Public key of a host operating behind a reverse proxy is associated with the proxy's Host Identity in a Host Identity Protocol session

摘要

Utilising the normal Host Identity Protocol (HIP) it is difficult to establish a secure session with a host operating from behind a reverse proxy, such as a server in a web cluster. To overcome this the host sends its public key to the reverse proxy, which then binds the key to its own host identity (HI). An external host will then establish a communication link with the reverse proxy's HI using the original host's public key. The reverse proxy forwards these message to the original host, which deals with them in the normal fashion, except that replies are also directed to the reverse proxy's HI, with the reverse proxy forwarding the communication after replacing the original host's signature with its own. This arrangement allows the establishment of a secure HIP session between the hosts without the need for the reverse proxy to de/re-encrypt the communications.