How apache reverse proxy can be configured without breaking the https tunnel between client & server?

Question

I have configured apache reverse proxy. In that configuration https connection is possible between client to reverse proxy and again reverse proxy to server. But I want https connection between client to server like forward proxy. The https connection should not be broken at reverse proxy.

     Https tunnel                   New Https tunnel
    <===============>             <===================>

Client-----------------------Apache Reverse proxy ----------------------------Server

Above solution is not desirable.

                  Https Tunnel
   <========================================>

Client--------------------Apache Reverse proxy ----------------Server

Above solution is desirable.

If end to end https tunnel is not possible in reverse proxy then how can it be ensured that ssl proxying option is safe and even the Reverse proxy administrator(if reverse proxy got compromised) can not decrypt the tunnel or man in middle attack can't be done.

Answer 1

You can't. Because HTTPS by design guarantees that the sender is talking to the receiver via certificates. Your proxy here would be "the man in the middle" :-)

See http://en.wikipedia.org/wiki/Reverse_proxy

In the case of secure websites, a web server may not perform SSL encryption itself, but instead offloads the task to a reverse proxy that may be equipped with SSL acceleration hardware. (See SSL termination proxy.)

What you can do

Client------Apache Reverse proxy----SC--------------SS---------Server
            HTTPS                           SSL           HTTP        
            (listen to 443)          

Where SC = Stunnel Client and SS = Stunnel Server

SC must run in the same machine as your apache reverse proxy, while SS must run in your server target.