Solved

SSL Tunnel via reverse proxy

Posted on 2013-11-02
Last Modified: 2014-10-21
Hi,
We are building a reverse proxy and we want the client to have an SSL tunnel connection with the server. In other words, the client will connect to the reverse proxy and the reverse proxy will connect between the client and the server without decryption of the SSL message.

Client (SSL) -> reverse proxy (Tunnel) -> Server (and vice versa)

Searching the web I saw that IIS does not support this option (which could be an easy solution)... but maybe I missed something...? In general we are looking for a free solution which will be as simple as possible (maybe Apache or a Java proxy server, if they are free).
Please advise on the subject.
Thanks in advance,
Mashuf
Question by:mashuf1976
11 Comments
 

Expert Comment

by:btan
ID: 39619840
You can create a Reverse Proxy with IIS 7 using the URL Rewrite Module 2 and the Application Request Routing Module (ARR). I didn't try it myself but the following link should be able to solve your problem:

Reverse Proxy with URL Rewrite v2 and Application Request Routing
http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing

Also mentioned in this thread: http://forums.iis.net/t/1188569.aspx

But normally a Microsoft TMG (s/w) or a specific application delivery controller (h/w) should be preferable, as SSL offloading is better dedicated to another server or a better appliance (which also functions as a load balancer). Doing SSL to the backend web server and SSL to the client browser (etc.) will be demanding in resources for the reverse proxy.

Author Comment

by:mashuf1976
ID: 39619881
Hi,

Thanks, but I think this does not solve the problem. I am looking for a solution in which the client connects with SSL to an internal server through an internet proxy, without decryption of the message in the proxy. The proxy should only help to establish an SSL connection between the client and the internal server (without seeing the message). IIS requires a certificate for port 443, which means the message will be decrypted before the URL rewrite is activated...

As far as I know TMG is not freeware, and we are looking for a free solution at this stage.

Perhaps there are other alternatives?

Accepted Solution

by:
btan earned 300 total points
ID: 39620533
If you do not need to decrypt, then it is like proxying traffic as per normal. You may want to take a look at Squid. It also has transparent SSL and MITM:
http://wiki.squid-cache.org/Features/SslBump
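What the pass-through in the question amounts to on the wire, as an added example that is not from this thread nor from Squid, stunnel or any other product named here: a small TCP relay that reads only the cleartext server_name (SNI) field of the client's hello to pick a backend, then copies bytes in both directions without holding any certificate or key. The routing table, the backend address 10.0.0.5 and the host name app.internal.example are assumptions; build_client_hello only constructs a sample hello so the parser can be exercised offline.

```python
import socket
import struct
import threading

BACKENDS = {"app.internal.example": ("10.0.0.5", 443)}   # hypothetical SNI -> backend table; no keys held here

def build_client_hello(host: bytes) -> bytes:             # constructed sample: TLS 1.2 ClientHello carrying SNI
    sni = b"\x00" + struct.pack("!H", len(host)) + host   # name_type 0 = host_name
    sni = struct.pack("!H", len(sni)) + sni               # server_name_list
    ext = struct.pack("!HH", 0, len(sni)) + sni           # extension type 0 = server_name
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + struct.pack("!H", len(ext)) + ext)          # version, random, sid, suites, compression, extensions
    hs = b"\x01" + struct.pack("!I", len(body))[1:] + body    # handshake type 1 = client_hello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs  # record type 22 = handshake

def extract_sni(data: bytes):                             # SNI name from a ClientHello, or None; decrypts nothing
    try:
        if data[0] != 0x16 or data[5] != 0x01:            # not a TLS handshake record / not a ClientHello
            return None
        pos = 44 + data[43]                               # record(5)+hs hdr(4)+version(2)+random(32), skip session id
        pos += 2 + struct.unpack("!H", data[pos:pos + 2])[0]   # skip cipher suites
        pos += 1 + data[pos]                              # skip compression methods
        ext_end = pos + 2 + struct.unpack("!H", data[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", data[pos:pos + 4])
            if etype == 0:                                # server_name: list len(2), name_type(1), name len(2), name
                name_len = struct.unpack("!H", data[pos + 7:pos + 9])[0]
                return data[pos + 9:pos + 9 + name_len].decode("ascii", "replace")
            pos += 4 + elen
    except (IndexError, struct.error):                    # truncated or malformed hello
        return None

def pipe(src, dst):                                       # one-way byte copy; the payload stays encrypted end to end
    with dst:
        while chunk := src.recv(65536):
            dst.sendall(chunk)

def handle(client):
    with client:
        first = client.recv(65536)                        # the ClientHello is the first thing the client sends
        target = BACKENDS.get(extract_sni(first))
        if target is None:                                # absent or unknown SNI: refuse rather than guess a backend
            return
        upstream = socket.create_connection(target)
        upstream.sendall(first)                           # forward the hello byte for byte, then relay both ways
        threading.Thread(target=pipe, args=(client, upstream), daemon=True).start()
        pipe(upstream, client)

def serve(bind=("0.0.0.0", 443)):                         # accept loop: one relay thread per client connection
    with socket.create_server(bind) as srv:
        while True:
            threading.Thread(target=handle, args=(srv.accept()[0],), daemon=True).start()
```

Because nothing is decrypted, the relay cannot inspect, filter or log request content; that is the trade-off against the terminating configurations discussed later in the thread.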

Assisted Solution

by:arnold
arnold earned 200 total points
ID: 39621279
If you need an SSL tunnel, use stunnel.
Note: a reverse proxy with a configuration where the SSL connection terminates on the proxy secures the server from a direct attack.

You want the reverse proxy to function as a pass through.
You are not specifying a platform; here is an example discussion:
http://wiki.squid-cache.org/Features/HTTPS

Author Comment

by:mashuf1976
ID: 39621488
Thanks Arnold, I am using the Windows Server 2008 platform.
"stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server"
It seems like stunnel is more of a wrapper than a pure tunnel...

These sites better demonstrate my needs:
1. http://pic.dhe.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=%2Fcom.ibm.websphere.edge.doc%2Fedge%2Fcp%2Fadmingd119.htm
2. http://docs.oracle.com/cd/E19575-01/821-0053/adyef/index.html

However, they are not free!
And we're looking for a free solution :)...

Perhaps any other alternatives?

Assisted Solution

by:btan
btan earned 300 total points
ID: 39621524
Maybe check out Pound:
http://www.apsis.ch/pound

Assisted Solution

by:btan
btan earned 300 total points
ID: 39621543
Nginx is another consideration, but the free one is really not as reliable so far due to the code maintenance:
http://nginx.org/en/

I was thinking a certain budgeted package may be of interest, though I know it is hitting the wall and your limit:
http://www.kousec.com/orenosv/orenosp_en.html

Assisted Solution

by:arnold
arnold earned 200 total points
ID: 39621776
Squid is a free solution.
There is a similar configuration for Apache to function as a reverse proxy.

Given that both references include caching, you can terminate the SSL connection on the Squid reverse proxy, which is configured to access the server behind it over HTTPS, i.e. the data can only be observed on the proxy itself, compared to a reverse proxy on which the SSL connection terminates and the request to the server behind it goes unencrypted (traffic can be observed on the network if someone plugs into the common switch).

Presumably, you do not want the client accessing the proxy via an insecure mode.

Author Comment

by:mashuf1976
ID: 39623669
Thanks for all of the suggestions and your time :).
I will look into Squid, Apache and the freeware options.