[Ach] Reverse proxies / HTTPS frontend servers.
L. Aaron Kaplan
kaplan at cert.at
Wed Nov 20 00:32:58 CET 2013
On Nov 19, 2013, at 12:27 PM, Oliver J. Morais <oliver.morais at gmail.com> wrote:
> Hi folks,
> let me introduce myself: My name is Oliver and I work in the
> IT department of a large hospital.
>
> I'd like to introduce a section concerning reverse-proxies used
> as HTTPS frontend servers, especially for "Pound". (See
> http://www.apsis.ch/pound or https://help.ubuntu.com/community/Pound)
>
How common is "pound" ?
How many people use it?
> Below you'll find a (very simple) example config where HTTPS sessions
> are terminated on the reverse proxy using TLSv1.2/AES256 and then
> forwarded as HTTP to a backend server.
>
> ## HTTPS Listener
> ListenHTTPS
>     Address   10.10.0.10
>     Port      443
>     AddHeader "Front-End-Https: on"
>     Cert      "/path/to/your/cert.pem"
>     ## See 'man ciphers'.
>     Ciphers   "+TLSv1.2:!SSLv3:!SSLv2:AES256:!aNULL:!eNULL:!NULL"
>     Service
>         BackEnd
>             Address 10.20.0.10
>             Port    80
>         End
>     End
> End
>
> The configuration shown above leads to the following output:
> $ nmap --script ssl-enum-ciphers -p 443 10.10.0.10
^^^^^^^^^^^^^^^^^ IMHO *that* nmap trick should be in the tools section :)
Nice! Didn't know that one yet.
> [...]
> PORT    STATE SERVICE
> 443/tcp open  https
> | ssl-enum-ciphers:
> |   TLSv1.2
> |     Ciphers (4)
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
> |       TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
> |       TLS_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
> |     Compressors (1)
> |       NULL
Looks good upon first inspection.
> |_    Least strength = unknown strength
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
---
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
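Added example (editor-supplied illustration, not code from the post, from Pound or from nmap): Pound passes its Ciphers "..." string to OpenSSL unchanged, and Python's ssl module wraps the same OpenSSL cipher-string parser, so the posted string can be expanded offline on any host with OpenSSL before the proxy goes live, and the quoted nmap listing can be re-checked against the same policy (forward secrecy of the key exchange, AEAD versus CBC-with-HMAC). The PFS_ONLY string, the function names and the copied NMAP_OUTPUT sample are assumptions of this example; exactly which suites OpenSSL enables for a given string depends on the OpenSSL build on the host that runs the script.

```python
"""Audit an OpenSSL cipher string (as used by Pound) and an nmap ssl-enum-ciphers listing.

Editor-added example; not from the mailing-list post, from Pound or from nmap.
"""
import re
import ssl

# The Ciphers string from the posted Pound config.
POSTED = "+TLSv1.2:!SSLv3:!SSLv2:AES256:!aNULL:!eNULL:!NULL"

# Assumed alternative with the same AES-256-only intent, limited to ephemeral
# (EC)DH key exchange so that every enabled suite has forward secrecy.
# This is the example's illustration, not a recommendation from the post.
PFS_ONLY = "ECDHE+AES256:DHE+AES256:!aNULL:!eNULL:!MD5"

# The nmap lines quoted in the post, copied here as constructed sample input.
NMAP_OUTPUT = """\
|   TLSv1.2
|     Ciphers (4)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
|     Compressors (1)
|       NULL
"""


def expand(cipher_string):
    """Return the suites (TLS 1.2 and below) that OpenSSL enables for a cipher string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing at all matches
    # TLS 1.3 suites are governed by a separate setting, not by this string.
    return [c for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def key_exchange(cipher):
    """Key-exchange algorithm from OpenSSL's 'Kx=' field, e.g. 'RSA', 'DH', 'ECDH'."""
    m = re.search(r"Kx=(\S+)", cipher["description"])
    return m.group(1) if m else "unknown"


def audit_cipher_string(cipher_string):
    """Classify every enabled suite: no forward secrecy, and non-AEAD (CBC + HMAC)."""
    enabled, no_pfs, non_aead = [], [], []
    for c in expand(cipher_string):
        enabled.append(c["name"])
        if key_exchange(c) not in ("DH", "ECDH"):  # static RSA and friends
            no_pfs.append(c["name"])
        if "Mac=AEAD" not in c["description"]:  # CBC mode with an HMAC
            non_aead.append(c["name"])
    return {"enabled": enabled, "no_pfs": no_pfs, "non_aead": non_aead}


IANA_SUITE = re.compile(r"\b(TLS_[A-Z0-9_]+)\b")


def audit_nmap_output(text):
    """Apply the same two checks to the IANA suite names in ssl-enum-ciphers output."""
    suites = IANA_SUITE.findall(text)
    # Only DHE/ECDHE key exchange gives forward secrecy; TLS_RSA_* and
    # static TLS_ECDH_* do not.
    no_pfs = [s for s in suites if "_DHE_" not in s and "_ECDHE_" not in s]
    non_aead = [s for s in suites if "_CBC_" in s]
    return {"enabled": suites, "no_pfs": no_pfs, "non_aead": non_aead}


if __name__ == "__main__":
    for label, s in (("posted", POSTED), ("pfs-only", PFS_ONLY)):
        r = audit_cipher_string(s)
        print(f"{label}: {len(r['enabled'])} suites; no PFS: {r['no_pfs']}; "
              f"non-AEAD: {r['non_aead']}")
    print("nmap:", audit_nmap_output(NMAP_OUTPUT))
```

Run it on the build host before deploying a Ciphers line; the offline expansion shows every suite the string admits, while the nmap audit confirms what the live listener actually offers. Parsing the description's Kx= field rather than relying on the 'kea' key keeps the script working on older Python/OpenSSL builds. Note that the 2013-era nmap output reports "unknown strength"; newer nmap releases grade each suite instead, but the suite names are unchanged, so the same regex applies.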