Reverse Proxy with TLS achieved by backend(s)

Forum Moderators: phranque

Message Too Old, No Replies

Reverse Proxy with TLS achieved by backend(s)

justpassing

12:40 am on Nov 6, 2018 (gmt 0)

(didn't know in which category to post, so if a mod wants to move it in a more appropriate place, this is fine, of-course)

Hi,

I would like to:
- set up a frontend server (F),
- two backend servers (B1) and (B2),
- I would like the TLS handshake and encryption to be achieved at the level of the backends.

How to make so the Frontend forwards the traffic "transparently"?

I can do this using iptable, but I'd like something a bit more flexible, with fallback, if a backend server is unavailable.

However, when I check reverse proxies like HAProxy, Nginx, etc... each time, it's the front end which is handling the TLS process.

I don't know if I am clear , I am confusing myself :)

Regards,

phranque

4:06 am on Nov 6, 2018 (gmt 0)

you want a non-encrypted protocol (http) to connect the user agent to the front end server and all encrypted traffic (https) between the front end and back end servers?

justpassing

9:52 am on Nov 6, 2018 (gmt 0)

you want a non-encrypted protocol (http) to connect the user agent to the front end server and all encrypted traffic (https) between the front end and back end servers?

no no :) I did not explain well.

I would like :

client => https => frontend => https => backend

and the answer:

backend => https => frontend => https => client

However, when I do this, with HAProxy or nginx there are TWO handshakes/encryption. One between the backend and the frontend, and another one between the frontend and the client.

I would like the frontend to be totally transparent and to pass the data directly between the backend and client, to avoid twice the handshake and encryption.

Sorry, if I am too confused about my explanations, then ignore me :)

iamlost

6:30 pm on Nov 6, 2018 (gmt 0)

The 'usual' method is that the browser's HTTPS connection is direct to the server with the certificate, which in turn proxy to webservers et al, often via HTTP, although they can be HTTPS with an internal cert. I've never thought of (or how one might) simply transparently flow through front facing to backend servers - on the face of it it sounds like throwing security out the window - much as having browsers connect directly to backend.

Beyond that headscratching caution, without knowing the general architecture (hardware and software) a more precise answer is beyond me.

justpassing

10:19 pm on Nov 6, 2018 (gmt 0)

In case it help someone else, one day, I think that what I am looking for is in fact called "TCP reverse proxy" HAProxy has something about that, and for nginx this is available since v1.9 : [nginx.org...]

So I need to study all this.

iamlost

8:05 pm on Nov 7, 2018 (gmt 0)

Interesting.

I do use HAProxy as reverse proxy load balance but had never noted the straight through TCP option.

On first reading I'm still inclined to see it as a security risk and analytics concern. That it would shatter my current configuration is also a problem :)

Should you care to share why you think it a good idea and should you implement it how it works in practice I'd be most interested.

justpassing

7:09 pm on Nov 8, 2018 (gmt 0)

Should you care to share ...

So far, I am just exploring possibilities... so I don't have concrete arguments, and I have no idea, if it's good or bad idea.

My thinking is about avoiding to encrypt things twice.