I'm configuring a DMZ which has the following Scheme:
Internet - Server A - Security Appliance - Server B - Intranet
In this DMZ I need a Proxy server for http(s) connections from the Intranet to Internet.
The Problem is, that all Traffic should be scanned by the Security Appliance. For this I have to terminate the SSL Connection at Server B, proxy it as plain http to Server A through the Security Appliance and then further as https into the Internet. An
encryption is then persistent between the Client and Server B and the Target Server and Server A. The communication between Server A and Server B is unencrypted.
I know about the security risks and that the client will see some warning about the unknown CA of Server B's certificate.
As Software I want to use Apache Web Servers on Server A and Server B.
As first step I tried to configure Server B that it serves as endpoint for the SSL
Encryption. So it has to establish the
encryption with the client (answering HTTP CONNECT).
Listen 8443
<VirtualHost *:8443>
ProxyRequests On
ProxyPreserveHost On
AllowCONNECT 443
# SSL
ErrorLog logs/ssl_error_log
TransferLog logs/ssl_access_log
LogLevel debug
SSLProxyEngine on
SSLProxyMachineCertificateFile /etc/pki/tls/certs/localhost_private_public.crt
<Proxy *>
Order deny,allow
Deny from all
Allow from 192.168.0.0/22
</Proxy>
</VirtualHost>
With this Proxy only the CONNECT request is passed through and an encrypted Connection between the client and the target is established. Unfortunately there is no possibility to configure mod_proxy_connect to decrypt the SSL connection. Is there any possibility to accomplish that kind of proxying with Apache?
