Re: Haproxy+Nginx SSL Insecurities

From: John T Skarbek <jtslear#gmail.com>
Date: Thu, 8 Jul 2010 16:10:04 -0400


Hey guys,

Thanks for the input. I ended up settling on the following configuration type:
in haproxy:
listen something.com
        bind 172.168.1.1:80
        # hdr(), cookie insertion and redirect need HTTP mode; this line is only
        # needed if 'mode http' is not already set in the defaults section
        mode http
        # requests that arrived on the plain-HTTP port
        acl acl_port_80 dst_port eq 80
        # requests carrying the marker header that nginx adds after terminating SSL
        acl acl_secure hdr(amISecure) YES
        cookie SERVERID insert indirect nocache
        # plain-HTTP requests without the marker are sent to the SSL landing page
        redirect location https://something.com/sslRedirect.htm code 301 if acl_port_80 !acl_secure
        server www100 172.168.1.100 cookie www100 weight 1 check inter 1s fall 3 rise 2
        option httpchk GET /ping.htm HTTP/1.1\r\nHost:something.com
        # keep the client address chain in the logs
        capture request header X-Forwarded-For len 15

and in nginx:
location / {
        # pass the client address chain on to haproxy
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # marker header telling haproxy that this request already went through SSL here
        proxy_set_header amISecure YES;
        proxy_pass      http://something.com;
}

I also wanted to thank you guys for the feedback; I appreciated it.

John T. Skarbek
B.S.Computer Science Networking
Radford University
jskarbek#radford.edu
434.770.3089
Radford, VA 24142

On Sat, Jul 3, 2010 at 12:59 PM, Willy Tarreau <w#1wt.eu> wrote:

> On Sat, Jul 03, 2010 at 11:23:16AM -0400, John T Skarbek wrote:
> > Chris,
> >
> > Thanks for responding. I had thought of the option you mention. However, I
> > discontinued it quickly. The reason I'm not a big fan is that those header
> > values can be hacked quite easily. Granted, the end user (hacker) may not
> > know the specific value that must hold. There are even plugins to browsers
> > that help end users view headers and modify them any which way they choose.
>
> hey, just remove the header from the HTTP proxy ;-)
> Having a front reverse-proxy set the information about SSL is quite common
> anyway. With stunnel, what is common is to forward the deciphered SSL
> traffic to 127.0.0.1, so that haproxy knows for sure it was SSL. There
> is nothing wrong with proceeding that way with nginx.
>
> Regards,
> Willy
>
>
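An added configuration example, not from the original thread, showing the split that Willy describes: nginx hands the decrypted traffic to haproxy on a loopback port, so the listener a request arrives on is what tells haproxy it was SSL, and the public port-80 listener redirects unconditionally without consulting any header a client could have supplied. The listener names, the loopback port 8080 and the assumption that nginx and haproxy share a host are mine; the addresses, server, cookie, health-check and capture lines are the ones from the post. Syntax is HAProxy 1.3/1.4 as in use in 2010.

```haproxy
# Added example (not from the thread). Assumes nginx runs on the same host as
# haproxy and is changed to proxy_pass to 127.0.0.1:8080 instead of
# http://something.com. Listener names and the 8080 port are illustrative.

# Public plain-HTTP listener. Anyone on the Internet can reach this port and
# can send whatever headers they like, so nothing in the request is trusted:
# every request here is unencrypted by definition and is redirected.
listen something.com-http
        bind 172.168.1.1:80
        mode http
        redirect location https://something.com/sslRedirect.htm code 301

# Internal listener. Only processes on this host can connect to 127.0.0.1;
# assuming nginx (after SSL termination) is the only local process that
# talks to it, arriving here is the proof that the request was encrypted.
# No amISecure header is consulted, so a spoofed one is simply ignored.
listen something.com-ssl-backend
        bind 127.0.0.1:8080
        mode http
        cookie SERVERID insert indirect nocache
        server www100 172.168.1.100 cookie www100 weight 1 check inter 1s fall 3 rise 2
        option httpchk GET /ping.htm HTTP/1.1\r\nHost:\ something.com
        capture request header X-Forwarded-For len 15
```

On the nginx side the only changes are `proxy_pass http://127.0.0.1:8080;` in place of `proxy_pass http://something.com;`, plus `proxy_set_header Host $host;` so the backends keep seeing the original Host header (nginx otherwise rewrites it to the proxy_pass host). The `amISecure` header line can be dropped entirely, since nothing consults it any more.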
Received on 2010/07/08 22:10

This archive was generated by hypermail 2.2.0 : 2010/07/08 22:15 CEST