[Ach] Reverse proxies / HTTPS frontend servers.
Aaron Zauner
azet at azet.org
Wed Nov 20 01:06:21 CET 2013
On 20 Nov 2013, at 00:32, L. Aaron Kaplan <kaplan at cert.at> wrote:
>
> On Nov 19, 2013, at 12:27 PM, Oliver J. Morais <oliver.morais at gmail.com> wrote:
>
>> Hi folks,
>> let me introduce myself: My name is Oliver and I work in the
>> IT-department of a large hospital.
>>
>> I'd like to introduce a section concerning reverse-proxies used
>> as HTTPS frontend servers, especially for "Pound". (See
>> http://www.apsis.ch/pound or https://help.ubuntu.com/community/Pound)
>>
>
> How common is "pound" ?
> How many people use it?
A lot of people use that. We should include it in the paper, it’s a good product.
I’d include varnish as well - but they chose to exclude TLS stuff on purpose (see: https://www.varnish-cache.org/docs/trunk/phk/ssl.html )
Aaron
>
>
>> Below you'll find a (very simple) example config where HTTPS sessions
>> are terminated on the reverse proxy using TLSv1.2/AES256 and then
>> forwarded as HTTP to a backend server.
>>
>> ## HTTPS Listener
>> ListenHTTPS
>>     Address 10.10.0.10
>>     Port 443
>>     AddHeader "Front-End-Https: on"
>>     Cert "/path/to/your/cert.pem"
>>     ## See 'man ciphers'.
>>     Ciphers "+TLSv1.2:!SSLv3:!SSLv2:AES256:!aNULL:!eNULL:!NULL"
>>     Service
>>         BackEnd
>>             Address 10.20.0.10
>>             Port 80
>>         End
>>     End
>> End
>>
>> The configuration shown above leads to the following output:
>> $ nmap --script ssl-enum-ciphers -p 443 10.10.0.10
>
> ^^^^^^^^^^^^^^^^^ IMHO *that* nmap trick should be in the tools section :)
> Nice! Didn't know that one yet.
>
>
>> [...]
>> PORT    STATE SERVICE
>> 443/tcp open  https
>> | ssl-enum-ciphers:
>> |   TLSv1.2
>> |     Ciphers (4)
>> |       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
>> |       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
>> |       TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
>> |       TLS_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
>> |     Compressors (1)
>> |       NULL
>
> Looks good upon first inspection.
>
>> |_ Least strength = unknown strength
>> _______________________________________________
>> Ach mailing list
>> Ach at lists.cert.at
>> http://lists.cert.at/cgi-bin/mailman/listinfo/ach
>
> ---
> // L. Aaron Kaplan <kaplan at cert.at> - T: +43 1 5056416 78
> // CERT Austria - http://www.cert.at/
> // Eine Initiative der nic.at GmbH - http://www.nic.at/
> // Firmenbuchnummer 172568b, LG Salzburg
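One way to turn the quoted nmap run into a repeatable check on your own frontend (an added example, not code from this thread, from Pound or from nmap): parse the ssl-enum-ciphers script output, then flag anything outside a policy of TLSv1.2 only, forward-secret AEAD (GCM) suites, no legacy primitives and no TLS compression. The scan text is a constructed sample copied from the output quoted above; the policy rules, the function names and the parser's handling of newer nmap output are my assumptions.

```python
import re
from typing import Dict, List

# Constructed sample: the nmap ssl-enum-ciphers output quoted in the thread,
# re-indented the way nmap prints it.
SAMPLE_SCAN = """\
PORT    STATE SERVICE
443/tcp open  https
| ssl-enum-ciphers:
|   TLSv1.2
|     Ciphers (4)
|       TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
|       TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
|       TLS_RSA_WITH_AES_256_CBC_SHA256 - unknown strength
|       TLS_RSA_WITH_AES_256_GCM_SHA384 - unknown strength
|     Compressors (1)
|       NULL
|_  Least strength = unknown strength
"""

# Protocol headings as nmap prints them (SSLv2 through TLSv1.3).
PROTO_RE = re.compile(r"^(SSLv2|SSLv3|TLSv1(\.[0-3])?)$")

# Assumed policy (my choice, not from the thread): TLSv1.2 only, forward
# secrecy, AEAD (GCM) suites, no legacy primitives, no TLS compression.
ALLOWED_PROTOCOLS = ("TLSv1.2",)
PFS_PREFIXES = ("TLS_DHE_", "TLS_ECDHE_")
WEAK_TOKENS = ("_NULL_", "_anon_", "_RC4_", "_DES_", "_3DES_", "_EXPORT", "_MD5")


def parse_enum_ciphers(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each protocol in the scan to its offered ciphers and compressors."""
    result: Dict[str, Dict[str, List[str]]] = {}
    proto = None
    section = None
    for raw in text.splitlines():
        if not raw.startswith("|"):
            continue                      # skip the PORT/STATE table lines
        line = raw.lstrip("|_ ").strip()  # drop nmap's "|   " / "|_  " prefix
        if not line:
            continue
        if PROTO_RE.match(line):
            proto = line
            result[proto] = {"ciphers": [], "compressors": []}
            section = None
        elif line.startswith("Ciphers"):
            section = "ciphers"
        elif line.startswith("Compressors"):
            section = "compressors"
        elif line.lower().startswith(("cipher preference", "warnings", "least strength")):
            section = None                # newer nmap sections not graded here
        elif proto and section:
            # "TLS_X - unknown strength" (old nmap) or "TLS_X (dh 2048) - A" (newer)
            result[proto][section].append(line.split()[0])
    return result


def evaluate(parsed: Dict[str, Dict[str, List[str]]],
             allowed_protocols=ALLOWED_PROTOCOLS) -> List[str]:
    """Return one human-readable finding per policy violation."""
    findings: List[str] = []
    for proto, info in parsed.items():
        if proto not in allowed_protocols:
            findings.append(f"{proto}: protocol offered but not in policy")
        for cipher in info["ciphers"]:
            if not cipher.startswith(PFS_PREFIXES):
                findings.append(f"{proto}: {cipher} has no forward secrecy")
            if "_CBC_" in cipher:
                findings.append(f"{proto}: {cipher} is CBC, not an AEAD suite")
            if any(tok in cipher for tok in WEAK_TOKENS):
                findings.append(f"{proto}: {cipher} uses a legacy primitive")
        for comp in info["compressors"]:
            if comp != "NULL":
                findings.append(f"{proto}: TLS compression {comp} is enabled")
    return findings


if __name__ == "__main__":
    for finding in evaluate(parse_enum_ciphers(SAMPLE_SCAN)):
        print(finding)
```

Run against the quoted scan it reports four findings: the two TLS_RSA_ suites have no forward secrecy and the two CBC suites are not AEAD, which is the kind of detail the "unknown strength" grading hides. Feeding it the output of a real run (`nmap --script ssl-enum-ciphers -p 443 <host>` from the thread) gives the same check after every config change.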