https to https proxy search - Security


Thread: https to https proxy search

  1. https to https proxy search

    I have been charged with finding a reverse proxy for our network that will
    do https to the client and https to the backend server as well. I see that
    Microsoft does http bridging, but I wanted to do it open source for security
    and cost effectiveness, but I can't find an open source proxy that will do
    this. I've looked into pound, squid, apache, privoxy, and transproxy. Can
    anyone suggest a proxy that will do this or should I just go with ISA? Also,
    I have to do https backend because of several Cisco software packages
    installed - it is impractical to rewrite their links and code. Any ideas
    would be much appreciated.

    Brad



  2. Re: https to https proxy search

    Brad Esclavon wrote:

    > I have been charged with finding a reverse proxy for our network that will
    > do https to the client and https to the backend server as well.


    Kinda begs the question of *why* run SSL through to the servers. SSL is a
    good way to secure temporary connections across the internet but from the
    proxy to the server it's just adding a lot of overhead you don't need - a
    secure line or VPN would be a better solution for this hop.

    Stunnel will provide an SSL front-end for the proxy (Squid IME is
    excellent). I expect it's probably possible to do it with Apache + SSL in
    front of (or *as*) the proxy. You could set it up to wrap the connections
    to the servers too - but as I said before it's a dumb way to solve the
    problem.

    I'm guessing you've not used ISA much since you are still considering
    Microsoft

    HTH

    C.


  3. Re: https to https proxy search

    "Brad Esclavon" said:
    >I have been charged with finding a reverse proxy for our network that will
    >do https to the client and https to the backend server as well. I see that
    >Microsoft does http bridging, but I wanted to do it open source for security
    >and cost effectiveness, but I can't find an open source proxy that will do
    >this. I've looked into pound, squid, apache, privoxy, and transproxy.


    I'm quite certain I've seen something like this done with Apache 1.3
    mod_proxy, but it required a little bit of local add-on code.
    --
    Wolf a.k.a. Juha Laiho Espoo, Finland
    (GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
    PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
    "...cancel my subscription to the resurrection!" (Jim Morrison)

  4. Re: https to https proxy search

    Colin-

    Thanks for the reply. I understand how I "should" set up a vpn or put the
    servers in a secure area, but we are trying to proxy Cisco call managers
    that don't allow us to do it that way. The new 4.1 CM only allows SSL and
    does not officially support proxying. The way we temporarily enabled this is
    by removing ssl on the CM's and using pound https->http. We have other
    software products that are going to go online soon with only https, so I
    need to find a proper way to fix it for good.

    Any other ideas would be much appreciated, especially why ISA is not a good
    choice (other than the obvious Windows is slow and unsecure)?

    thanks- brad

    "Colin McKinnon" wrote in message news:u4JNf.14601$Ru5.7544@newsfe6-gui.ntli.net...
    > Brad Esclavon wrote:
    >
    >> I have been charged with finding a reverse proxy for our network that will
    >> do https to the client and https to the backend server as well.

    >
    > Kinda begs the question of *why* run SSL through to the servers. SSL is a
    > good way to secure temporary connections across the internet but from the
    > proxy to the server it's just adding a lot of overhead you don't need - a
    > secure line or VPN would be a better solution for this hop.
    >
    > Stunnel will provide an SSL front-end for the proxy (Squid IME is
    > excellent). I expect it's probably possible to do it with Apache + SSL in
    > front of (or *as*) the proxy. You could set it up to wrap the connections
    > to the servers too - but as I said before it's a dumb way to solve the
    > problem.
    >
    > I'm guessing you've not used ISA much since you are still considering
    > Microsoft
    >
    > HTH
    >
    > C.
    >




  5. Re: https to https proxy search

    On Mon, 06 Mar 2006 18:28:55 -0500, Brad Esclavon wrote:

    > Colin-
    >
    > Thanks for the reply. I understand how I "should" set up a vpn or put the
    > servers in a secure area, but we are trying to proxy Cisco call managers
    > that don't allow us to do it that way. The new 4.1 CM only allows SSL and
    > does not officially support proxying. The way we temporarily enabled this is
    > by removing ssl on the CM's and using pound https->http. We have other
    > software products that are going to go online soon with only https, so I
    > need to find a proper way to fix it for good.
    >
    > Any other ideas would be much appreciated, especially why ISA is not a good
    > choice (other than the obvious Windows is slow and unsecure)?


    All you say about ISA is right, but you have a much worse problem: any
    HTTPS -> HTTPS proxying is essentially a "man in the middle". HTTPS was
    designed to allow the client (and optionally the server) to verify the
    identity of the other party. By proxying you break that and open yourself
    to some potentially unpleasant attacks.
    --
    Mailman
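
Added example, not part of the original thread or of any poster's setup: the "Apache + SSL as the proxy" arrangement suggested in reply 2, terminating HTTPS from the client and opening a second HTTPS session to the backend, with the backend certificate check that bears on the identity concern raised in reply 5. It assumes Apache httpd 2.4 with mod_ssl, mod_proxy and mod_proxy_http (newer than the versions discussed in the thread); all hostnames and file paths are placeholders.

```apache
# Added example. Hostnames and paths below are placeholders.
<VirtualHost *:443>
    ServerName proxy.example.com

    # Client-facing TLS: the proxy presents its own certificate, so the
    # client authenticates the proxy, not the backend.
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/proxy.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/proxy.example.com.key

    # Backend-facing TLS: mod_proxy acts as an HTTPS client to the backend.
    SSLProxyEngine on

    # Weak variant (encrypts the hop but authenticates nothing; any host
    # that answers on the backend address is accepted):
    #   SSLProxyVerify none
    #   SSLProxyCheckPeerName off

    # Hardened variant: the backend certificate must chain to a CA the
    # proxy trusts, be unexpired, and match the host name in ProxyPass.
    SSLProxyVerify require
    SSLProxyVerifyDepth 2
    SSLProxyCACertificateFile /etc/httpd/tls/backend-ca.pem
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests off

    # Send the backend's own host name so links it generates stay valid,
    # and rewrite Location headers on the way back to the client.
    ProxyPreserveHost off
    ProxyPass        / https://backend.internal.example/
    ProxyPassReverse / https://backend.internal.example/
</VirtualHost>
```

With the hardened directives, a backend whose certificate fails verification causes the proxied request to fail instead of being forwarded.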

