proxy and the back-end server.
>>
>> Thanks for the clarification!
>>
>> Jeroen
>>
>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>> On Thursday, January 13th, 2022 at 7:15 PM, Dino Ciuffetti <d...@tuxweb.it> wrote:
>>
>>> Apache httpd works at layer 7 (HTTP/HTTPS).
>>> You CANNOT have a reverse proxy at layer 4 with apache httpd where the X509 certificates are only needed on your backends (like HAProxy does).
>>>
>>> Clients --> INTERNET --> Apache httpd reverse proxy (answer to HTTPS requests made by your clients) --> Your internal backend(s) (answer to HTTPS requests coming from your proxy).
>>>
>>> The traffic between your internet clients and apache httpd is protected via the TLS protocol (HTTPS), so you need an X509 certificate and its private key on your httpd public-facing reverse proxy virtual host to terminate TLS internet traffic to your reverse proxy.
>>>
>>> If you also want your reverse proxy to talk to your internal backend(s) via HTTPS you also need an X509 certificate and private key on your HTTPS backend servers.
>>>
>>> RECAP: You will need a certificate released by a public (known to all major browsers) Certification Authority for your reverse proxy and a certificate released by a private Certification Authority (only known by your proxy and your backends) on your backends. You could even use self-signed certificates on your private side, or maintain a private CA by yourself via openssl.
>>>
>>> HTH
>>>
>>> 13 January 2022 12:58, "Jeroen Verhoeckx" <j.verhoe...@protonmail.com.invalid> wrote:
>>>
>>>> Thanks, great to know that it is possible!
>>>>
>>>> You write that you need to install the SSL certificates on both the reverse proxy and in the virtual machine (or another local server)?
>>>> Is that really necessary? I try to avoid duplication whenever that is possible.
>>>>
>>>> Do you have an example set-up somewhere?
>>>>
>>>> Thanks!!
>>>>
>>>> ‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
>>>> On Wednesday, January 12th, 2022 at 5:23 PM, Dino Ciuffetti <d...@tuxweb.it> wrote:
>>>>
>>>>>> My question:
>>>>>> Would it have been possible to install the SSL certificates in the virtual machines?
>>>>>
>>>>> YES. It's possible to send Internet HTTPS traffic to an internal HTTPS service behind apache httpd as a reverse proxy.
>>>>> You eventually need to install the same SSL certificates (but you don't have to necessarily) on both the reverse proxy and the internal service, enable SSLProxyProtol on your VHs and send the traffic to HTTPS via your ProxyPass.
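
The two set-ups discussed in this thread, written out as an httpd configuration sketch. This is an added example, not part of any message in the thread; the hostnames, the 192.0.2.10 address and all file paths are placeholders.

```apache
# Added example, not from the thread. Hostnames, the 192.0.2.10 address and
# every file path below are placeholders.

# --- Reverse proxy: public virtual host, terminates TLS from Internet clients ---
<VirtualHost *:443>
    ServerName cloud.example.org

    # Certificate issued by a public CA; needed on the proxy in both variants.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/public/cloud.example.org.crt
    SSLCertificateKeyFile /etc/ssl/private/cloud.example.org.key

    # Variant A: Clients --> HTTPS --> reverse proxy --> HTTP --> back-end server.
    # The proxy-to-back-end hop is unencrypted; no certificate on the back end.
    # ProxyPass        / http://192.0.2.10:8080/
    # ProxyPassReverse / http://192.0.2.10:8080/

    # Variant B: HTTPS on the back-end hop as well. The proxy acts as a TLS
    # client and checks the back end's certificate against the private CA.
    SSLProxyEngine on
    SSLProxyVerify require
    SSLProxyCACertificateFile /etc/ssl/private-ca/ca.crt
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    ProxyPass        / https://backend.internal.example/
    ProxyPassReverse / https://backend.internal.example/
</VirtualHost>

# --- Back-end server (separate httpd instance, e.g. inside the virtual machine) ---
<VirtualHost *:443>
    ServerName backend.internal.example

    # Certificate issued by the private CA (or self-signed, in which case the
    # proxy's SSLProxyCACertificateFile points at this certificate itself).
    SSLEngine on
    SSLCertificateFile    /etc/ssl/backend/backend.internal.example.crt
    SSLCertificateKeyFile /etc/ssl/backend/backend.internal.example.key
</VirtualHost>
```

Variant B needs mod_ssl, mod_proxy and mod_proxy_http loaded on the proxy, and the back-end certificate must carry backend.internal.example as a subject alternative name for SSLProxyCheckPeerName to pass.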