RE: SSL Reverse Proxy
From: Lucas Zaichkowsky (Lucas_at_dnsys.com)
Date: 04/29/03
- Previous message: Tomas Wolf: "Re: UNTRUSTED signature in GPG"
- Maybe in reply to: Andrea Cogliati: "SSL Reverse Proxy"
- Next in thread: Daniel Williams: "Re: SSL Reverse Proxy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Andrea Cogliati <AndreaC@gotech.it>, security-basics@securityfocus.com Date: Tue, 29 Apr 2003 09:43:51 -0500
You can install the certificate on both servers. The clients will only be
looking at the host name along with the CA signature to determine validity.
There's nothing tying a certificate to the IP.
To do what you want with Microsoft ISA, you'll need to install the
certificate and private key on the ISA server. Then, setup rules to forward
traffic based off the URL.
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechn
ol/isa/proddocs/isadocs/M_P_C_WebPubRule.asp
If you want the SSL tunnel to go all the way to the web servers, you'll need
to install the certificate and private key on both servers and find a load
balancer that can redirect by URL. Personally, I don't know of a load
balancer that does this, but I'd imagine that the feature isn't too unusual.
-Lucas
-----Original Message-----
From: Andrea Cogliati [mailto:AndreaC@gotech.it]
Sent: Monday, April 28, 2003 6:07 AM
To: security-basics@securityfocus.com
Subject: SSL Reverse Proxy
Guys,
We are looking for a reverse-proxy supporting both http and https,
capable of terminating the client connections and redirecting the
requests based on URL (something like MS ISA); caching would be nice to
have but, definitely, not mandatory; must run on OpenBSD and/or Linux.
We already know the security implications of this approach. We basically
need to share the same SSL certificate and the same DNS name between two
different servers. That is, https://mydomain.com/appA and
https://mydomain.com/appB, where requests to the first URL will be
handled by server A, and those to the latter by server B. Any hints?
Thank you in advance for any advice.
Andrea
---------------------------------------------------------------------------
Attend Black Hat Briefings & Training Europe, May 12-15 in Amsterdam, the
world's premier event for IT and network security experts. The two-day
Training features 6 hand-on courses on May 12-13 taught by professionals.
The two-day Briefings on May 14-15 features 24 top speakers with no vendor
sales pitches. Deadline for the best rates is April 25. Register today to
ensure your place. http://www.securityfocus.com/BlackHat-security-basics
----------------------------------------------------------------------------
---------------------------------------------------------------------------
FastTrain has your solution for a great CISSP Boot Camp. The industry's most
recognized corporate security certification track, provides a comprehensive
prospectus based upon the core principle concepts of security. This ALL INCLUSIVE curriculum utilizes lectures, case studies and true hands-on utilization
of pertinent security tools. For a limited time you can enter for a chance
to win one of the latest technological innovations, the SEGWAY HT.
Log onto http://www.securityfocus.com/FastTrain-security-basics
----------------------------------------------------------------------------
- Previous message: Tomas Wolf: "Re: UNTRUSTED signature in GPG"
- Maybe in reply to: Andrea Cogliati: "SSL Reverse Proxy"
- Next in thread: Daniel Williams: "Re: SSL Reverse Proxy"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
