Hello, here is the conversation with Robert I have had so far about using pound as an HTTPS -> HTTPS proxy. He asked me for the reason(s) for wanting this MITM approach.
Robert Segall <[email protected]> (Thu 09 Jul 2009 18:14:14 CEST):
> On Thu, 2009-07-09 at 10:22 +0200, Heiko Schlittermann wrote:
> > Hello Robert,
> >
> > while using pound for a while we got a new request:
> >
> > HTTPS -> POUND -> HTTPS
> >
> > The keys of the backend are installed on the POUND too. So POUND can
> > decrypt the request, check/sanitize it and then forward the request as
> > it normally does, but it should use HTTPS (for several reasons).
> >
> > We can try to get this done by using a stunnel to the backend and
> > then let pound talk to the stunnel, but from my POV it would be much
> > cleaner if POUND could establish the backend connection as HTTPS.
> >
> > Do you see any possibility to implement this? I can even try to
> > implement it by myself, so please tell me if I'm totally wrong with
> > this idea or with our demand.
>
> Personally I find this a poor idea (MITM-like), but we'll probably have
> to reconsider it for the next version. I am really curious about your
> reasons/use case...
>
> Additional questions to the mailing list please.

The backend is a Microsoft-Webaccess (at least that's what the customer told me). It's already set up as an HTTPS server and I don't want to ask them for any change (their and my limited knowledge about what to change in the MS system). I'm not sure about the application sending self-referencing URLs, not only as redirects (these I could rewrite using Pound, AFAIK), but sending links with self-referencing full URLs.

This backend is protected by a Linux firewall. Just forwarding the HTTPS port (traffic) to the backend is a poor solution, because they asked us to limit the access to a specific URL pattern.

So, my idea was the MITM approach: I got the SSL key and cert and thought to use Pound to decrypt/check/sanitize the traffic and then connect via HTTPS to the backend.

Probably squid is able to do this (needs to be compiled "--using-ssl") and probably Apache's mod_proxy could be used. Both solutions are not checked yet, since I like the lean approach of Pound compared with these two "fat" applications. (The current setup we're testing uses a stunnel connection to the backend...)

Any ideas and opinions are welcome.

Best regards from Dresden/Germany
Many greetings from Dresden

Heiko Schlittermann
--
SCHLITTERMANN.de ---------------------------- internet & unix support -
Heiko Schlittermann HS12-RIPE -----------------------------------------
gnupg encrypted messages are welcome - key ID: 48D0359B ---------------
gnupg fingerprint: 3061 CFBF 2D88 F034 E8D2 7E92 EE4E AC98 48D0 359B -
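As an added illustration (not part of the thread, and not configuration shipped by the Pound or stunnel projects), the setup Heiko describes as his current test, Pound terminating HTTPS, restricting requests to one URL pattern, and handing them to a local stunnel client that re-encrypts to the backend, looks roughly like the two fragments below. The file paths, the loopback port 8443, the backend address 192.0.2.10, the CA file and the URL pattern `^/webaccess/` are all assumed placeholders; the real pattern is whatever the customer asked to be exposed. The one point worth checking in any such deployment is the stunnel section: with `verify = 2` and a `CAfile`, stunnel authenticates the backend's certificate, whereas without it the Pound -> backend leg accepts any certificate and is itself open to interception.

```text
# /etc/pound/pound.cfg   (assumed path; Pound configuration syntax)
User        "www-data"
Group       "www-data"
LogLevel    2

ListenHTTPS
    Address 0.0.0.0
    Port    443
    # PEM file holding the backend's private key and certificate,
    # which the thread says are installed on the Pound host as well
    Cert    "/etc/pound/webaccess.pem"
    # Rewrite Location / Content-Location headers that name the backend,
    # so redirects keep pointing at this proxy
    RewriteLocation 1

    Service
        # Only requests whose path matches this regex get a backend;
        # the prefix is a placeholder for the customer's real pattern
        URL "^/webaccess/"
        BackEnd
            # Plain HTTP to the local stunnel client listener (loopback only)
            Address 127.0.0.1
            Port    8443
        End
    End
    # A request matching no Service has no backend and is refused by Pound
End

# /etc/stunnel/webaccess.conf   (assumed path; stunnel 4.x, client mode)
[webaccess]
client  = yes
accept  = 127.0.0.1:8443
connect = 192.0.2.10:443      ; backend address is a placeholder
; Verify the backend certificate against a trusted CA bundle; without this
; the re-encrypted leg trusts any certificate the far end presents
verify  = 2
CAfile  = /etc/stunnel/backend-ca.pem
```

Both files belong on the Pound host; Pound speaks plain HTTP only to 127.0.0.1:8443, so nothing leaves the box unencrypted, and the URL filter is enforced before the request is re-encrypted.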
