[Ach] Reverse proxies / HTTPS frontend servers.

L. Aaron Kaplan kaplan at cert.at
Wed Nov 20 00:32:58 CET 2013


On Nov 19, 2013, at 12:27 PM, Oliver J. Morais <oliver.morais at gmail.com> wrote:

> Hi folks,
> let me introduce myself: My name is Oliver and I work in the
> IT-department of a large hospital.
> 
> I'd like to introduce a section concerning reverse-proxies used
> as HTTPS frontend servers, especially for "Pound". (See
> http://www.apsis.ch/pound or https://help.ubuntu.com/community/Pound)
> 

How common is "pound" ?
How many people use it?


> Below you'll find a (very simple) example config where HTTPS sessions
> are terminated on the reverse proxy using TLSv1.2/AES256 and then 
> forwarded as HTTP to a backend server.
> 
> ## HTTPS Listener
> ListenHTTPS
>    Address      10.10.0.10
>    Port         443
>    AddHeader    "Front-End-Https: on"
>    Cert         "/path/to/your/cert.pem"
>    ## See 'man ciphers'.
>    Ciphers     "+TLSv1.2:!SSLv3:!SSLv2:AES256:!aNULL:!eNULL:!NULL"
>    Service
>        BackEnd
>            Address 10.20.0.10
>            Port 80
>        End
>    End
> End
> 
> The configuration shown above leads to the following output:
> $ nmap --script ssl-enum-ciphers -p 443 10.10.0.10

^^^^^^^^^^^^^^^^^ IMHO *that* nmap trick should be in the tools section :)
Nice! Didn't know that one yet.


> [...]
> PORT    STATE SERVICE
> 443/tcp open  https
> | ssl-enum-ciphers: 
> |   TLSv1.2
> |     Ciphers (4)
> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
> |       TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
> |       TLS_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
> |     Compressors (1)
> |       NULL

Looks good upon first inspection.

> |_  Least strength = unknown strength
> _______________________________________________
> Ach mailing list
> Ach at lists.cert.at
> http://lists.cert.at/cgi-bin/mailman/listinfo/ach

--- 
// L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
// CERT Austria - http://www.cert.at/
// Eine Initiative der nic.at GmbH - http://www.nic.at/
// Firmenbuchnummer 172568b, LG Salzburg
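The thread recommends checking a TLS-terminating reverse proxy with `nmap --script ssl-enum-ciphers`, but the quoted output rates every suite as "unknown strength", so the reader still has to judge it by hand. The script below is an added example, not code from the thread or from the Pound project: it parses the text layout nmap prints (protocol / Ciphers / Compressors blocks) and applies the checks a defender would apply to the result, flagging legacy protocol versions, suites without forward secrecy (plain `TLS_RSA_*` key exchange), CBC-mode suites where an AEAD alternative exists, known-weak algorithms, and any TLS compressor other than `NULL`. The sample output is constructed to mirror the quoted nmap result with a deliberately bad extra protocol block so that every check fires; the thresholds are my own choices, not something the list agreed on.

```python
"""Parse `nmap --script ssl-enum-ciphers` text output and audit the result.

Added example; the sample output below is constructed, not captured from the
host discussed on the list. Suite names are the IANA names nmap prints.
"""

# Constructed sample: the TLSv1.2 block mirrors the thread's quoted output,
# the TLSv1.0 block and the DEFLATE compressor are added so the audit has
# something to flag.
SAMPLE_NMAP_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.0
|     Ciphers (1)
|       TLS_RSA_WITH_RC4_128_SHA - strong
|     Compressors (1)
|       NULL
|   TLSv1.2
|     Ciphers (4)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
|     Compressors (2)
|       NULL
|       DEFLATE
|_  Least strength = unknown strength
"""

# Protocol versions that should not be offered by a hardened frontend.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1.0", "TLSv1.1"}

# Substrings that identify broken or deprecated primitives in a suite name.
WEAK_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_MD5")


def parse_enum_ciphers(text):
    """Return {protocol: {"ciphers": [...], "compressors": [...]}}.

    The parser keys on the indentation nmap uses: protocol names sit three
    spaces after the leading '|', section headers five, list items seven.
    """
    result = {}
    proto = section = None
    for raw in text.splitlines():
        if not raw.startswith("|") or raw.startswith("|_"):
            continue                      # not part of the script block, or its last line
        body = raw[1:]
        indent = len(body) - len(body.lstrip(" "))
        token = body.strip()
        if not token:
            continue
        if indent == 3:                   # e.g. "|   TLSv1.2"
            proto = token
            result[proto] = {"ciphers": [], "compressors": []}
            section = None
        elif indent == 5 and proto:       # e.g. "|     Ciphers (4)"
            if token.startswith("Ciphers"):
                section = "ciphers"
            elif token.startswith("Compressors"):
                section = "compressors"
            else:
                section = None
        elif indent == 7 and proto and section:   # e.g. "|       TLS_... - strength"
            result[proto][section].append(token.split(" - ")[0])
    return result


def audit(findings):
    """Return a list of human-readable issues found in parsed nmap output."""
    issues = []
    for proto, data in findings.items():
        if proto in LEGACY_PROTOCOLS:
            issues.append(f"{proto}: legacy protocol enabled")
        for suite in data["ciphers"]:
            if any(m in suite for m in WEAK_MARKERS):
                issues.append(f"{proto}: weak cipher suite {suite}")
            # Only (EC)DHE key exchange gives forward secrecy; plain RSA
            # key transport exposes all recorded sessions if the key leaks.
            if not suite.startswith(("TLS_DHE_", "TLS_ECDHE_")):
                issues.append(f"{proto}: no forward secrecy in {suite}")
            if "_CBC_" in suite:
                issues.append(f"{proto}: CBC-mode suite {suite} (prefer AEAD/GCM)")
        for comp in data["compressors"]:
            if comp != "NULL":            # TLS compression enables CRIME-style attacks
                issues.append(f"{proto}: TLS compression {comp} enabled")
    return issues


def audit_text(text):
    """Convenience wrapper: parse then audit, for piping nmap output in."""
    return audit(parse_enum_ciphers(text))


if __name__ == "__main__":
    for issue in audit_text(SAMPLE_NMAP_OUTPUT):
        print(issue)
```

Run against the thread's own four-suite result, the script reports nothing about protocol versions or compression, but it does point out that the two `TLS_RSA_WITH_AES_256_*` suites lack forward secrecy and that two of the four are CBC-mode; whether to drop them is a policy decision, but the check makes the trade-off visible instead of hiding it behind "unknown strength".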



