Context

  • We currently have an Apache web server in the DMZ set up as a reverse proxy and load balancer for two machines running Windows Server 2008 (IIS) inside.
  • The Apache server has a genuine SSL certificate and serves up both http and https; however, the balancer members in the load balancing section are set to: BalancerMember {https://server1} and {https://server2}.
  • The IIS web servers have self-signed certificates in order to respond to the https requests.

My question: Do we need to forward any requests from Apache (in the DMZ) to the inside using SSL?

E.g., can the reverse proxy forward the requests using HTTP? And if so, why would I choose to forward them with SSL? (How secure is the HTTP line between the DMZ and the inside?)

In other words, can I totally disable SSL on my inside web servers?

1 Answer

Yes, there's no reason you can't disable SSL between the proxy/LB and the IIS servers, and remove SSL from the IIS servers. Whether you should or not does depend on how much you trust your local network between the DMZ and the IIS.

  • That's correct. However, some web applications may try to detect whether the connection is HTTPS. If so, you may need to do something to fake out the load-balanced member into believing that the original request was made over HTTPS. Commented Dec 18, 2012 at 4:22
  • @200_success Valid point; if the code running on the server varies its behaviour depending on whether the connection is HTTP/HTTPS then you may need to connect the same way as the client is connecting to the LB to ensure consistent behaviour. Commented Dec 18, 2012 at 5:39
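
The two options discussed in the answer and comments, as an added Apache configuration example (not the asker's configuration and not posted by anyone in this thread): Option A ends TLS at the proxy and passes the original scheme to IIS in a header, Option B keeps HTTPS to IIS and verifies the self-signed certificates. It assumes Apache 2.4 syntax; `www.example.com`, the file paths and the balancer names are placeholders, and an application that reads `X-Forwarded-Proto` is an assumption.

```apache
# Added example. Enable only ONE of the two virtual hosts.
# Needs mod_ssl, mod_proxy, mod_proxy_http, mod_proxy_balancer, mod_headers
# and an lbmethod module. Hostnames and paths are placeholders.

# --- Option A: TLS ends at the proxy, plain HTTP to the IIS servers ---
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key

    <Proxy balancer://iis-http>
        BalancerMember http://server1
        BalancerMember http://server2
    </Proxy>

    ProxyPreserveHost On
    # Overwrite (never append to) the header so a client-supplied value
    # cannot reach the application; it tells IIS the client used HTTPS.
    RequestHeader set X-Forwarded-Proto "https"
    ProxyPass        / balancer://iis-http/
    ProxyPassReverse / balancer://iis-http/
</VirtualHost>

# --- Option B: HTTPS to the IIS servers, self-signed certs verified ---
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/apache2/ssl/www.example.com.crt
    SSLCertificateKeyFile /etc/apache2/ssl/www.example.com.key

    SSLProxyEngine on
    # PEM file holding the two self-signed IIS certificates (exported copies).
    SSLProxyCACertificateFile /etc/apache2/ssl/iis-backends.pem
    # Without verification the backend link is encrypted but unauthenticated.
    SSLProxyVerify require
    # Certificate names must match server1 / server2 as written below.
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    <Proxy balancer://iis-https>
        BalancerMember https://server1
        BalancerMember https://server2
    </Proxy>

    ProxyPreserveHost On
    ProxyPass        / balancer://iis-https/
    ProxyPassReverse / balancer://iis-https/
</VirtualHost>
```

With Option A, the IIS servers should accept connections only from the proxy, because any other host that can reach them can send the same header.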
