Can apache mod_cache cache responses for an https-only resource if apache terminates the ssl connection?

Trevor Giddings asked:

If an apache server is acting as a reverse-proxy that terminates the ssl connection, is it able to cache responses? I know that the encrypted responses with ssl cannot themselves be cached, but if apache terminates the ssl connection, it should have access to the unencrypted responses. For clarification, the current apache configuration for the site is as follows:

<VirtualHost *:80>
    Redirect permanent /
<VirtualHost *:443>
    SSLEngine On
    SSLCertificateFile /etc/letsencrypt/live/
    SSLCertificateKeyFile /etc/letsencrypt/live/$
    ProxyRequests Off
    ProxyPass "/" ""
    ProxyPassReverse /

noting that the ProxyPass directive proxies to http and not https. Can I add caching in this scenario? If so, can I do it with the same configuration as with normal http caching, or is there something special I need to do? Also, feel free to point out if there are any big security holes in the configuration I posted.

Edit: would the answer be the same if proxied to another server via https with SSLProxyEngine?

My answer:

I don’t see why not, but your web application needs to be very explicit with Cache-Control headers. While the default for http is to cache, the default for https is not to cache (note that these are not official, but what browsers commonly do). If your app relies on the default behavior and does not set Cache-Control appropriately on every response then you may find strange things happen when you switch to https.

View the full question and any other answers on Server Fault.

Creative Commons License
This work is licensed under a Creative Commons Attribution-ShareAlike 3.0 Unported License.