[mod-security-users] transparent proxy support in Apache?
From: Jason H. <Jas...@tr...> - 2007-08-01 19:19:59
Hi there,

I'm making a WAF (Web Application Firewall) based around Linux/Apache and mod_security, and as part of the design, thought that making it a transparent (reverse) proxy would be a good move from a disaster recovery perspective (i.e. if it blew up you could just wire around it and the backends would still be available).

Anyway, I did some quick tests with Apache (2.2.4) and found that it really has no transparent proxy support? I can get the iptables rules in place to redirect traffic meant for other servers to terminate on it - but Apache reads them all as connections to itself - i.e. the VirtualHosts don't kick in correctly.

Also, the WAF would primarily be used to protect HTTPS sites. Now I know "you can't transparently proxy HTTPS" is the mantra - but that's not quite true from what I know. I mean, this would be an "official" WAF - so it would have copies of the server certs used on the real backends - so it could actually do a successful "man-in-the-middle". But again it relies on Apache to be able to glean information about the real destination IP addresses so that it could map connections through to the real backend server. I guess Apache would need a "VirtualListen" option...

I've done this successfully with Squid as a normal proxy, but I really need the funky features of Apache as a reverse-proxy - but I want transparency too... Is it doable?

Thanks!

--
Cheers
Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1
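The missing piece the post describes (a listener that is handed connections by an iptables REDIRECT rule, but still needs to know which real backend each one was meant for) is what Squid-style transparent proxies solve with the Linux `SO_ORIGINAL_DST` socket option. The following is an added example, not code from the post, from ModSecurity or from Apache: it decodes the `sockaddr_in` the kernel returns for a redirected connection, maps the pre-NAT destination to a backend through a constructed table, and rejects anything it cannot map. The constants `SOL_IP = 0` and `SO_ORIGINAL_DST = 80`, the backend table, and the listen port 8443 are assumptions for illustration.

```python
import socket
import struct

# Linux-specific constants (from <linux/netfilter_ipv4.h>); this is the
# mechanism Squid-style transparent proxies use to learn where a REDIRECTed
# connection was originally headed. Values are assumed here, not taken from
# the mailing-list post.
SOL_IP = 0
SO_ORIGINAL_DST = 80
SOCKADDR_IN_LEN = 16


def encode_original_dst(ip: str, port: int) -> bytes:
    """Build a struct sockaddr_in as the kernel would return it.

    Used only to construct test input: sa_family in host byte order,
    sin_port and sin_addr in network byte order, then 8 bytes of padding.
    """
    return (struct.pack("=H", socket.AF_INET)
            + struct.pack("!H", port)
            + socket.inet_aton(ip)
            + b"\x00" * 8)


def decode_original_dst(raw: bytes):
    """Decode the sockaddr_in returned by getsockopt(SOL_IP, SO_ORIGINAL_DST).

    Returns (ip, port). Raises ValueError on anything that is not a complete
    IPv4 sockaddr, so a caller never silently forwards to a garbage address.
    """
    if len(raw) < 8:
        raise ValueError("sockaddr_in too short: %d bytes" % len(raw))
    (family,) = struct.unpack("=H", raw[0:2])
    if family != socket.AF_INET:
        raise ValueError("unexpected address family %d" % family)
    (port,) = struct.unpack("!H", raw[2:4])
    ip = socket.inet_ntoa(raw[4:8])
    return ip, port


# Constructed mapping for illustration: the VIP/port a client thinks it is
# talking to -> the real backend behind the WAF. Anything absent is rejected.
BACKENDS = {
    ("10.1.2.3", 443): ("192.0.2.10", 443),
    ("10.1.2.4", 80): ("192.0.2.11", 8080),
}


def select_backend(original_dst, table=None):
    """Map the pre-NAT destination to a backend; None means 'no such vhost'.

    A WAF should treat None as a hard reject rather than falling back to a
    default backend, otherwise a redirected connection to an unlisted address
    would be proxied without any policy attached to it.
    """
    if table is None:
        table = BACKENDS
    return table.get(original_dst)


def original_dst_of(conn: socket.socket):
    """Ask the kernel for the original destination of an accepted connection.

    Linux only, and only meaningful after an iptables REDIRECT/DNAT rule has
    steered the connection to this listener; elsewhere getsockopt raises OSError.
    """
    raw = conn.getsockopt(SOL_IP, SO_ORIGINAL_DST, SOCKADDR_IN_LEN)
    return decode_original_dst(raw)


def serve(listen_port: int = 8443):
    """Minimal accept loop: log the original destination and chosen backend.

    Forwarding itself (TLS termination with the backend's certificate, the
    HTTP proxying, the mod_security inspection) is out of scope for this example.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as srv:
        srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        srv.bind(("0.0.0.0", listen_port))
        srv.listen(16)
        while True:
            conn, peer = srv.accept()
            with conn:
                try:
                    dst = original_dst_of(conn)
                except (OSError, ValueError) as exc:
                    print("reject %s: cannot determine original dst (%s)" % (peer, exc))
                    continue
                backend = select_backend(dst)
                if backend is None:
                    print("reject %s -> %s:%d: no vhost for that destination"
                          % (peer, dst[0], dst[1]))
                    continue
                print("%s meant for %s:%d -> forward to %s:%d"
                      % (peer, dst[0], dst[1], backend[0], backend[1]))


if __name__ == "__main__":
    serve()
```

To exercise `serve()` on a Linux box, the companion rule is of the form `iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8443` (assumed, matching the post's own approach of redirecting traffic meant for other servers onto the WAF). The design point the example makes is that the per-destination mapping is a closed allow-list: a connection whose original destination is not in the table is dropped rather than proxied, so the transparent path cannot become a way around the WAF's own vhost policy.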