Pound Mailing List Archive, 2009-07: Re: Pound as HTTPS / HTTPS proxy
Re: Pound as HTTPS / HTTPS proxy
Heiko Schlittermann <hs(at)schlittermann.de>, 2009-07-09 22:00:19
Hello,
here is the conversation with Robert I had so far about using
pound as an HTTPS / HTTPS proxy. He asked me for the reason(s) for wanting
this MITM approach.

Robert Segall <roseg(at)apsis.ch> (Do 09 Jul 2009 18:14:14 CEST): [...]

The backend is a Microsoft Webaccess (at least that's what the customer
told me). It's already set up as an HTTPS server and I don't want to
ask them for any change (their and my limited knowledge about what to
change in the MS system). I'm not sure about the application sending
self-referencing URLs, not only as redirects (these I could rewrite
using Pound, AFAIK), but also sending links with self-referencing full URLs.

This backend is protected by a Linux firewall. Just forwarding the HTTPS
port (traffic) to the backend is a poor solution, because they asked us
to limit the access to a specific URL pattern. So my idea was the MITM
approach: I got the SSL key and cert and thought to use Pound to
decrypt/check/sanitize the traffic and then connect via HTTPS to the
backend.

Probably squid is able to do this (needs to be compiled "--using-ssl")
and probably Apache's mod_proxy could be used. Both solutions are not
checked yet, since I like the lean approach of Pound compared with
these two "fat" applications.

(The current setup we're testing uses a stunnel connection to the
backend...)

Any ideas and opinions are welcome.

Best regards from Dresden/Germany
Heiko Schlittermann
Re: [Pound Mailing List] Re: Pound as HTTPS / HTTPS proxy
Heiko Schlittermann <hs(at)schlittermann.de>, 2009-07-10 23:32:31
Hello,
now I'm answering myself.

Heiko Schlittermann <hs(at)schlittermann.de> (Do 09 Jul 2009 22:00:19 CEST): [...]

Just for the record:

client -- { internet } --- [ pound | stunnel ] ------- [ backend ]
          https://<domain>/path
                                                        https://<domain>/path

works for me. But I'd like to see the stunnel integrated in pound (for
admin purposes).

Heiko
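The setup sketched above (Pound terminates the public HTTPS, restricts the URL pattern, and hands the request to a local stunnel that re-encrypts it towards the backend) written out as an added configuration example; this is not configuration from the thread or from the Pound project, and the certificate paths, the backend hostname, the `/path` prefix and port 8443 are placeholders to replace with your own values.

```conf
# ---- /etc/pound/pound.cfg  (constructed example, Pound 2.x syntax) ----
User        "www-data"
Group       "www-data"
LogLevel    1
Alive       30

ListenHTTPS
    Address 0.0.0.0
    Port    443
    # private key + certificate for the public name (placeholder path)
    Cert    "/etc/pound/frontend.pem"
    # accept only plain GET/POST/HEAD from clients
    xHTTP   0

    # Only the URL pattern the customer allowed is forwarded; anything
    # else gets Pound's error response and never reaches the backend.
    Service
        URL "^/path(/.*)?$"
        BackEnd
            Address 127.0.0.1
            Port    8443          # the stunnel client listener below
        End
    End
End

# ---- /etc/stunnel/stunnel.conf  (constructed example, stunnel 4.x) ----
client = yes

[backend-https]
accept  = 127.0.0.1:8443
connect = backend.example.net:443      # placeholder backend name
# Verify the backend certificate against a CA file so the re-encrypted
# leg cannot be silently intercepted; verify = 2 requires a valid cert.
verify  = 2
CAfile  = /etc/stunnel/backend-ca.pem  # placeholder CA bundle path
```

With this, only `https://<domain>/path...` is proxied, and the Pound-to-backend leg is encrypted and authenticated by stunnel even when the two hosts are on different networks.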
Re: [Pound Mailing List] Re: Pound as HTTPS / HTTPS proxy
Eirik Øverby <eirik.overby(at)modirum.com>, 2009-07-11 17:47:25
This functionality is required for PCI-DSS compliance in any scenario
where pound and the backend do NOT reside on the same server (i.e. the
traffic is not allowed to hit the wire unencrypted).
/Eirik
Re: [Pound Mailing List] Re: Pound as HTTPS / HTTPS proxy
Thomas Baxter <thomas.baxter(at)gelaskins.com>, 2009-07-13 20:18:46
unsubscribe
Re: [Pound Mailing List] Re: Pound as HTTPS / HTTPS proxy
Mattias Berge <mattiasb(at)travellab.com>, 2009-07-20 10:24:19
As I understand it, that's only a requirement when sending the data over
open networks.
See Requirement 4.1
Re: [Pound Mailing List] Re: Pound as HTTPS / HTTPS proxy
Eirik Øverby <eirik.overby(at)modirum.com>, 2009-07-20 11:08:52
Not quite. All auditors I've encountered have refused to accept it
without strong compensating controls.
Plus, other requirements from Visa (non-PCI) require encryption even
locally.
/Eirik