Solved

SSL Tunnel via reverse proxy

Posted on 2013-11-02
2,109 Views
Last Modified: 2014-10-21
Hi,
We are building a reverse proxy and we want the client to have an SSL tunnel connection with the server. In other words, the client will connect to the reverse proxy and the reverse proxy will connect between the client and the server without decryption of the SSL message.

Client (SSL) -> reverse proxy (Tunnel) -> Server (and vice versa)

Searching the web I saw that IIS does not support this option (which could be an easy solution)... but maybe I missed something...? In general we are looking for a free solution which will be as simple as possible (maybe Apache or a Java proxy server if they are free).
Please advise on the subject.
Thanks in advance,
Mashuf
Question by:mashuf1976
9 Comments
 
LVL 66

Expert Comment

by:btan
ID: 39619840
You can create a Reverse Proxy with IIS 7 using the URL Rewrite Module 2 and the Application Request Routing Module (ARR). I didn't try it myself but the following link should be able to solve your problem:

Reverse Proxy with URL Rewrite v2 and Application Request Routing
http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing

Also mentioned in this: http://forums.iis.net/t/1188569.aspx

But normally Microsoft TMG (s/w) or a dedicated application delivery controller (h/w) should be preferable, as SSL offloading will be better handled by another server or a better appliance (which also functions as a load balancer). Doing SSL to the backend web server and SSL to the client browser (etc.) will be demanding in resources for the reverse proxy.
0
 

Author Comment

by:mashuf1976
ID: 39619881
Hi,

Thanks, but I think this does not solve the problem. I am looking for a solution in which the client connects with SSL to an internal server through an internet proxy, without decryption of the message in the proxy. The proxy should only help to establish an SSL connection between the client and the internal server (without seeing the message). IIS requires a certificate for port 443, which means the message will be decrypted before the URL rewrite is activated...

As far as I know TMG is not freeware, and we are looking for a free solution at this stage.

Perhaps there are other alternatives?
0
 
LVL 66

Accepted Solution

by:btan
btan earned 1200 total points
ID: 39620533
If you do not need to decrypt then it is like proxying traffic as per normal. You may want to take a look at Squid. It also has SSL transparent and MITM modes.
http://wiki.squid-cache.org/Features/SslBump
0
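As an added illustration of what the thread calls a pass-through tunnel (not code from the thread, nor from Squid, stunnel or Pound): a proxy that never decrypts can only route on the SNI host name, which the TLS ClientHello carries in cleartext before any encryption starts. The host names and backend address below are constructed placeholders.

```python
import struct

def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if data[0] != 0x16:                               # record type 0x16 = handshake
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if body[0] != 0x01:                               # handshake type 0x01 = ClientHello
            return None
        pos = 4 + 2 + 32                                  # skip hs header, client_version, random
        pos += 1 + body[pos]                              # session_id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
        pos += 1 + body[pos]                              # compression_methods
        if pos + 2 > len(body):
            return None                                   # legacy client: no extensions block
        end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            if ext_type == 0x0000:                        # server_name extension
                # list length(2), name_type(1), host_name length(2), host_name
                name_len = struct.unpack("!H", body[pos + 3:pos + 5])[0]
                return body[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                              # truncated or garbage: treat as no SNI
    return None

def build_client_hello(host: str) -> bytes:
    """Constructed sample input: a minimal TLS 1.2 ClientHello carrying an SNI extension."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0x0000, len(sni)) + sni
    hello = (b"\x03\x03" + b"\x11" * 32 + b"\x00"          # version, random, empty session_id
             + b"\x00\x02\xc0\x2f"                         # one cipher suite
             + b"\x01\x00"                                 # null compression only
             + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hello).to_bytes(3, "big") + hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed routing table (hypothetical names). After choosing a backend the tunnel
# proxy just copies bytes both ways; it never holds a certificate or sees plaintext.
BACKENDS = {"intranet.example.com": ("10.0.0.5", 443)}

def choose_backend(first_bytes: bytes, table=BACKENDS):
    """Pick the backend for a new connection from its first TLS record; None means reject."""
    host = extract_sni(first_bytes)
    return table.get(host) if host else None
```

Because nothing after the ClientHello is readable to the proxy, URL rewriting, caching and request filtering are impossible in this mode; that is the trade-off against terminating SSL on the proxy, which the later replies discuss.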
 
LVL 82

Assisted Solution

by:arnold
arnold earned 800 total points
ID: 39621279
If you need an SSL tunnel, use stunnel.
Note: a reverse proxy with a configuration where the SSL connection terminates on the proxy secures the server from a direct attack.

You want the reverse proxy to function as a pass-through.
You are not specifying a platform; here is an example discussion:
http://wiki.squid-cache.org/Features/HTTPS
0
 

Author Comment

by:mashuf1976
ID: 39621488
Thanks Arnold, I am using the Windows Server 2008 platform.
"stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server"
It seems like stunnel is more of a wrapper than a pure tunnel...

These sites demonstrate my needs better:
1. http://pic.dhe.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=%2Fcom.ibm.websphere.edge.doc%2Fedge%2Fcp%2Fadmingd119.htm
2. http://docs.oracle.com/cd/E19575-01/821-0053/adyef/index.html

However, they are not free!
And we're looking for a free solution :)...

Perhaps any other alternatives?
0
 
LVL 66

Assisted Solution

by:btan
btan earned 1200 total points
ID: 39621524
Maybe check out Pound.
http://www.apsis.ch/pound
0
 
LVL 66

Assisted Solution

by:btan
btan earned 1200 total points
ID: 39621543
Nginx is another consideration, but the free one is really not as reliable so far due to the code maintenance.
http://nginx.org/en/

I was thinking a certain budgeted package may be of interest, though I know it is hitting the wall and your limit.
http://www.kousec.com/orenosv/orenosp_en.html
0
 
LVL 82

Assisted Solution

by:arnold
arnold earned 800 total points
ID: 39621776
Squid is a free solution.
There is a similar configuration for Apache to function as a reverse proxy.

Given that both references include caching, you can terminate the SSL connection on the Squid reverse proxy, which is configured to access the server behind it over HTTPS, i.e. the data can only be observed on the proxy itself, compared to a reverse proxy on which the SSL connection terminates and the request to the server behind it goes unencrypted (traffic can be observed on the network if someone plugs into the common switch).

Presumably, you do not want the client accessing the proxy via an insecure mode.
0
 

Author Comment

by:mashuf1976
ID: 39623669
Thanks for all of the suggestions and your time :).
I will look into Squid, Apache and the freeware.
0