Re: Haproxy+Nginx SSL Insecurities

From: XANi <xani666#gmail.com>
Date: Sat, 03 Jul 2010 18:56:37 +0200


I've done something similar (don't remember config details now, sorry); basically lighttpd was used as frontend for both http and https traffic (I used it for compressing too). It:
1. Removed header called "SSL"
2. Added "SSL: Yes"
So even if someone sends evil headers they will get removed.

Or you can probably make a rule in haproxy to add the "SSL: Yes" header if it comes from localhost and remove it if it doesn't.

On 2010-07-03, Sat at 11:23 -0400, John T Skarbek writes:

> Chris,
>
> Thanks for responding. I had thought of the option you mention.
> However I discontinued it quickly. The reason I'm not a big fan, is
> that those header values can be hacked quite easily. Granted the end
> user (hacker) may not know the specific value that must hold. There
> are even plugins to browsers that help end users view headers and
> modify them any which way they choose.
>
> John T. Skarbek
> B.S.Computer Science Networking
> Radford University
>
> On Sat, Jul 3, 2010 at 9:59 AM, Chris Sarginson <chris#sargy.co.uk>
> wrote:
>
> On 3 Jul 2010, at 14:51, John T Skarbek wrote:
>
> > Good Morning,
> >
> > I'm testing out a solution to use nginx for ssl decryption
> > to pass off requests to haproxy. During the thought process
> > of everything, and later during testing, I noticed that all
> > I'd need to do in the clients web browser is to simply take
> > out the 's' on 'https' and all traffic will flow unencrypted
> > just dandily. I really don't want that to happen. So I
> > thought of a couple of ideas:
> > * I was thinking of a solution to simply deny port 80
> > traffic from the outside world, but then I do have a
> > couple of pages which do not require ssl. Users
> > that don't put the 'https' in the address bar by
> > default will sit at a blank page and I don't want to
> > have to manage the firewall when creating sites.
> > * I was then thinking of having nginx watching that
> > port on specific sites for unencrypted traffic, but
> > then I'm mixing services and that isn't the greatest
> > when planning for future sites and simply seems
> > convoluted to me.
> > * My last thought was to have haproxy use some sort of acl
> > to listen to where requests come from. If anything
> > from the outside world, redirect them to a web page
> > that forces ssl. Doing this would require me to
> > have another entry to listen for the source being
> > itself as decrypted communications from nginx would
> > then possibly be sent to the redirect page also.
> > Does anyone have any thoughts or a
> > better recommended solution?
> >
> > John T. Skarbek
> > B.S.Computer Science Networking
> > Radford University
>
> John,
>
> I use Nginx to insert a header (X-Forwarded-Proto: https), and
> just check that the header exists with haproxy. If it
> doesn't, use the redirect prefix option in haproxy to force
> SSL.
>
> Hope this helps
>
> Chris
>

-- 
Mariusz Gronczewski (XANi) <xani666#gmail.com>
GnuPG: 0xEA8ACE64
http://devrandom.pl
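The header-trust problem discussed in this thread, as an added example (not the configuration of anyone on the list): the public plain-HTTP listener deletes any client-supplied X-Forwarded-Proto before acting on it, and only the local listener fed by the TLS terminator honours it. It assumes HAProxy 1.5+ syntax (the 2010-era equivalents are reqidel and redirect prefix), nginx proxying decrypted traffic to 127.0.0.1:8080, a constructed backend on 127.0.0.1:9000 and a constructed /public/ path for the pages that do not need SSL.

```haproxy
# Public plain-HTTP entry point. Nothing arriving here came over TLS,
# so a client-sent "X-Forwarded-Proto: https" is a spoof attempt and is
# discarded rather than trusted.
frontend plain-in
    bind *:80
    mode http
    http-request del-header X-Forwarded-Proto
    # Constructed example: pages under /public/ may be served without SSL.
    acl no_ssl_needed path_beg /public/
    http-request redirect scheme https code 301 if !no_ssl_needed
    default_backend app

# Reached only from the local TLS terminator (nginx on the same host),
# which always sets the header itself, so here the header is trustworthy.
frontend from-nginx
    bind 127.0.0.1:8080
    mode http
    acl via_tls hdr(X-Forwarded-Proto) -i https
    # Defensive: if nginx ever forwards without the header, force SSL
    # instead of silently serving a protected page in the clear.
    http-request redirect scheme https code 301 if !via_tls
    default_backend app

backend app
    mode http
    # Constructed backend address; replace with the real application server.
    server app1 127.0.0.1:9000
```

On the nginx side, `proxy_set_header X-Forwarded-Proto https;` inside the port 443 server block replaces whatever value the client sent before the request is proxied to 127.0.0.1:8080, so the header can only ever originate at the terminator.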


Received on 2010/07/03 18:56
