On Wed, Jan 17, 2001 at 01:50:30PM +0100, Ola Muan wrote: > > We run IIS on Win2KServer as application server against Oracle inside > our firewall. Now we want to provide to our customers the ability to > access reports and such things on that IIS via the Internet. > > (..., ...) >
... didn't see too many responses yet, so I thought you might be interested in some more comments: I'm not sure whether I understood every detail of what are trying to achieve, in particular why you would want to bring the Apache into play. But, if I didn't misunderstand you too much, the best/most simple solution (imho) would be to leave the Apache out of the whole business and do a transparent TCP proxying (some prefer to call it port- forwarding) in your DMZ, so that the SSL packets get directly routed to your IIS server, which will then do everything else -- authentication, authorization, content serving, etc., just as you have it right now. Although I feel tempted to "sell" you an Apache-based all-in-Linux solution :-) , under the given circumstances, it's probably preferable to "not touch a running system" (at least if it is... :) With this solution your main task would be to talk to your firewall expert, and have him set things up appropriately. The new 2.4-kernel netfilter/iptables architecture offers very flexible configuration options, though mere port-forwarding should not be a problem for older kernels either. (I'd rather not give you any recipes here, because I'm definitely not a firewall expert :) I think the main issue boils down to the question, at which point to do the de-/encryption of the SSL protocol. With the above solution you'd leave that to the IIS. The TCP proxying would occur at a relatively low level, without any knowledge of the application-level protocols (HTTP(S),SSL), which means that the "proxy" won't be able to inspect URLs and HTTP headers, do caching of the content, or whatever else you might think of. All information you have (and can control) at this point is basically: IP address and port number -- the rest is simply tunneled through encrypted. If you really need to do proxying at the application level, then (and only then) the Apache+some-SSL reverse proxying solution would make sense, imho. In this case the Apache would handle the de-/encryption for the outbound side. This however seems to be the hardest way... especially if the IIS were still to speak HTTPS, for then, everything would have to be re-encrypted before sending the request to the real content server. Afaik, the usual Apache/mod_ssl/mod_proxy bundle would not be able to handle this reencryption, anyway, without doing some real programming (if anyone knows better, let me know...) On the inbound side (proxy<-->IIS) you might also consider using HTTP instead of HTTPS, which would considerably simplify things. That would, of course, depend on your LAN-internal security policies... Depending on where authentication/authorization is supposed to occur (I guess your database is involved here), you would, however, have to devise some means of passing on the relevant information you extracted from the client certificates, for example by using the "basic authentication" method from HTTP. I think I won't elaborate on this any further, as I anticipate that this is not really what you want... So, to sum up, I'd simply let the firewall machine forward the packets which are destined for port 443 and are originating from the allowed hosts/customers. > > (Another assumption: Opening the firewall for https-traffic on port 443 > is just as dangerous as opening for http-traffic on port 80. Again: > correct me if this isn't true.) this is mainly a question of the protocol spoken at the port and the application behind it, not so much the port number... :) > > I've had a look at Apache-SSL. But some recommend to use Apache and > mod_ssl instead. > > Which one is the best, and which proxy server works best in cooperation > with SSL? at the time I had to make that decision between Apache-SSL and Apache+mod_ssl, I tried both, and both worked well. I then decided to stick with the mod_ssl solution (for some minor reasons) and haven't had any problems since. (But that might not be relevant, anyway.) Hope that clarified things a little... Erdmut -- Erdmut Pfeifer science+computing gmbh -- Bugs come in through open windows. Keep Windows shut! --
