Solved

SSL Tunnel via reverse proxy

Posted on 2013-11-02
Last Modified: 2014-10-21
Hi,
We are building a reverse proxy and we want the client to have an SSL tunnel connection with the server. In other words, the client will connect to the reverse proxy and the reverse proxy will connect between the client and the server without decryption of the SSL message.

Client (SSL) -> reverse proxy (Tunnel) -> Server (and vice versa)

Searching the web I saw that IIS does not support this option (which could be an easy solution)... but maybe I missed something...? In general we are looking for a free solution which will be as simple as possible (maybe Apache or a Java proxy server if they are free).
Please advise on the subject.
Thanks in advance,
Mashuf
Question by:mashuf1976

Expert Comment

by:btan
ID: 39619840
You can create a Reverse Proxy with IIS 7 using the URL Rewrite Module 2 and the Application Request Routing Module (ARR). I didn't try it myself but the following link should be able to solve your problem:

Reverse Proxy with URL Rewrite v2 and Application Request Routing
http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing

also mentioned in this - http://forums.iis.net/t/1188569.aspx

Normally, though, Microsoft TMG (s/w) or a dedicated application delivery controller (h/w) should be preferable, as SSL offloading is better done on a separate server or appliance (which also functions as a load balancer). Doing SSL to the backend web server and SSL to the client browser (etc.) will be demanding on resources for the reverse proxy.

Author Comment

by:mashuf1976
ID: 39619881
Hi,

Thanks, but I think this does not solve the problem. I am looking for a solution in which the client connects with SSL to an internal server through an internet proxy, without decryption of the message in the proxy. The proxy should only help to establish an SSL connection between the client and the internal server (without seeing the message). IIS requires a certificate for port 443, which means the message will be decrypted before the URL rewrite is activated...

As far as I know TMG is not freeware, and we are looking for a free solution at this stage.

Perhaps there are other alternatives?

Accepted Solution

by:btan (earned 300 total points)
ID: 39620533
If you do not need to decrypt, then it is like proxying traffic as normal. You may want to take a look at Squid. It also has SSL transparent mode and MITM.
http://wiki.squid-cache.org/Features/SslBump

Assisted Solution

by:arnold (earned 200 total points)
ID: 39621279
If you need an SSL tunnel, use stunnel.
Note: a reverse proxy with a configuration where the SSL connection terminates on the proxy secures the server from a direct attack.

You want the reverse proxy to function as a pass-through.
You are not specifying a platform; here is an example discussion.
http://wiki.squid-cache.org/Features/HTTPS
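As an added illustration (not code from the thread or from any of the products mentioned), this is the pass-through idea in Python: the proxy reads the plaintext SNI field of the TLS ClientHello to choose a backend, then copies bytes in both directions, so it never holds a server certificate and never sees decrypted traffic. ROUTES, the hostname and the backend address are constructed placeholders, and build_client_hello only manufactures sample input.

```python
import socket
import threading

ROUTES = {"app.example.test": ("10.0.0.5", 443)}  # constructed SNI -> backend table (hypothetical)

def extract_sni(client_hello: bytes):
    """Return the SNI host from a raw TLS ClientHello record, or None. The ClientHello is
    plaintext by design, so only framing is parsed: nothing is decrypted, no cert is needed."""
    try:
        hs = client_hello[5:5 + int.from_bytes(client_hello[3:5], "big")]
        if client_hello[0] != 0x16 or hs[0] != 0x01:        # handshake record, ClientHello type
            return None
        pos = 4 + 2 + 32                                    # handshake header, version, random
        pos += 1 + hs[pos]                                  # session id
        pos += 2 + int.from_bytes(hs[pos:pos + 2], "big")   # cipher suites
        pos += 1 + hs[pos]                                  # compression methods
        pos, ext_end = pos + 2, pos + 2 + int.from_bytes(hs[pos:pos + 2], "big")
        while pos + 4 <= ext_end:
            ext_type = int.from_bytes(hs[pos:pos + 2], "big")
            ext_len = int.from_bytes(hs[pos + 2:pos + 4], "big")
            body = hs[pos + 4:pos + 4 + ext_len]
            if ext_type == 0 and body[2] == 0:              # server_name ext, host_name entry
                return body[5:5 + int.from_bytes(body[3:5], "big")].decode("ascii")
            pos += 4 + ext_len
    except (IndexError, UnicodeDecodeError):                # truncated or malformed: no SNI
        return None

def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello with one SNI entry (sample input for testing)."""
    sni = b"\x00" + len(host).to_bytes(2, "big") + host.encode("ascii")
    ext = b"\x00\x00" + (len(sni) + 2).to_bytes(2, "big") + len(sni).to_bytes(2, "big") + sni
    body = (b"\x03\x03" + bytes(32) + b"\x00" + b"\x00\x02\xc0\x2f" + b"\x01\x00"
            + len(ext).to_bytes(2, "big") + ext)            # version, random, sid, suites, compr
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs

def relay(client: socket.socket) -> None:
    """Pick the backend by SNI and splice the sockets; bytes are copied, never decrypted."""
    hello = client.recv(16384)
    backend = ROUTES.get(extract_sni(hello))
    if backend is None:                                     # unknown or missing SNI: refuse
        return client.close()
    upstream = socket.create_connection(backend)
    upstream.sendall(hello)                                 # replay the bytes already consumed

    def pipe(src, dst):
        while data := src.recv(65536):
            dst.sendall(data)
        dst.close()
    threading.Thread(target=pipe, args=(client, upstream), daemon=True).start()
    pipe(upstream, client)
```

A listening socket that calls relay() for each accepted connection completes the proxy. Because it never terminates TLS it also cannot inspect, cache or rewrite anything, which is the trade-off between this design and a proxy that decrypts.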

Author Comment

by:mashuf1976
ID: 39621488
Thanks Arnold, I am using the Windows Server 2008 platform.
"stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server"
It seems like stunnel is more of a wrapper than a pure tunnel...

These sites demonstrate my needs better:
1. http://pic.dhe.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=%2Fcom.ibm.websphere.edge.doc%2Fedge%2Fcp%2Fadmingd119.htm
2. http://docs.oracle.com/cd/E19575-01/821-0053/adyef/index.html

However, they are not free!
And we're looking for a free solution :)...

Perhaps any other alternatives?

Assisted Solution

by:btan (earned 300 total points)
ID: 39621524
Maybe check out Pound:
http://www.apsis.ch/pound

Assisted Solution

by:btan (earned 300 total points)
ID: 39621543
Nginx is a consideration, but the free one is really not as reliable so far due to the code maintenance.
http://nginx.org/en/

I was thinking a certain budgeted package may be of interest, though I know it is hitting the wall and your limit:
http://www.kousec.com/orenosv/orenosp_en.html

Assisted Solution

by:arnold (earned 200 total points)
ID: 39621776
Squid is a free solution.
There is a similar configuration for Apache to function as a reverse proxy.

Given that both references include caching, you can terminate the SSL connection on the Squid reverse proxy, which is configured to access the server behind it over HTTPS, i.e. the data can only be observed on the proxy itself, compared to a reverse proxy on which the SSL connection terminates and the request to the server behind it goes unencrypted (traffic can be observed on the network if someone plugs into the common switch).

Presumably, you do not want the client accessing the proxy via an insecure mode.

Author Comment

by:mashuf1976
ID: 39623669
Thanks for all of the suggestions and your time :).
I will look into Squid, Apache and the freewares.