Solved

SSL Tunnel via reverse proxy

Posted on 2013-11-02
1,804 Views
Last Modified: 2014-10-21
Hi,
We are building a reverse proxy and we want the client to have an SSL tunnel connection with the server. In other words, the client will connect to the reverse proxy and the reverse proxy will connect between the client and the server without decryption of the SSL message.

Client (SSL) -> reverse proxy (Tunnel) -> Server (and vice versa)

Searching the web I saw that IIS does not support this option (which could be an easy solution)... but maybe I missed something...? In general we are looking for a free solution which will be as simple as possible (maybe Apache or a Java proxy server, if they are free).
Please advise on the subject.
Thanks in advance,
Mashuf
Question by:mashuf1976
11 Comments

Expert Comment

by:btan
ID: 39619840
You can create a Reverse Proxy with IIS 7 using the URL Rewrite Module 2 and the Application Request Routing Module (ARR). I didn't try it myself but the following link should be able to solve your problem:

Reverse Proxy with URL Rewrite v2 and Application Request Routing
http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing

also mentioned in this - http://forums.iis.net/t/1188569.aspx

But normally a Microsoft TMG (s/w) or a dedicated application delivery controller (h/w) should be preferable, as SSL offloading is better handled by a dedicated server or appliance (which also functions as a load balancer). Doing SSL to the backend web server and SSL to the client browser (etc.) will be demanding in resources for the reverse proxy.
Author Comment

by:mashuf1976
ID: 39619881
Hi,

thanks, but I think this does not solve the problem. I am looking for a solution in which the client connects with SSL to an internal server through an internet proxy, without decryption of the message in the proxy. The proxy should only help to establish an SSL connection between the client and the internal server (without seeing the message). IIS requires a certificate for port 443, which means the message will be decrypted before the URL rewrite is activated...

As far as I know TMG is not a freeware, and we are looking for a free solution at this stage.

Perhaps there are other alternatives?

Accepted Solution

by: btan (earned 1200 total points)
ID: 39620533
If you do not need to decrypt, then it is like proxying traffic as per normal. You may want to take a look at Squid. It also has SSL transparent and MITM modes.
http://wiki.squid-cache.org/Features/SslBump

Assisted Solution

by: arnold (earned 800 total points)
ID: 39621279
If you need an SSL tunnel, use stunnel.
Not a reverse proxy with a configuration where the SSL connection terminates on the proxy secures the server from a direct attack.

You want the reverse proxy to function as a pass through.
You are not specifying a platform, here is an example, discussion.
http://wiki.squid-cache.org/Features/HTTPS
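The pass-through behaviour asked for above, as an added example in Python (not code from the thread or from Squid, stunnel or any other tool named in it): the proxy inspects only the cleartext SNI field of the TLS ClientHello to choose a backend, then relays bytes in both directions; it holds no certificate or private key, so it cannot decrypt anything. The backend table in the comment is a hypothetical placeholder, and `build_client_hello` constructs sample input for testing rather than captured traffic; it also assumes the whole ClientHello arrives in the first segment, which is the common case.

```python
import socket
import struct
import threading

def parse_sni(data: bytes):
    """SNI hostname from a raw TLS ClientHello record, or None; nothing is decrypted."""
    if len(data) < 44 or data[0] != 0x16 or data[5] != 0x01:
        return None
    try:
        pos = 44 + data[43]                                    # skip session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # skip cipher suites
        pos += 1 + data[pos]                                   # skip compression
        end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", data[pos:pos + 4])
            pos += 4
            if ext_type == 0:                                  # server_name extension
                name_len = struct.unpack("!H", data[pos + 3:pos + 5])[0]
                return data[pos + 5:pos + 5 + name_len].decode("ascii")
            pos += ext_len
    except (struct.error, IndexError, UnicodeDecodeError):
        pass                                                   # malformed hello
    return None

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello carrying one SNI extension (test input)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)   # version, random, sid, suites, compression
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

def pump(src: socket.socket, dst: socket.socket) -> None:
    try:                                          # copy one way until src closes; the proxy
        while chunk := src.recv(65536):           # holds no key, so it cannot read the bytes
            dst.sendall(chunk)
    finally:
        dst.close()

def handle_client(client: socket.socket, backends: dict) -> None:
    hello = client.recv(16384, socket.MSG_PEEK)   # peeked bytes stay queued, forwarded intact
    backend = backends.get(parse_sni(hello))      # e.g. {"app.example": ("10.0.0.5", 443)}
    if backend is None:                           # missing or unknown SNI: refuse, don't guess
        return client.close()
    upstream = socket.create_connection(backend)
    threading.Thread(target=pump, args=(client, upstream), daemon=True).start()
    pump(upstream, client)
```

Because the proxy never terminates TLS, the backend must present the certificate the client expects, and the proxy can only route on the hostname, not on the URL path.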
Author Comment

by:mashuf1976
ID: 39621488
Thanks Arnold, I am using the Windows Server 2008 platform.
"stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server"
It seems like stunnel is more of a wrapper than a pure tunnel...

These sites demonstrate my needs better:
1. http://pic.dhe.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=%2Fcom.ibm.websphere.edge.doc%2Fedge%2Fcp%2Fadmingd119.htm
2. http://docs.oracle.com/cd/E19575-01/821-0053/adyef/index.html

However, they are not free!
And we're looking for a free solution :)...

Perhaps any other alternatives?

Assisted Solution

by: btan (earned 1200 total points)
ID: 39621524
Maybe check out Pound.
http://www.apsis.ch/pound

Assisted Solution

by: btan (earned 1200 total points)
ID: 39621543
Nginx considerations, but the free one is really not as reliable so far due to the code maintenance.
http://nginx.org/en/

I was thinking a certain budgeted package may be of interest, though I know it is hitting the wall and your limit:
http://www.kousec.com/orenosv/orenosp_en.html

Assisted Solution

by: arnold (earned 800 total points)
ID: 39621776
Squid is a free solution.
There is a similar configuration for Apache to function as a reverse proxy.

Given that both references include caching,
you can terminate the SSL connection on the Squid reverse proxy, which is configured to access the server behind it over https,
i.e. the data can only be observed on the proxy itself,
compared to a reverse proxy on which the SSL connection terminates and the request to the server behind it goes unencrypted (traffic can be observed on the network if someone plugs into the common switch).

Presumably, you do not want the client accessing the proxy via an insecure mode.
Author Comment

by:mashuf1976
ID: 39623669
Thanks for all of the suggestions and your time :).
I will look into Squid, Apache and the freewares.