RE: Penetrating a reverse proxy

From: Ivan Coric (ivan.coric@workcoverqld.com.au)
Date: 05/24/02


Date: Fri, 24 May 2002 09:58:49 +1000
From: "Ivan Coric" <ivan.coric@workcoverqld.com.au>
To: <joemccray@hardestworkingmanonline.com>, <davidcullen@rogers.com>

Some more info on Rproxy's

http://www.ists.dartmouth.edu/IRIA/projects/jeanne.htm
http://developer.netscape.com/docs/manuals/proxy/adminux/revpxy.htm
http://home.ie.cuhk.edu.hk/~msng0/twhttpd/
http://www.monkeys.com/security/proxies/

cheers
Ivan

>>> "David Cullen" <davidcullen@rogers.com> 05/23/02 07:06am >>>
Hi Joe,

1) This article discusses the pros and cons of Reverse Proxy. Uses an Apache
Server for implementation purposes. The article may give you a few ideas:
A Reverse Proxy Is A Proxy By Any Other Name
http://rr.sans.org/web/reverse_proxy.php

2) Book: Web Proxy Servers, Ari Luotonen. ISBN: 0136806120

3) Vendor: CacheFlow.
http://www.cacheflow.com/support/config/reverse/index.cfm

Regards,
David

davidcullen@rogers.com

-----Original Message-----
From: Joe McCray [mailto:joemccray@hardestworkingmanonline.com]
Sent: May 21, 2002 9:46 AM
To: security-basics@securityfocus.com
Subject: Penetrating a reverse proxy

Having never dealt with attacking a reverse proxy, and just now
reading about the benefits of Reverse Proxy, and Secure Reverse
Proxy at:
http://developer.netscape.com/docs/manuals/proxy/adminux/revpxy.htm

Does anyone know of any good websites, books, or other material
that may be relevant for attempting to penetrate a database server
that is behind a Reverse Proxy? This concept of the reverse proxy
being able to:

Quote from the above website link-
If the content server returns an error message, the proxy server
can intercept the message and change any URLs listed in the
headers before sending the message to the client. This prevents
external clients from getting redirection URLs to the internal
content server.

I haven't been asked to attempt to penetrate the web proxy, but the
potential is there that I may be asked to attempt it in the
future. I'd like to know where I can do some reading on the
subject.

Joe McCray
CCNA, Windows 2000 MCSE
www.hardestworkingmanonline.com

________________________________________________________________
Sent via hardestworkingmanonline.com
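
The header rewriting described in the quoted Netscape passage, sketched as an added example that is not part of the original thread or of any product named in it: URL-bearing response headers from the content server are mapped to the public origin, and an audit helper reports headers that still name the internal host. The host names, header set and function names are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed values for illustration; not taken from the thread.
INTERNAL_ORIGIN = "http://content01.internal.example:8080"
PUBLIC_ORIGIN = "https://www.example.com"
URL_HEADERS = ("location", "content-location")  # headers whose value is a URL


def _origin(url):
    """Normalised (scheme, host, port) triple used to compare origins."""
    parts = urlsplit(url)
    return (parts.scheme.lower(), (parts.hostname or "").lower(), parts.port)


def rewrite_headers(headers, internal=INTERNAL_ORIGIN, public=PUBLIC_ORIGIN):
    """Return a copy of the backend's response headers in which URL headers
    pointing at the internal origin point at the public origin instead."""
    pub = urlsplit(public)
    out = []
    for name, value in headers:
        if name.lower() in URL_HEADERS and _origin(value) == _origin(internal):
            p = urlsplit(value)
            value = urlunsplit((pub.scheme, pub.netloc, p.path, p.query, p.fragment))
        out.append((name, value))
    return out


def leaked_headers(headers, internal=INTERNAL_ORIGIN):
    """Audit check: names of headers whose value still contains the internal host."""
    host = urlsplit(internal).hostname
    return [name for name, value in headers if host in value.lower()]


# Constructed backend response: a redirect plus a cookie scoped to the internal host.
BACKEND_RESPONSE = [
    ("Location", "http://content01.internal.example:8080/login?next=%2Freports"),
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sid=abc123; Domain=content01.internal.example; Path=/"),
]

if __name__ == "__main__":
    rewritten = rewrite_headers(BACKEND_RESPONSE)
    for name, value in rewritten:
        print(f"{name}: {value}")
    print("still naming the internal host:", leaked_headers(rewritten))
```

In this constructed response the redirect is rewritten, while the cookie's Domain attribute still carries the internal name, which is why the audit step runs over all headers rather than only the ones being rewritten.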



