
I'm configuring a DMZ which has the following Scheme:

Internet - Server A - Security Appliance - Server B - Intranet

In this DMZ I need a proxy server for http(s) connections from the Intranet to the Internet. The problem is that all traffic should be scanned by the Security Appliance. For this I have to terminate the SSL connection at Server B, proxy it as plain http to Server A through the Security Appliance and then onward as https into the Internet. Encryption then persists between the client and Server B, and between the target server and Server A. The communication between Server A and Server B is unencrypted. I know about the security risks and that the client will see a warning about the unknown CA of Server B's certificate.

As software I want to use Apache web servers on Server A and Server B.

As a first step I tried to configure Server B so that it serves as the endpoint for the SSL encryption. So it has to establish the encryption with the client (answering HTTP CONNECT).

Listen 8443
<VirtualHost *:8443>
    # Forward proxy: clients send absolute URLs or CONNECT requests to this port
    ProxyRequests On
    ProxyPreserveHost On
    # Only permit CONNECT tunnels to port 443
    AllowCONNECT 443
    # SSL
    ErrorLog logs/ssl_error_log
    TransferLog logs/ssl_access_log
    LogLevel debug
    # Lets mod_proxy speak SSL towards backends; there is no "SSLEngine on" here,
    # so this vhost does not terminate SSL for the client itself
    SSLProxyEngine on
    # Client certificate that mod_proxy presents to backends, not a server certificate
    SSLProxyMachineCertificateFile /etc/pki/tls/certs/localhost_private_public.crt
    # Restrict use of the proxy to the intranet range (Apache 2.2 access control syntax)
    <Proxy *>
        Order deny,allow
        Deny from all
        Allow from 192.168.0.0/22
    </Proxy>
</VirtualHost>

With this proxy only the CONNECT request is passed through and an encrypted connection between the client and the target is established. Unfortunately there is no way to configure mod_proxy_connect to decrypt the SSL connection. Is there any way to accomplish that kind of proxying with Apache?

user1109542
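To make concrete what the vhost above actually decides on for an https request, here is an added example (not code from the question or from Apache): it models the CONNECT handling of that configuration, namely the client-address restriction and AllowCONNECT check that the proxy evaluates on the request line, and then shows that everything after the "200 Connection Established" reply is an opaque TLS record to any device in the path, including the security appliance. The port and subnet values are taken from the question's config; the host names and bytes are constructed.

```python
import ipaddress
import re

# Policy mirroring the vhost in the question: CONNECT only to port 443,
# only from clients in 192.168.0.0/22.
ALLOWED_CONNECT_PORTS = {443}
ALLOWED_CLIENTS = [ipaddress.ip_network("192.168.0.0/22")]

CONNECT_RE = re.compile(r"^CONNECT\s+(?P<host>[^\s:]+):(?P<port>\d+)\s+HTTP/1\.[01]$")


def evaluate_connect(request_line, client_ip):
    """Return the (status, reason) the proxy answers to a CONNECT request line.

    Only the request line and the client address are available here; the proxy
    never sees the content of the tunnel that follows a 200 reply.
    Returns None for non-CONNECT requests (handled by mod_proxy_http, not modelled).
    """
    m = CONNECT_RE.match(request_line.strip())
    if not m:
        return None
    addr = ipaddress.ip_address(client_ip)
    if not any(addr in net for net in ALLOWED_CLIENTS):
        return 403, "Forbidden"  # <Proxy *> Deny from all / Allow from intranet
    if int(m.group("port")) not in ALLOWED_CONNECT_PORTS:
        return 403, "Forbidden"  # AllowCONNECT 443
    return 200, "Connection Established"


def classify_tunnel_bytes(data):
    """Describe what a device between client and target sees once the tunnel is up.

    A TLS record begins with a content type (0x16 handshake, 0x17 application data)
    followed by a 0x03 0x0X protocol version; the payload cannot be interpreted
    without the session keys, which only the client and the target hold.
    """
    if len(data) >= 3 and data[0] in (0x16, 0x17) and data[1] == 0x03:
        kind = "handshake" if data[0] == 0x16 else "application data"
        return "TLS %s record: opaque to the appliance" % kind
    return "not a TLS record"


if __name__ == "__main__":
    # Constructed sample: a client in the allowed subnet asking for a tunnel.
    print(evaluate_connect("CONNECT www.example.com:443 HTTP/1.1", "192.168.1.10"))
    # Constructed bytes: the header of a TLS ClientHello record as the appliance sees it.
    print(classify_tunnel_bytes(bytes.fromhex("160301")))
```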

2 Answers


What you're trying to implement is an official SSL MITM proxy ("official" as opposed to attacker). I don't think Apache Httpd has the ability to do this (and re-generate a certificate with the right identity on the fly).

There are products that implement this. A quick search leads to these links:

Bruno

I came to the conclusion that it might be possible, using mod_rewrite and a virtual host which serves as a reverse proxy. The connection comes in at the forward proxy, which rewrites the URL to a virtual host (on Server B) and writes the original URL into an HTTP header. The virtual host serves as the SSL endpoint and reverse proxy and forwards the request unencrypted to Server A (through the security appliance). Server A rewrites the target URL back to the original one and forwards to it. I will try that out in the next few days and let you know whether it worked out. If not, I will consider using Squid with sslbump for this.

Thanks for the answer so far!

user1109542
  • (Perhaps you should use comments, if you're not familiar with the StackOverflow/Stackexchange format of discussion, as opposed to a forum.) – Bruno Dec 22 '11 at 13:22
  • The problem you will have, if you want to monitor access to each and every site your users want to connect to, is that you're going to have to re-generate a certificate on the fly to match each required host name (in addition to importing your own CA cert into your users's browsers). Otherwise, they'll get warnings in the browser (which they should not ignore). – Bruno Dec 22 '11 at 13:24
  • I wrote an answer instead of a comment because I thought it's some kind of answer to my question ;-) – user1109542 Dec 22 '11 at 15:38
  • If I rewrite the URL, I suppose I'll always have the same endpoint, so the same certificate will match, or do I understand that wrong? Anyway, I just got told that there are no browser clients but application clients in the Intranet, so an address mismatch wouldn't matter that much, but we are now tending to use the Squid way, as Squid is meant for this matter and is definitely the cleaner solution... – user1109542 Dec 22 '11 at 15:40
  • It's not a matter of browser vs. apps: if your client doesn't check (a) that it trusts the cert (which you can spoof officially by installing your own CA certs) and (b) that the cert is for the intended host name, it's not designed to be secure. If it's purely in the intranet and your proxy does the proper verification, it might work, but this is an awkward design. It also sounds like there are going to be issues with the names overlapping (if you rewrite them all to the same host). Not sure how you're going to rewrite with Apache: `CONNECT` is normally purely pass-through (unless MITM like Squid/SSL bump). – Bruno Dec 22 '11 at 17:31
  • Thanks a lot for clearing that up for me. I will use the Squid solution :-) – user1109542 Dec 23 '11 at 06:08