  • Status: Solved

SSL Tunnel via reverse proxy

Hi,
We are building a reverse proxy and we want the client to have an SSL tunnel connection with the server. In other words, the client will connect to the reverse proxy, and the reverse proxy will connect the client to the server without decrypting the SSL message.

Client (SSL) -> reverse proxy (Tunnel) -> Server (and vice versa)

Searching the web, I saw that IIS does not support this option (which could be an easy solution)... but maybe I missed something? In general we are looking for a free solution which will be as simple as possible (maybe Apache or a Java proxy server, if they are free).
Please advise on the subject.
Thanks in advance,
Mashuf
Asked by mashuf1976
5 Solutions
 
btan (Exec Consultant) commented:
You can create a Reverse Proxy with IIS 7 using the URL Rewrite Module 2 and the Application Request Routing Module (ARR). I didn't try it myself but the following link should be able to solve your problem:

Reverse Proxy with URL Rewrite v2 and Application Request Routing
http://www.iis.net/learn/extensions/url-rewrite-module/reverse-proxy-with-url-rewrite-v2-and-application-request-routing

also mentioned in this - http://forums.iis.net/t/1188569.aspx

but normally any Microsoft TMG (s/w) or a specific application delivery controller (h/w) should be preferable, as SSL offloading will be better dedicated to another server and a better appliance (which can also function as a load balancer). Doing SSL to the backend web server and SSL to the client browser (etc.) will be demanding on resources for the reverse proxy.
 
mashuf1976 (Author) commented:
Hi,

thanks, but I think this does not solve the problem. I am looking for a solution in which the client connects with SSL to an internal server through an internet proxy, without decryption of the message in the proxy. The proxy should only help to establish an SSL connection between the client and the internal server (without seeing the message). IIS requires a certificate for port 443, which means the message will be decrypted before the URL rewrite is activated...

As far as I know TMG is not a freeware, and we are looking for a free solution at this stage.

Perhaps there are other alternatives?
 
btan (Exec Consultant) commented:
If you do not need to decrypt, then it is like proxying traffic as normal. You may want to take a look at squid. It also has SSL transparent and MITM modes.
http://wiki.squid-cache.org/Features/SslBump
 
arnold commented:
If you need an SSL tunnel, use stunnel.
Not a reverse proxy with a configuration where the SSL connection terminates on the proxy secures the server from a direct attack.

You want the reverse proxy to function as a pass through.
You are not specifying a platform, here is an example, discussion.
http://wiki.squid-cache.org/Features/HTTPS
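What "pass through" means in practice for the tunnel the question asks for: the only plaintext a proxy can see before the TLS session is established is the ClientHello, and it carries the requested host name (SNI). A TCP-level proxy can read that one record, pick the backend from it, and then relay bytes in both directions without ever holding a key, so the certificate the client validates is the internal server's own and the proxy cannot read or rewrite the HTTP inside. The following is an added illustration written for this page, not code from the thread or from squid, stunnel, IIS or any other product named here. The host names, backend addresses and the cipher suite in the constructed test ClientHello are assumptions; the limitations it carries are the real ones for this model: no URL rewriting is possible, routing can only be by host name, and clients that send no SNI (or an unknown one) have to be refused.

```python
import asyncio
import struct

# Hypothetical SNI -> backend table (assumed names and addresses). Nothing here is
# decrypted: the proxy reads only the plaintext ClientHello to pick a target and
# then relays every byte verbatim, so TLS is negotiated end to end.
BACKENDS = {
    "app.example.internal": ("10.0.0.10", 443),
    "api.example.internal": ("10.0.0.11", 443),
}

def extract_sni(data: bytes):
    """Host name from a TLS ClientHello's SNI extension, or None if absent/unparseable."""
    try:
        if data[0] != 0x16:                                    # 0x16 = handshake record
            return None
        rec_len = struct.unpack("!H", data[3:5])[0]
        body = data[5:5 + rec_len]
        if len(body) < rec_len or body[0] != 0x01:             # truncated, or not ClientHello
            return None
        hs_len = int.from_bytes(body[1:4], "big")
        hello = body[4:4 + hs_len]
        if len(hello) < hs_len:
            return None
        pos = 2 + 32                                           # client_version + random
        pos += 1 + hello[pos]                                  # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]  # cipher_suites
        pos += 1 + hello[pos]                                  # compression_methods
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        if end > len(hello):
            return None
        while pos + 4 <= end:
            ext_type, ext_size = struct.unpack("!HH", hello[pos:pos + 4])
            ext, pos = hello[pos + 4:pos + 4 + ext_size], pos + 4 + ext_size
            if ext_type != 0x0000:                             # 0x0000 = server_name
                continue
            p = 2                                              # skip server_name_list length
            while p + 3 <= len(ext):
                name_type = ext[p]
                name_len = struct.unpack("!H", ext[p + 1:p + 3])[0]
                p += 3
                if name_type == 0 and p + name_len <= len(ext):  # 0 = host_name
                    return ext[p:p + name_len].decode("ascii", "replace")
                p += name_len
        return None
    except (IndexError, struct.error):                         # malformed or too short
        return None

def choose_backend(first_bytes: bytes):
    """Backend (host, port) for the SNI in a ClientHello, or None if unroutable."""
    sni = extract_sni(first_bytes)
    return BACKENDS.get(sni) if sni else None

def build_client_hello(host: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello with SNI, used only as test input."""
    name = host.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name      # host_name entry
    sni_list = struct.pack("!H", len(entry)) + entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"               # version, random, no session id
            + b"\x00\x02\xc0\x2f"                              # one cipher suite (assumed)
            + b"\x01\x00"                                      # null compression only
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

async def _read_first_record(reader):
    # Read one whole TLS record so the ClientHello is complete before routing.
    try:
        head = await reader.readexactly(5)
        if head[0] != 0x16:
            return head
        return head + await reader.readexactly(struct.unpack("!H", head[3:5])[0])
    except asyncio.IncompleteReadError as e:
        return e.partial

async def _pipe(reader, writer):
    try:
        while chunk := await reader.read(65536):
            writer.write(chunk)
            await writer.drain()
    finally:
        writer.close()

async def handle(client_r, client_w):
    first = await _read_first_record(client_r)
    target = choose_backend(first)
    if target is None:                                         # no/unknown SNI: refuse
        client_w.close()
        return
    srv_r, srv_w = await asyncio.open_connection(*target)
    srv_w.write(first)                                         # ClientHello forwarded unchanged
    await srv_w.drain()
    await asyncio.gather(_pipe(client_r, srv_w), _pipe(srv_r, client_w))

if __name__ == "__main__":
    async def main():
        server = await asyncio.start_server(handle, "0.0.0.0", 443)
        async with server:
            await server.serve_forever()
    asyncio.run(main())
```

Because the proxy never terminates TLS, the internal server must itself present a certificate the client trusts for the name it requested, and anything that needs the HTTP layer (URL rewriting, header injection, caching) is off the table; that is the trade-off between this design and the terminate-and-re-encrypt setup discussed later in the thread.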
 
mashuf1976 (Author) commented:
Thanks Arnold, I am using windows server 2008 platform .
"stunnel program is designed to work as an SSL encryption wrapper between remote client and local (inetd-startable) or remote server"
it seems like stunnel is more of a wrapper than a pure tunnel...

These sites demonstrate my needs better:
1.
http://pic.dhe.ibm.com/infocenter/wasinfo/v6r1/index.jsp?topic=%2Fcom.ibm.websphere.edge.doc%2Fedge%2Fcp%2Fadmingd119.htm
2.
http://docs.oracle.com/cd/E19575-01/821-0053/adyef/index.html

However - they are not free!
and we're looking for a free solution :)...

perhaps any other alternatives?
 
btan (Exec Consultant) commented:
Maybe check out pound..
http://www.apsis.ch/pound
 
btan (Exec Consultant) commented:
Nginx is another consideration, but the free one is really not as reliable so far due to the code maintenance
http://nginx.org/en/

I was thinking if certain budgeted package may be of interest though I know it is hitting the wall and your limit
http://www.kousec.com/orenosv/orenosp_en.html
 
arnold commented:
squid is a free solution.
There is a similar configuration for apache to function as a reverse proxy,

Given that both references include caching,
you can terminate the SSL connection on the squid reverse proxy, which is configured to access the server behind it over https,
i.e. the data can only be observed on the proxy itself,
compared to a reverse proxy on which the SSL connection terminates and the request to the server behind it goes unencrypted (traffic can be observed on the network if someone plugs into the common switch).

Presumably, you do not want the client accessing the proxy via an insecure mode.
 
mashuf1976 (Author) commented:
Thanks for all of the suggestions and your time :).
I will look into squid, apache and the freeware options.
