SSL, or is it?

By: Ian Winter

Tags:

  • apache
  • coldfusion
  • rails
  • ruby
  • ssl

We manage a number of sites with secure content. Installing SSL certificates and keys on multiple servers becomes a time-consuming annoyance.

To ease this pain we've made use of an SSL decryption module added to our load balancers. With the module we can install the SSL certificate on the load balancer, which decrypts SSL traffic and then passes it on internally as standard HTTP. This reduces the decryption load on the individual web servers, leaving the dedicated module on the load balancer to handle all SSL.

This does, however, raise a problem: if the internal servers see only HTTP traffic, how do they know that some of it should be secure? This matters because our application needs to work securely in areas of the site such as credit card payment. We could check ports, but checking ports isn't ideal. The answer is simple. All you need is a request header set in your Apache config and you're away:

For our Ruby on Rails applications:

RequestHeader set X_FORWARDED_PROTO "https"

For our ColdFusion applications:

RequestHeader set HTTPS "on"

This means with simple header checks we can switch the behaviour of the application easily.
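As an added example (not code from our applications), here is one way the application-side header check could look in Ruby, working on a Rack-style request environment. The address range in TRUSTED_FRONTENDS, the paths in SECURE_PREFIXES and the function names are assumptions made for illustration, as is the assumption that REMOTE_ADDR is the Apache front end that sets the header; the header is only believed when the request arrives from that front end.

```ruby
require 'ipaddr'

# Assumption: address range of the Apache front ends that set the header
# (constructed value, replace with your own internal range).
TRUSTED_FRONTENDS = [IPAddr.new('10.0.0.0/24')].freeze

# Hypothetical policy: paths that must only be served over SSL.
SECURE_PREFIXES = ['/payment', '/account'].freeze

# Rack exposes the request header X_FORWARDED_PROTO as HTTP_X_FORWARDED_PROTO.
# The header is honoured only when the direct peer is a trusted front end,
# so a value sent from anywhere else is ignored.
def forwarded_https?(env, trusted = TRUSTED_FRONTENDS)
  peer = IPAddr.new(env.fetch('REMOTE_ADDR'))
  return false unless trusted.any? { |net| net.include?(peer) }
  env['HTTP_X_FORWARDED_PROTO'].to_s.strip.downcase == 'https'
rescue IPAddr::InvalidAddressError, KeyError
  # Missing or malformed peer address: treat the request as not secure.
  false
end

# Decide what to do with a request: serve it, or send the browser back
# to the load balancer over https when a protected path arrived as plain HTTP.
def route(env)
  path = env['PATH_INFO'].to_s
  needs_ssl = SECURE_PREFIXES.any? { |p| path == p || path.start_with?(p + '/') }
  return [:serve, path] if !needs_ssl || forwarded_https?(env)
  [:redirect, "https://#{env['HTTP_HOST']}#{path}"]
end
```

Because `RequestHeader set` replaces any value the client sent, the header can be relied on wherever the directive is in effect; the peer check covers requests that reach the application by any other route.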


About the Author

Ian Winter

Ian Winter is Head of Technical Operations for Venntro. He manages a team of four engineers who provide 24/7/365 support and are responsible for over 120 physical, virtual, storage and network devices.