[Ach] Reverse proxies / HTTPS frontend servers.
Oliver J. Morais
oliver.morais at gmail.com
Tue Nov 19 12:27:50 CET 2013
Hi folks,
let me introduce myself: My name is Oliver and I work in the
IT department of a large hospital.
I'd like to introduce a section concerning reverse-proxies used
as HTTPS frontend servers, especially for "Pound". (See
http://www.apsis.ch/pound or https://help.ubuntu.com/community/Pound)
Below you'll find a (very simple) example config where HTTPS sessions
are terminated on the reverse proxy using TLSv1.2/AES256 and then
forwarded as HTTP to a backend server.
## HTTPS Listener
ListenHTTPS
    Address 10.10.0.10
    Port 443
    AddHeader "Front-End-Https: on"
    Cert "/path/to/your/cert.pem"
    ## See 'man ciphers'.
    Ciphers "+TLSv1.2:!SSLv3:!SSLv2:AES256:!aNULL:!eNULL:!NULL"
    Service
        BackEnd
            Address 10.20.0.10
            Port 80
        End
    End
End
The configuration shown above leads to the following output:
$ nmap --script ssl-enum-ciphers -p 443 10.10.0.10
[...]
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (4)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
|     Compressors (1)
|       NULL
|_  Least strength = unknown strength
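The following is an added example, not part of Oliver's message and not code from the Pound project. Pound hands the `Ciphers` string to OpenSSL, so its meaning follows ciphers(1). The script models the four ciphers(1) operators (`!`, `-`, `+` and bare keywords) over a small, constructed catalogue of suites and replays the string from the listener above token by token. Two things become visible that the nmap listing alone does not show: the leading `+TLSv1.2` selects nothing by itself, because `+` only moves suites that are already in the list, so it is `!SSLv3` that strips the older AES-256 CBC/SHA-1 suites and leaves the four TLSv1.2 suites nmap reported; and `AES256` on its own would admit anonymous-DH suites, which `!aNULL` removes. The suite table, the `kx`/`enc`/`mac`/`min_proto` attributes and the helper names are assumptions of this example (a simplified view of OpenSSL's internal list).

```python
"""Simplified evaluator for OpenSSL-style cipher strings (ciphers(1)).

Added example, not from the mailing-list post or from Pound. It applies the
ciphers(1) operators over a small, constructed catalogue of suites so that
the effect of each token in a Pound 'Ciphers' directive can be inspected
offline, without a listener to scan.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Suite:
    iana: str       # IANA name, as printed by nmap's ssl-enum-ciphers
    kx: str         # key exchange / authentication keyword (simplified)
    enc: str        # bulk cipher keyword
    mac: str        # MAC / PRF keyword ("AEAD" for GCM suites)
    min_proto: str  # protocol version the suite was introduced with


# Constructed subset of OpenSSL's internal list; real builds have many more.
SUITES = [
    Suite("TLS_DHE_RSA_WITH_AES_256_GCM_SHA384", "DHE", "AES256", "AEAD", "TLSv1.2"),
    Suite("TLS_DHE_RSA_WITH_AES_256_CBC_SHA256", "DHE", "AES256", "SHA256", "TLSv1.2"),
    Suite("TLS_RSA_WITH_AES_256_GCM_SHA384", "RSA", "AES256", "AEAD", "TLSv1.2"),
    Suite("TLS_RSA_WITH_AES_256_CBC_SHA256", "RSA", "AES256", "SHA256", "TLSv1.2"),
    Suite("TLS_DHE_RSA_WITH_AES_256_CBC_SHA", "DHE", "AES256", "SHA1", "SSLv3"),
    Suite("TLS_RSA_WITH_AES_256_CBC_SHA", "RSA", "AES256", "SHA1", "SSLv3"),
    Suite("TLS_RSA_WITH_AES_128_CBC_SHA", "RSA", "AES128", "SHA1", "SSLv3"),
    Suite("TLS_DH_anon_WITH_AES_256_CBC_SHA", "aNULL", "AES256", "SHA1", "SSLv3"),
    Suite("TLS_RSA_WITH_NULL_SHA", "RSA", "eNULL", "SHA1", "SSLv3"),
]

# The string from the Pound listener in the post.
POUND_CIPHERS = "+TLSv1.2:!SSLv3:!SSLv2:AES256:!aNULL:!eNULL:!NULL"

PROTO_ORDER = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]


def _matches(suite: Suite, keyword: str) -> bool:
    """True if the keyword selects this suite. Simplified: one keyword per
    attribute; NULL is an alias for eNULL, as in ciphers(1)."""
    if keyword == "NULL":
        keyword = "eNULL"
    return keyword in (suite.kx, suite.enc, suite.mac, suite.min_proto)


def trace(cipher_string: str, catalogue=SUITES):
    """Apply the string token by token; return [(token, names_after)].

    Operators follow ciphers(1): '!' removes matches permanently, '-' removes
    them but a later keyword may add them back, '+' only moves matches that
    are already selected to the end, and a bare keyword appends matches that
    are neither selected nor permanently removed (in catalogue order here).
    """
    selected, killed, steps = [], set(), []
    for token in filter(None, cipher_string.split(":")):
        op, keyword = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        hits = [s for s in catalogue if _matches(s, keyword)]
        if op == "!":
            killed.update(hits)
            selected = [s for s in selected if s not in killed]
        elif op == "-":
            selected = [s for s in selected if s not in hits]
        elif op == "+":
            selected = ([s for s in selected if s not in hits]
                        + [s for s in selected if s in hits])
        else:
            selected += [s for s in hits if s not in selected and s not in killed]
        steps.append((token, [s.iana for s in selected]))
    return steps


def evaluate(cipher_string: str, catalogue=SUITES):
    """Final list of IANA suite names the string enables."""
    steps = trace(cipher_string, catalogue)
    return steps[-1][1] if steps else []


def suites_below(cipher_string: str, floor: str = "TLSv1.2", catalogue=SUITES):
    """Enabled suites introduced before `floor`: the check to run before
    reading a leading '+TLSv1.2' as a protocol restriction."""
    by_name = {s.iana: s for s in catalogue}
    return [n for n in evaluate(cipher_string, catalogue)
            if PROTO_ORDER.index(by_name[n].min_proto) < PROTO_ORDER.index(floor)]


if __name__ == "__main__":
    for token, names in trace(POUND_CIPHERS):
        print(f"{token:10s} -> {len(names)} suite(s) selected")
    print("enabled:", evaluate(POUND_CIPHERS))
    # Drop '!SSLv3' and the SHA-1 CBC suites come back; '+TLSv1.2' alone adds nothing.
    print("pre-TLSv1.2 suites without !SSLv3:",
          suites_below("+TLSv1.2:AES256:!aNULL:!eNULL"))
```

Run it and compare `evaluate(POUND_CIPHERS)` with the nmap listing: the same four suites appear (nmap sorts its output alphabetically, so only the order differs). One operational note on the config itself, from a defender's side: the listener forwards plain HTTP and marks it with `Front-End-Https: on`, so the backend should accept that header only on connections arriving from the proxy address, since any client that can reach 10.20.0.10 directly could send the same header.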