reverse proxying SSL with open source software

From: Paul Boyer <Paul.Boyer@dont-contact.us>
Date: Sun, 07 Nov 1999 17:22:00 +0100

Thanks for the responses.

I got several responses telling me that decrypting SSL on a proxy would be
a lack of security, making it possible for someone "in the middle" to
snoop everything that passes through.
My need was more to make an HTTP server reachable by HTTPS only, via a
reverse proxy handling the SSL part, and passing back to an HTTP server.

But yes, it is true. It _IS_ a security problem of SSL itself, also known
as the "Man in the middle" attack. The only possible way to avoid it
would be that the client could authenticate the server's key, and make
sure it is not an unknown proxy's key that would be untrusted.

There is nothing new in this being a vulnerability. For me, it is a
feature of HTTPS. There are some cases where this could be a useful
feature:

* Add SSL to some web server that can't properly handle it
typically, if you want to make some odd web server reachable from the
Internet, you can handle authentication with your firewall, but would
like to get the whole thing encrypted. That kind of a proxy would be a
great help.
* Enforce the encryption used.
If you have a weak 40bit SSL module on a Web server and want to do
128bit SSL, that would be a great help too.
* Performance :
You can have a farm of web servers doing primarily HTTP, but each can do
some HTTPS for some few pages. They are all using load balancing, etc.
You can simply plug a reverse proxy that handles the HTTPS thing, with
only one single key, and let the web servers do HTTP to the proxy.
* Content-filtering :
typically Anti-virus could be effective on HTTPS downloads, protecting a
company's Internet downloads. Privacy concerns are then ruled by ethics
and security policies. That last use is more controversial because it is
on the client side, not operated by the Web server owner...

There is also a "Bad Thing(tm)" that can be done using this: putting a
reverse https/https proxy in the middle of some innocent E-commerce
connections, and record some sensitive information. This already exists
for sure, I never thought something was doable without soon discovering
someone did it before ;
If it is a bad guy doing it, it is not open source.

HTTPS is _LOW_ protection, for sure, and that can be useful. I want to
use this feature.
I also would be _HAPPY_ to welcome a more robust security for privacy,
and I am thinking of some possibilities that I need to test, but it is
another point.

From what Jeffrey wrote, it seems clearer the proper solution is more on
the Apache side than the Squid one, so maybe this post should go to
another list (any suggestions ?) but I can't believe this has not yet been
done on Squid and/or Apache, since it _IS_ featured on Netscape proxy
AND MS-Proxy.

Just trying to reinvent the wheel.

Thanks,
Paul

Jeffrey Borg wrote:
>
> It could be done in theory look below
>
> On Sat, 6 Nov 1999, Paul Boyer wrote:
>
> > Dave J Woolley wrote:
> > >
> > > > I will try to keep this specific to Squid. My question is: does Squid
> > > > have
> > > > anything at all, whatsoever, to do with SSL requests coming to its own
> > > > SSL port? If the answer is no, then I need to find out about Checkpoint 1
> > > >
> > > As far as I know, squid has no SSL port. It certainly
> > > has no code that can decrypt SSL.
> >
> > MS-Proxy is able to receive a SSL connection, decrypt it by itself, and
> > reverse proxy it to a Web server.
> >
> > MS-proxy uses the IIS ability to do SSL.
> >
> > Now, the question is : What is the solution to get this working on a
> > Linux environment :
> >
> >
> > web client ----HTTPS----> reverse proxy ------HTTP-----> Web server
> >
> > This is the only way I know of to do content filtering on a SSL link.
> >
> > That could also be used for :
> >
> > web server <----HTTPS 1--- ssl/clear content-filtering (Anti Virus)
> > clear/ssl <---HTTPS 2-----
> >
> > HTTPS 1 and HTTPS 2 _DO_NOT_ share the same key.
> >
> > Does anyone have a clue on how such kind of a solution can be built on
> > Linux, using Squid, Apache, or any other GPL tool ?
>
> A) in apache alias everything to the one script (not sure how its done but
> it's doable - if you ask I can find out as I do it for a web redirection)
> B) you then need a script which passes to another web server exactly the
> GET/POST/WHATEVER METHOD THAT IS USED + headers you want passed thru to
> form a new http request to a backend server - then whatever it returns
> you return. (it could be written as an apache module too = faster?)
> (if you want to pass 404's and the like thru as well use a nph-scriptname
> to do that job for you as you can specify all the headers.)
>
> That would be pretty much it, BUT it would be far easier to install
> mod_ssl (unless it's a specialised web server which does not do ssl) on
> the backend web server and use some tcp plug to pipe traffic on port 443
> to the backend server.
>
> basically the point is that wherever it is going to be decrypted you will
> need a web server capable of talking ssl.
>
> (as far as trying to do content filtering in the proxy forget it ssl
> can not be snooped upon (otherwise it wouldn't be secure :-))
>
> Jeff
Received on Sun Nov 07 1999 - 09:33:24 MST
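
The layout asked about in this thread (web client, HTTPS to a reverse proxy, HTTP to the web server), sketched as an added Apache httpd 2.4 configuration. It is not from the original posts; the hostname, certificate paths and backend address are placeholders, and it assumes mod_ssl, mod_proxy, mod_proxy_http and mod_headers are loaded.

```apache
# Added example: TLS-terminating reverse proxy in front of a plain-HTTP server.
# www.example.com, the file paths and 127.0.0.1:8080 are placeholders.
<VirtualHost *:443>
    ServerName www.example.com

    # The proxy holds the single certificate and private key; the backend
    # web servers need no SSL support at all.
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Encryption strength is enforced here, independent of what the
    # backend could negotiate on its own.
    SSLProtocol         -all +TLSv1.2 +TLSv1.3
    SSLCipherSuite      HIGH:!aNULL:!MD5:!RC4:!3DES
    SSLHonorCipherOrder on

    # Reverse proxy only: never act as an open forward proxy.
    ProxyRequests     off
    ProxyPreserveHost on

    # Decrypted requests go to the backend as plain HTTP, and redirects
    # issued by the backend are rewritten to the public HTTPS name.
    ProxyPass        / http://127.0.0.1:8080/
    ProxyPassReverse / http://127.0.0.1:8080/

    # Tell the backend the original request arrived over HTTPS so it can
    # build correct links and mark cookies as secure.
    RequestHeader set X-Forwarded-Proto "https"
</VirtualHost>
```

The hop from the proxy to the backend is cleartext, so the backend should listen only on loopback or a trusted network segment and should not be reachable from clients directly.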
