Help with IP Detection when using SSL
Reinis Rozitis
r at roze.lv
Wed Dec 4 14:47:32 CET 2013
> Unfortunately, due to strict security requirements we are not able to
> offload SSL onto the load balancer/cache; it has to go to Apache.

Can you clarify this?

In this scenario you can't even use anything besides a TCP balancer, since
you can't simply put a plain HTTP cache/proxy like nginx or varnish in between,
as it needs to read (and alter) the HTTP headers, which would defeat the whole
purpose of SSL/encryption ("man in the middle").

Of course nginx can also proxy HTTPS traffic (like proxy_pass
https://yoursite;) to backends, but it would still need the SSL certificates
for HTTPS to function on the client side.

This is why SSL offloading is usually done at the top level (in your
case it would be nginx, which then passes the X-Forwarded-For header to
varnish, which further passes it to Apache, and Apache converts it to the client
IP).
rr
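
Added example, not part of the original message: a sketch of the last step in the chain described above, where the backend turns X-Forwarded-For back into a client IP without trusting values the client supplied itself. The proxy networks and all addresses are constructed, and it assumes each proxy appends the address it received the connection from.

```python
import ipaddress

# Assumption: nginx and varnish live on loopback or this private subnet.
TRUSTED_PROXIES = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "10.0.0.0/24")]


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(peer_addr, xff_header):
    """Return the address the backend should treat as the client.

    peer_addr:  TCP source address of the connection reaching the backend.
    xff_header: raw X-Forwarded-For value, or None if the header is absent.
    """
    peer = ipaddress.ip_address(peer_addr)
    # A peer that is not one of our proxies gets no say: ignore its header.
    if not _is_trusted(peer) or not xff_header:
        return str(peer)
    candidate = peer
    # Walk right to left: the rightmost entries were appended by our own
    # proxies, the leftmost ones are whatever the client chose to send.
    for hop in reversed([h.strip() for h in xff_header.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            break  # malformed entry: keep the last address we could verify
        candidate = addr
        if not _is_trusted(addr):
            break  # first address that is not ours is the real client
    return str(candidate)


if __name__ == "__main__":
    # Constructed request: the client forged an entry; nginx (10.0.0.5)
    # and varnish (127.0.0.1) each appended the address they saw.
    print(client_ip("127.0.0.1", "198.51.100.99, 203.0.113.7, 10.0.0.5"))
```

Taking the leftmost entry instead would return the forged 198.51.100.99, which matters whenever the address feeds access control, rate limiting or audit logs.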
More information about the varnish-misc
mailing list