[Ach] Reverse proxies / HTTPS frontend servers.

Aaron Zauner azet at azet.org
Wed Nov 20 01:06:21 CET 2013


On 20 Nov 2013, at 00:32, L. Aaron Kaplan <kaplan at cert.at> wrote:

> 
> On Nov 19, 2013, at 12:27 PM, Oliver J. Morais <oliver.morais at gmail.com> wrote:
> 
>> Hi folks,
>> let me introduce myself: My name is Oliver and I work in the
>> IT-department of a large hospital.
>> 
>> I'd like to introduce a section concerning reverse-proxies used
>> as HTTPS frontend servers, especially for "Pound". (See
>> http://www.apsis.ch/pound or https://help.ubuntu.com/community/Pound)
>> 
> 
> How common is "pound" ?
> How many people use it?
A lot of people use that. We should include it in the paper, it’s a good product.

I’d include varnish as well - but they chose to exclude TLS stuff on purpose (see: https://www.varnish-cache.org/docs/trunk/phk/ssl.html )

Aaron

> 
> 
>> Below you'll find a (very simple) example config where HTTPS sessions
>> are terminated on the reverse proxy using TLSv1.2/AES256 and then 
>> forwarded as HTTP to a backend server.
>> 
>> ## HTTPS Listener
>> ListenHTTPS
>>   Address      10.10.0.10
>>   Port         443
>>   AddHeader    "Front-End-Https: on"
>>   Cert         "/path/to/your/cert.pem"
>>   ## See 'man ciphers'.
>>   Ciphers     "+TLSv1.2:!SSLv3:!SSLv2:AES256:!aNULL:!eNULL:!NULL"
>>   Service
>>       BackEnd
>>           Address 10.20.0.10
>>           Port 80
>>       End
>>   End
>> End
>> 
>> The configuration shown above leads to the following output:
>> $ nmap --script ssl-enum-ciphers -p 443 10.10.0.10
> 
> ^^^^^^^^^^^^^^^^^ IMHO *that* nmap trick should be in the tools section :)
> Nice! Didn't know that one yet.
> 
> 
>> [...]
>> PORT    STATE SERVICE
>> 443/tcp open  https
>> | ssl-enum-ciphers: 
>> |   TLSv1.2
>> |     Ciphers (4)
>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
>> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
>> |       TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
>> |       TLS_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
>> |     Compressors (1)
>> |       NULL
> 
> Looks good upon first inspection.
> 
>> |_  Least strength = unknown strength
>> _______________________________________________
>> Ach mailing list
>> Ach at lists.cert.at
>> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
> 
> --- 
> // L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
> // CERT Austria - http://www.cert.at/
> // Eine Initiative der nic.at GmbH - http://www.nic.at/
> // Firmenbuchnummer 172568b, LG Salzburg
> 

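The `nmap --script ssl-enum-ciphers` check quoted above is the right tool, but the nmap version used in the thread reports every suite as "unknown strength", so the listing still has to be rated by hand. The script below is an added example for this thread, not code from the original post, from Pound or from nmap: it parses the script's plain-text table and applies its own explicit rules (legacy protocol version, key exchange without forward secrecy, CBC mode, known-broken ciphers, TLS compression). `SAMPLE_OUTPUT` is a constructed copy of the listing posted above; the rating rules are the example's own, not nmap's.

```python
"""Rate the suites reported by `nmap --script ssl-enum-ciphers`.

Added example for this thread, not code from the original post, from
Pound or from nmap. The nmap version quoted in the thread labels every
suite "unknown strength", so this script applies its own explicit rules
to the listing: legacy protocol version, key exchange without forward
secrecy, CBC mode, known-broken ciphers, and TLS compression (CRIME).
SAMPLE_OUTPUT is a constructed copy of the listing posted in the thread.
"""
import re
from dataclasses import dataclass

SAMPLE_OUTPUT = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (4)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
|     Compressors (1)
|       NULL
|_  Least strength = unknown strength
"""

PROTO_RE = re.compile(r"^(SSLv[23]|TLSv1(?:\.[0-9])?):?$")
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.0"}
BROKEN_TAGS = ("_NULL_", "_RC4_", "_DES_", "3DES", "EXPORT", "anon")


@dataclass
class Finding:
    protocol: str
    subject: str      # suite name or "compressor <name>"
    issues: list      # empty list means nothing flagged


def parse_enum_ciphers(text):
    """Turn the script's plain-text table into {protocol: {ciphers, compressors}}."""
    result, proto, section = {}, None, None
    for raw in text.splitlines():
        line = raw.lstrip("|_ ").strip()          # drop nmap's "|" / "|_" gutter
        if not line or line.startswith(("ssl-enum-ciphers", "Least strength")):
            continue
        m = PROTO_RE.match(line)
        if m:
            proto = m.group(1)
            result[proto] = {"ciphers": [], "compressors": []}
            section = None
            continue
        if proto is None:
            continue                              # port banner lines before the table
        if line.lower().startswith("ciphers"):
            section = "ciphers"
        elif line.lower().startswith("compressors"):
            section = "compressors"
        elif section == "ciphers" and line.startswith(("TLS_", "SSL_")):
            # "<suite> - <strength>"; newer nmap adds "(dh 1024)" before the dash
            result[proto]["ciphers"].append(line.split(" - ")[0].split()[0])
        elif section == "compressors" and re.fullmatch(r"[A-Za-z0-9_]+", line):
            result[proto]["compressors"].append(line)
    return result


def rate_suite(protocol, suite):
    """Return the list of problems found with one suite (empty if acceptable)."""
    issues = []
    if protocol in LEGACY_PROTOCOLS:
        issues.append("legacy protocol %s" % protocol)
    kx = suite.split("_WITH_")[0]                 # e.g. TLS_RSA, TLS_DHE_RSA
    if "DHE" not in kx:                           # only DHE / ECDHE give forward secrecy
        issues.append("no forward secrecy (%s)" % kx)
    if "_CBC_" in suite:
        issues.append("CBC mode (prefer AEAD/GCM)")
    if any(tag in suite for tag in BROKEN_TAGS):
        issues.append("broken cipher or unauthenticated key exchange")
    return issues


def audit(text):
    """Parse nmap output and rate every suite and compressor it lists."""
    findings = []
    for proto, data in parse_enum_ciphers(text).items():
        for suite in data["ciphers"]:
            findings.append(Finding(proto, suite, rate_suite(proto, suite)))
        for comp in data["compressors"]:
            issues = [] if comp.upper() == "NULL" else ["TLS compression enabled (CRIME)"]
            findings.append(Finding(proto, "compressor " + comp, issues))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_OUTPUT):
        print("%-8s %-40s %s" % (f.protocol, f.subject, "; ".join(f.issues) or "ok"))
```

Run against the posted listing, the two `TLS_RSA_*` suites are flagged for lacking forward secrecy and the two `_CBC_` suites for not being AEAD, while `TLS_DHE_RSA_WITH_AES_256_GCM_SHA384` and the `NULL` compressor pass; pipe real `nmap` output into `audit()` instead of `SAMPLE_OUTPUT` to rate a live frontend.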
