To answer your first question:
I did modify a mod_ssl (2.6.3), mod_proxy-enabled Apache Web Server (1.3.12)
to intercept HTTPS requests. It worked by intercepting CONNECT requests and
then performing the SSL handshaking and proxying the request. It turned out
to be a pretty trivial code change, SO FAR. The project was cancelled before
extensive testing and before any filtering code was added. As you know,
intercepting the requests causes certificate warnings.
My code changes are not at all ready for distribution. Essentially, all I
did was "proof of concept". If you configured your browser to use my web
server as your HTTPS proxy, it would intercept it, send you a certificate
warning and then proxy your request (via HTTPS). I haven't given a great
deal of thought to where and how I'd implement filtering, but I think that
given that I intercept CONNECT requests, I'd have to do all the filtering
and processing in the proxy connect handler. Other filtering modules
wouldn't get a chance at it. There are probably ways around this, and I
think that one could intercept the request earlier, change it, and let
Apache handle it like any other proxy request, I just didn't do it that way
in this instance.
If you want more details, I'll try to dig up my code and refresh my memory.
Philosophical Thoughts Follow:
I'm sure there are those who hold strong opinions toward this type of
"man-in-the-middle" hack and can add to my list of pros and cons. But, yes,
you can do this. Our project had in mind protecting our internal network by
filtering out "dangerous" content while allowing our users to surf any site.
(Currently we manually control what HTTPS sites are opened through our
proxy.)
The cons are:
1) You train your users to ignore certificate warnings. (although I'll admit
to considering hacking our corporate browsers to stop that as well)
2) You open yourself up to potential liability issues (i.e. if your users
access their bank accounts and then claim a change was made that they didn't
do, who did it? Your administrators have access to some pretty sensitive
information).
3) You now have code that you have to update and modify yourself.
4) And, plainly: is this the RIGHT thing to do?
The pros are:
1) I'm sure you have your own reasons.
Our project was cancelled because of resource issues, but I think it will be
back. Furthermore, I'm sure if I don't do it here someone somewhere else
will do it. Maybe you?
Deb
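The intercept point Deb describes is the proxy's CONNECT handler: before any SSL handshake with the browser happens, the proxy has to parse the `CONNECT host:port` line and decide whether to open a tunnel at all. The example below is added here and is not Deb's mod_ssl/mod_proxy patch or any Apache code; it shows, in plain Python, what that handler must check before handing off to the handshake, and it enforces the kind of per-site HTTPS allowlist Deb says is currently maintained by hand. The allowlisted host names, the sample request bytes and the `ALLOWED_PORTS` policy are all constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed policy for this example (not from the thread): the HTTPS
# destinations the proxy will tunnel, standing in for the manually maintained
# list of permitted HTTPS sites the reply mentions. Restricting CONNECT to
# port 443 also stops the proxy being used as a generic TCP relay.
ALLOWED_HOSTS = {"www.example.com", "support.example.net"}
ALLOWED_PORTS = {443}

# CONNECT uses the authority form: host:port, with IPv6 literals in brackets.
_AUTHORITY = re.compile(
    r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9.-]+):(?P<port>\d{1,5})$"
)


@dataclass
class ConnectRequest:
    host: str
    port: int
    version: str
    headers: dict = field(default_factory=dict)


class ConnectError(ValueError):
    """Raised when the request is not a well-formed CONNECT."""


def parse_connect(raw: bytes) -> ConnectRequest:
    """Parse the request head (up to the blank line) of a CONNECT request."""
    head, sep, _ = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ConnectError("incomplete request head")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or parts[0] != "CONNECT" or not parts[2].startswith("HTTP/1."):
        raise ConnectError("not a CONNECT request line")
    m = _AUTHORITY.match(parts[1])
    if m is None:
        raise ConnectError("target must be host:port")
    port = int(m.group("port"))
    if not 0 < port < 65536:
        raise ConnectError("port out of range")
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            raise ConnectError("malformed header line")
        headers[name.strip().lower()] = value.strip()
    return ConnectRequest(m.group("host").strip("[]").lower(), port, parts[2], headers)


def tunnel_allowed(req: ConnectRequest) -> bool:
    """Policy check: only tunnel to known hosts on the HTTPS port."""
    return req.port in ALLOWED_PORTS and req.host in ALLOWED_HOSTS


def handle_connect(raw: bytes) -> bytes:
    """Return the proxy's response to a CONNECT request.

    200 is the point at which Deb's patch would go on to run the SSL handshake
    with the client and open the upstream connection; any other status refuses
    the tunnel before a handshake ever happens.
    """
    try:
        req = parse_connect(raw)
    except ConnectError:
        return b"HTTP/1.0 400 Bad Request\r\n\r\n"
    if not tunnel_allowed(req):
        return b"HTTP/1.0 403 Forbidden\r\n\r\n"
    return b"HTTP/1.0 200 Connection Established\r\n\r\n"


# Constructed sample requests, as a browser configured to use the proxy sends them.
GOOD = b"CONNECT www.example.com:443 HTTP/1.0\r\nHost: www.example.com:443\r\n\r\n"
BAD_PORT = b"CONNECT www.example.com:25 HTTP/1.0\r\n\r\n"
UNKNOWN_HOST = b"CONNECT other.example.org:443 HTTP/1.0\r\n\r\n"
NOT_CONNECT = b"GET / HTTP/1.0\r\n\r\n"

if __name__ == "__main__":
    for sample in (GOOD, BAD_PORT, UNKNOWN_HOST, NOT_CONNECT):
        print(sample.split(b"\r\n")[0], b"->", handle_connect(sample).split(b"\r\n")[0])
```

Because the handler answers before any TLS is negotiated, a refused CONNECT never produces the certificate warning Deb mentions; only tunnels the policy accepts reach the handshake where the proxy's own certificate is presented to the browser.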
-----Original Message-----
From: Scott Miles [mailto:[EMAIL PROTECTED]]
Sent: September 14, 2000 9:01 PM
To: [EMAIL PROTECTED]
Subject: filtering SSL proxy?
This may sound like a strange request (and a kludge), but I need to find a
way to perform in-transit authentication and filtering based on the content
of SSL requests, along with potential dynamic modification of the SSL
request. Could modssl be used as a basis to create a type of filtering SSL
proxy? Basically I have two questions:
- Would it be possible (and even better, does anyone know if this has
already been done somewhere) to use modssl to encrypt/decrypt SSL proxy
requests so that filtering can be performed on the content? I do realize
that this would trigger browser alerts for certificate mismatches.
- Is it possible to use apache-modssl as a transparent proxy/firewall, such
that it transparently filters all connections to port 443 and proxies them?
This isn't critical, as browsers could be reconfigured to specifically point
to the proxy, but it would be helpful.
I would appreciate any comments on the level of effort it might take to
modify modssl in this way, or if there is any other code package that may be
more suited to do this type of work.
For those interested (and I'm sure some are), the intent here is to provide
access to various 3rd party web services where our support personnel need to
enter customer account numbers. Rather than have our staff handle account
numbers, we'd like to be able to let them use virtual account ids that are
dynamically replaced with the customer's actual account numbers when
transacting with the destination web site.
Thanks
Scott
[EMAIL PROTECTED]
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]