Hi there, I'm making a WAF (Web Application Firewall) based around Linux/Apache and mod_security, and as part of the design, thought that making it a transparent (reverse) proxy would be a good move from a disaster recovery perspective (i.e. if it blew up you could just wire around it and the backends would still be available).

Anyway, I did some quick tests with Apache (2.2.4) and found that it really has no transparent proxy support? I can get the iptables rules in place to redirect traffic meant for other servers to terminate on it - but Apache reads them all as connections to itself - i.e. the VirtualHosts don't kick in correctly.

Also, the WAF would primarily be used to protect HTTPS sites. Now I know "you can't transparently proxy HTTPS" is the mantra - but that's not quite true from what I know. I mean this would be an "official" WAF - so it would have copies of the server certs used on the real backends - so it could actually do a successful "man-in-the-middle". But again it relies on Apache to be able to glean information about the real destination IP addresses so that it could map connections through to the real backend server. I guess Apache would need a "VirtualListen" option...

I've done this successfully with Squid as a normal proxy, but I really need the funky features of Apache as a reverse-proxy - but I want transparency too...

Is it doable?

Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
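The "VirtualListen" information the post is asking for does exist at the socket layer on Linux: after an iptables REDIRECT, the kernel still knows the address the client originally dialled and hands it back via the SO_ORIGINAL_DST socket option. The following is an added illustration, not code from the post or from Apache; it assumes a Linux host with a NAT PREROUTING REDIRECT rule in place, and the backend addresses and route table are constructed sample values.

```python
"""Recover the client's intended destination behind an iptables REDIRECT rule."""
import socket
import struct
from typing import Dict, Optional, Tuple

SO_ORIGINAL_DST = 80  # from <linux/netfilter_ipv4.h>; Python's socket module does not export it


def encode_sockaddr_in(ip: str, port: int) -> bytes:
    """Build the 16-byte struct sockaddr_in the kernel returns (used to construct test input)."""
    # sa_family is host byte order, sin_port network byte order, then sin_addr and 8 bytes of zero padding
    return struct.pack("=H", socket.AF_INET) + struct.pack("!H", port) + socket.inet_aton(ip) + bytes(8)


def parse_sockaddr_in(raw: bytes) -> Tuple[str, int]:
    """Decode a struct sockaddr_in into (ip, port); reject anything that is not a well-formed IPv4 record."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short")
    family = struct.unpack("=H", raw[:2])[0]
    if family != socket.AF_INET:
        raise ValueError(f"unexpected address family {family}")
    port = struct.unpack("!H", raw[2:4])[0]
    return socket.inet_ntoa(raw[4:8]), port


def original_destination(conn: socket.socket) -> Tuple[str, int]:
    """Ask conntrack where the client really connected; only meaningful after REDIRECT/DNAT."""
    return parse_sockaddr_in(conn.getsockopt(socket.SOL_IP, SO_ORIGINAL_DST, 16))


def select_backend(orig: Tuple[str, int], routes: Dict[Tuple[str, int], str]) -> Optional[str]:
    """Map the original (ip, port) to a configured backend; unknown destinations yield None (fail closed)."""
    return routes.get(orig)


if __name__ == "__main__":
    # Assumed rule on the WAF: iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443
    # Constructed sample route table: original server address -> backend the WAF holds a certificate for.
    routes = {("192.0.2.10", 443): "https://backend-a.internal", ("192.0.2.11", 443): "https://backend-b.internal"}
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", 8443))
    srv.listen()
    while True:
        conn, peer = srv.accept()
        try:
            orig = original_destination(conn)
        except (OSError, ValueError) as exc:  # not redirected traffic, or not IPv4: drop it
            print(f"{peer} rejected: {exc}")
            conn.close()
            continue
        print(f"{peer} dialled {orig} -> backend {select_backend(orig, routes)}")
        conn.close()
```

A real WAF would hand the accepted socket to the TLS layer with the certificate matching the selected backend; the point here is only that the original destination is recoverable, so the proxy can route on it rather than on its own listening address.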