RE: [fw-wiz] HTTPS proxy solutions

lordchariot_at_earthlink.net
Date: 03/08/04

    To: <firewall-wizards@honor.icsalabs.com>
    Date: Sun, 7 Mar 2004 21:58:27 -0500
    
    

    I've done SSL termination before just by using an Apache web server with
    mod_proxy and mod_rewrite.
    Apache listens on the exterior (through a firewall), accepts the SSL
    connection and forwards the clear-text HTTP to another internal server. The
    cert resides on the Apache server and handles the encryption.
    You can also do a moderate amount of redirection as well, i.e.
    https://www.foo.com -> http://server1/
    https://www.foo.com/mail/ -> http://server2/exchange/

    There are some commercial products out there too, including features
    built-in to a proxy firewall (like CyberGuard) or load balancer (F5
    BigIP...newest release I think)

    Erik
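
The setup Erik describes, written out as an added example (this configuration is not from the original post): one Apache httpd front end that holds the certificate, terminates SSL for www.foo.com, and reverse-proxies clear-text HTTP to the two internal servers using the two mappings above. The Apache 2.4 syntax, module paths, certificate file locations and the internal hostnames server1 and server2 are assumptions for illustration.

```apache
# Added example, not from the original post. Apache httpd 2.4 front end that
# terminates SSL for www.foo.com and reverse-proxies clear-text HTTP inward.
# Module paths, certificate locations and internal hostnames are assumed.

Listen 80
Listen 443

LoadModule ssl_module        modules/mod_ssl.so
LoadModule proxy_module      modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule rewrite_module    modules/mod_rewrite.so

# Plain HTTP: serve nothing here, only bounce clients to HTTPS.
<VirtualHost *:80>
    ServerName www.foo.com
    RewriteEngine On
    RewriteRule ^/(.*)$ https://www.foo.com/$1 [R=301,L]
</VirtualHost>

<VirtualHost *:443>
    ServerName www.foo.com

    # The certificate and private key live only on this box; the internal
    # servers never see TLS.
    SSLEngine on
    SSLCertificateFile      /etc/httpd/ssl/www.foo.com.crt
    SSLCertificateKeyFile   /etc/httpd/ssl/www.foo.com.key
    SSLCertificateChainFile /etc/httpd/ssl/www.foo.com.chain.crt

    # Reverse proxy only. "ProxyRequests On" would turn this host into an
    # open forward proxy reachable from the Internet.
    ProxyRequests Off

    # Most specific mapping first: ProxyPass rules are matched in order.
    # https://www.foo.com/mail/...  ->  http://server2/exchange/...
    ProxyPass        /mail/ http://server2/exchange/
    ProxyPassReverse /mail/ http://server2/exchange/

    # Everything else: https://www.foo.com/  ->  http://server1/
    ProxyPass        / http://server1/
    ProxyPassReverse / http://server1/

    # mod_rewrite alternative for the /mail/ mapping: the [P] flag hands the
    # rewritten URL to mod_proxy. ProxyPassReverse is still needed to fix
    # Location headers coming back from the internal server.
    # RewriteEngine On
    # RewriteRule ^/mail/(.*)$ http://server2/exchange/$1 [P,L]
</VirtualHost>
```

Two things a practitioner should check in such a deployment. The leg from Apache to server1 and server2 is clear text, so it belongs on a segment the firewall keeps separate from the outside network, not on a shared LAN. And ProxyPassReverse only rewrites the Location, Content-Location and URI response headers; absolute links inside HTML bodies that name http://server2/ are passed through untouched, so the internal servers should be configured to generate relative links or to believe they are www.foo.com.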

    -----Original Message-----
    From: firewall-wizards-admin@honor.icsalabs.com
    [mailto:firewall-wizards-admin@honor.icsalabs.com] On Behalf Of Sigurd
    Urdahl
    Sent: Friday, March 05, 2004 2:20 PM
    To: firewall-wizards@honor.icsalabs.com
    Subject: [fw-wiz] HTTPS proxy solutions

    Hi all,

    does anyone know of commercially or freely available HTTPS proxies
    that terminate the SSL traffic, thus allowing content scanning of
    the traffic?

    I'm aware that such a solution needs to generate certificates that the
    clients accept.

    What I'm thinking of is a proxy that gathers information about name
    resolution done by clients and uses that to generate an SSL certificate
    for each connection.

    E.g. if the proxy gets a connection to IP a.b.c.d from host w.x.y.z,
    and, by some kind of magical glue, can figure out that host w.x.y.z
    recently was given the information that host www.foo.com is at
    a.b.c.d, it can also give the client a certificate for www.foo.com.

    The connection can then quite easily be scanned and proxied to
    www.foo.com.

    As long as the issuing CA is trusted by the clients (which should be
    quite easy to implement), the proxy should be transparent to the
    end-users.

    So does anyone know of solutions either technically or functionally
    equivalent to this?

    Or have I just overlooked something obvious and presented another
    fundamentally flawed idea for an HTTPS proxy? (I hope not :-)

    kind regards,

    -sig

    -- 
    Sigurd Urdahl                           sigurdur@linpro.no
    Systemkonsulent og sånt        Systems consultant and such
    Linpro A/S                           http://www.linpro.no/
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards