http://daemonicdispatches.disqus.com/enWed, 09 Apr 2014 17:38:51 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-1327364495<p>And then, 5 years later we have heartbleed</p>Welton Rodrigo Torres NascimenWed, 09 Apr 2014 17:38:51 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-1327245909<p>Awesome post. This really make me love that I use LXC, and more recently Docker, to isolate specific services.</p>denibertovicWed, 09 Apr 2014 16:54:44 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-25581954<p>I've used nginx in front of apache, and nginx can do SSL and X-Real-IP or X-Forwarded-For</p><p>But what we use now is alot like what you already have. We use nginx in one jail, serving static content (images), and providing SSL, but it then passes CGI requests to a FastCGI running in a separate jail. This also makes it easy to load balance, by having more than one fastcgi jail, spread across a number of physical boxes.</p>Allan JudeFri, 11 Dec 2009 23:41:56 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-24166813<p>These sort of setups doesn't scale much beyond one or two admins who know the system intimately. It also pretty much requires you to roll your own security update processes.</p><p>What I would like to see instead is a privsep'd Apache (like OpenSSH does it), with sensitive processes separate and locked down by default.</p>JonasFri, 27 Nov 2009 04:28:23 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-17829823<p>Remind me to get you a tinfoil hat that says "Thank you".</p>madssjWed, 30 Sep 2009 03:28:44 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-17771020<p>Quite true. In my case I don't use source IP addresses for authentication purposes -- it's far too easy for that to break -- but it's certainly something people should be aware of.</p>cpercivaTue, 29 Sep 2009 10:09:13 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-17758408<p>Or, you know, like run hundreds of web applications whose functionality relies on or would be strongly crippled without sending email...</p>pgibTue, 29 Sep 2009 01:08:58 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-17746757<p>I'd reiterate the need to perform modification of X-Forwarded-For in many situations. In order to prevent session hijacking, many web apps will associate the request source IP with session identifiers. If a new IP makes a request using an existing cookie, the app can force re-authentication. By hiding the source IP address, you're significantly handicapping these types of checks. A strong understanding of your application is essential before implementing this type of security, as is proper testing of security functions afterward.</p>JohnMon, 28 Sep 2009 19:27:45 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-17746075<p>Having outbound email from web servers is good -- otherwise you can't get email from your cron jobs.</p>cpercivaMon, 28 Sep 2009 19:08:38 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-17746055<p>192.168.0.44 is a non-routable IP address which I created on a virtual interface. The nameserver is authoritative; I haven't set up AXFR.</p>cpercivaMon, 28 Sep 2009 19:07:57 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-17723593<p>I prefer not to allow outbound mail from a webserver. I allow only inbound web and SSH traffic (and the outbound half of those connections).</p>AMon, 28 Sep 2009 12:07:58 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-17722331<p>192.168.0.44 is this a virtual IP? And is your authoritative nameserver primary or secondary authoritative? thanks!</p>Prakash SMon, 28 Sep 2009 11:35:14 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-17715599<p>That too. :-)</p>cpercivaMon, 28 Sep 2009 09:53:45 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-17711324<p>"which adds significant complexity" - and a larger attack surface...</p>JonMon, 28 Sep 2009 08:42:43 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-17710926<p>There are patches for stunnel to make it insert X-Forwarded-For headers; but to do that stunnel needs to do some basic parsing of HTTP connections, which adds significant complexity -- so I'd prefer to avoid that route. You're quite right that this is an option, though.</p>cpercivaMon, 28 Sep 2009 08:20:32 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-17710516<p>If stunnel can handle X-Forwarded-For http header(s), maybe then mod_rpaf could help apache straighten out the logged ips. Ymmv.</p>warmingMon, 28 Sep 2009 07:59:13 -0000http://www.daemonology.net/blog/2009-09-28-securing-https.html#comment-17710485<p>Have you considered using a reverse proxy solution like Pound in place of stunnel? It can add/modify the X-Forwarded-For header on incoming requests, then by tweaking Apache's CustomLog format, you can have the origin IP address in your Apache logs.</p><p>By the way - great post!</p>jakinneMon, 28 Sep 2009 07:58:28 -0000