SSL reverse proxy

From: Colin Campbell <sgcccdc@dont-contact.us>
Date: Mon, 29 May 2000 17:54:05 +1000 (EST)

Hi,

I might be able to shed a little light on why it isn't possible to reverse
proxy HTTPS connections. Most of this knowledge comes from Netscape
documentation surprisingly enough!

The problem with reverse proxying of HTTPS is where to terminate the
encryption. You can have one of three scenarios.

1) SSL from browser to proxy and cleartext from proxy to server. This
isn't too bad if the server is close to the proxy. However the server
cannot prove its identity to the browser because the browser can only see the
proxy's certificate. The server can never see a browser certificate so
browser authentication is impossible.

2) cleartext from browser to proxy and SSL from proxy to server.
Pointless.

3) SSL from browser to proxy and *different* SSL from proxy to server.
More point than (2) and more secure than (1) since both paths are
encrypted. However the browser cannot authenticate the server since it can
only ever see the proxy's certificate and the server will only ever see
the proxy's certificate. Consequently we are still stuck with neither the
browser nor the server being able to authenticate each other.

The problem arises because the proxy cannot see what's in the SSL channel
without deciphering it. It can only decipher it by being an SSL endpoint.
By doing so there can never be any end-to-end authentication.

Colin

--
Colin Campbell
Unix Support/Postmaster/Hostmaster
CITEC
+61 7 3224 5069
Received on Mon May 29 2000 - 01:57:38 MDT
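Added example (not part of Colin's message or of any product he mentions): scenarios (1) and (3) from the post written out as nginx server blocks, so the point about where the encryption terminates is visible in the configuration. nginx is assumed as the proxy; the hostnames, addresses, ports and certificate paths are placeholders. Scenario (2), cleartext from browser to proxy, is simply `listen 80;` in front of the scenario (3) `location` and is left out.

```nginx
# Scenario 1: SSL from browser to proxy, cleartext from proxy to server.
server {
    listen 443 ssl;
    server_name www.example.com;            # assumed hostname

    # The browser only ever sees this certificate; the backend's own
    # identity is never presented to the browser.
    ssl_certificate     /etc/ssl/proxy.crt;  # assumed path
    ssl_certificate_key /etc/ssl/proxy.key;  # assumed path

    location / {
        proxy_pass http://10.0.0.10:8080;    # plaintext on the inside
    }
}

# Scenario 3: SSL from browser to proxy and a *different* SSL session
# from proxy to server. The proxy also demands a browser certificate,
# which shows where browser authentication is forced to stop.
server {
    listen 443 ssl;
    server_name secure.example.com;         # assumed hostname

    ssl_certificate     /etc/ssl/proxy.crt;
    ssl_certificate_key /etc/ssl/proxy.key;

    # Browser authentication happens here, at the proxy, not at the server.
    ssl_verify_client      on;
    ssl_client_certificate /etc/ssl/browser-ca.crt;   # assumed CA bundle

    location / {
        proxy_pass https://10.0.0.10:8443;

        # Second, independent SSL session: the proxy, not the browser,
        # is the party that authenticates the server's certificate ...
        proxy_ssl_verify              on;
        proxy_ssl_trusted_certificate /etc/ssl/backend-ca.crt;  # assumed
        proxy_ssl_name                app.internal.example.com; # assumed
        proxy_ssl_server_name         on;

        # ... and the proxy presents its own certificate, so the server
        # authenticates the proxy and never the browser.
        proxy_ssl_certificate     /etc/ssl/proxy-client.crt;   # assumed
        proxy_ssl_certificate_key /etc/ssl/proxy-client.key;   # assumed

        # The only trace of the browser's identity that reaches the server
        # is a header the proxy fills in. Anything that can reach port 8443
        # could forge it, so the server has to trust the proxy for this and
        # the server side must only accept connections from the proxy.
        proxy_set_header X-SSL-Client-Verify $ssl_client_verify;
        proxy_set_header X-SSL-Client-DN     $ssl_client_s_dn;
    }
}
```

Dropping the `ssl_verify_client` / `ssl_client_certificate` lines gives scenario (3) exactly as described in the message. Keeping them shows the consequence Colin draws: the browser's certificate is checked by the proxy, the server sees only the proxy's certificate, and what the server learns about the browser is a claim made by the proxy rather than an end-to-end authentication.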

This archive was generated by hypermail pre-2.1.9 : Tue Dec 09 2003 - 16:53:35 MST