Make lighttpd (lighty) proxy forward HTTPS requests based on Server Name Indication and without returning an SSL cert

StackOverflow https://stackoverflow.com/questions/11588918

Question

I am currently using lighty as a load-balancing reverse-proxy for two different webapps running on a small farm of HTTP servers:

  • roundrobin(URL_1) => Server_Group_1
  • roundrobin(URL_2) => Server_Group_2

I want to convert the HTTP servers to HTTPS servers. URL_1 has CERT_1 and URL_2 has CERT_2. Unlike many people, I do not want to serve certificates from the front-end proxy. I want the front-end proxy to pass the HTTPS requests to secondary proxies: Proxy_1 (serves CERT_1) and Proxy_2 (serves CERT_2).

This should be possible with SNI (Server Name Indication). But everything I have read about SNI gives the example of the front-end proxy serving both certs. I do not want to put both of my certs on the front-end proxy. Call me crazy, but I actually want to hold the certs closer to the apps.

This might seem like a lot of trouble for two URLs. It is. My real case involves dozens of URLs. So it might seem silly not to store all the certs in one place. But there are 'organizational considerations' which make it advantageous to administer them separately.

So basically, I want to use SNI for pure forwarding and defer SSL termination to downstream.

Thanks for reading. I expect to learn a lot from this!


Solution

What you're trying to do doesn't rely on an HTTP reverse proxy but on a reverse proxy at the TCP connection level, with the additional capability of being able to recognise an SSL/TLS Client Hello, look for the Server Name extension and dispatch accordingly.

I realise this isn't quite the answer you're looking for, but I wouldn't look at HTTP servers for this.

It looks like this project might be able to do this (I haven't tried).
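The mechanism the answer describes, as an added illustration that is not part of the original post or of any project it mentions: a TCP-level front end has to read the first TLS record from the client, check that it is a handshake record carrying a ClientHello, walk the extension list to the server_name extension (type 0), and pick a backend from the host_name it finds. The bytes it read must then be sent on to that backend unchanged, because the handshake continues with the backend's certificate, not the front end's. The backend map, the hostnames, and the `build_client_hello` helper that fabricates a minimal ClientHello so the parser can be exercised offline are all assumptions made for this example. Two failure modes matter in practice and are handled below: a ClientHello with no SNI at all (older clients, or an IP-address connection) gives you nothing to route on, and a first read that stops short of the full record must wait for more data rather than be parsed as if complete. Note also that Encrypted Client Hello (ECH) hides the real name from exactly this kind of inspection; the plaintext SNI this code relies on is still what TLS 1.2 and 1.3 clients send without ECH.

```python
import struct

# Constructed routing table for the two apps in the question (hypothetical hosts).
BACKENDS = {
    "app1.example.com": ("proxy-1.internal", 443),  # Proxy_1 serves CERT_1
    "app2.example.com": ("proxy-2.internal", 443),  # Proxy_2 serves CERT_2
}

TLS_HANDSHAKE = 0x16   # record content type: handshake
CLIENT_HELLO = 0x01    # handshake message type
EXT_SERVER_NAME = 0x0000


class NeedMoreData(Exception):
    """The buffer does not yet hold the whole first TLS record; keep reading."""


def extract_sni(data: bytes):
    """Return the host_name from a TLS ClientHello, or None if it carries no SNI.

    Raises ValueError if `data` is not a TLS handshake record (e.g. plain HTTP)
    or is malformed, and NeedMoreData if the record is still incomplete.
    """
    if len(data) < 5:
        raise NeedMoreData
    ctype, ver_major, _ver_minor, rec_len = struct.unpack("!BBBH", data[:5])
    if ctype != TLS_HANDSHAKE or ver_major != 3:
        raise ValueError("not a TLS handshake record")
    if len(data) < 5 + rec_len:
        raise NeedMoreData
    body = data[5:5 + rec_len]
    try:
        if body[0] != CLIENT_HELLO:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            raise NeedMoreData  # ClientHello split across records: legal, rare
        pos = 2 + 32                                     # client_version + random
        pos += 1 + hello[pos]                            # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                            # compression_methods
        if pos >= len(hello):
            return None  # no extensions block at all
        ext_total = struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        end = pos + ext_total
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype != EXT_SERVER_NAME:
                continue
            # ServerNameList: list_len(2) then entries of name_type(1) len(2) name
            list_len = struct.unpack("!H", edata[:2])[0]
            p = 2
            while p + 3 <= 2 + list_len:
                ntype, nlen = struct.unpack("!BH", edata[p:p + 3])
                p += 3
                name = edata[p:p + nlen]
                p += nlen
                if ntype == 0:  # host_name
                    return name.decode("ascii")
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def choose_backend(data: bytes):
    """Map the first client bytes to a (host, port) backend, or None to refuse.

    No SNI or an unknown name yields None: the front end has no certificate of
    its own, so guessing a backend would just hand the client the wrong cert.
    """
    name = extract_sni(data)
    if name is None:
        return None
    return BACKENDS.get(name.lower().rstrip("."))


def build_client_hello(server_name=None) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello for offline testing (assumption)."""
    exts = b""
    if server_name is not None:
        name = server_name.encode("ascii")
        entry = struct.pack("!BH", 0, len(name)) + name
        sn_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    hello = b"\x03\x03" + bytes(32)                  # version + zero random
    hello += b"\x00"                                 # empty session_id
    hello += struct.pack("!H", 2) + b"\xc0\x2f"      # one cipher suite
    hello += b"\x01\x00"                             # compression: null only
    if exts:
        hello += struct.pack("!H", len(exts)) + exts
    hs = bytes([CLIENT_HELLO]) + len(hello).to_bytes(3, "big") + hello
    return bytes([TLS_HANDSHAKE, 3, 1]) + struct.pack("!H", len(hs)) + hs
```

In a real front end you would accumulate bytes from the client socket until `extract_sni` stops raising `NeedMoreData`, connect to the backend `choose_backend` returns, write the buffered bytes to it verbatim, and then copy bytes in both directions without touching them; the front end never sees plaintext and never needs a certificate, which is exactly the separation the question asks for.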

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow