
Mailing List Archive: Apache: Users

transparent proxy support in Apache?

 

 



Jason.Haar at trimble

Aug 1, 2007, 11:36 AM

Post #1 of 5 (192 views)
transparent proxy support in Apache?

Hi there

I'm making a WAF (Web Application Firewall) based around Linux/Apache
and mod_security, and as part of the design, thought that making it a
transparent (reverse) proxy would be a good move from a disaster
recovery perspective (i.e. if it blew up you could just wire around it
and the backends would still be available).

Anyway, I did some quick tests with Apache (2.2.4) and found that it
really has no transparent proxy support? I can get the iptables rules in
place to redirect traffic meant for other servers to terminate on it -
but Apache reads them all as connections to itself - i.e. the
VirtualHosts don't kick in correctly.

Also, the WAF would primarily be used to protect HTTPS sites. Now I know
"you can't transparently proxy HTTPS" is the mantra - but that's not
quite true from what I know. I mean this would be an "official" WAF - so
it would have copies of the server certs used on the real backends - so
it could actually do a successful "man-in-the-middle". But again it
relies on Apache to be able to glean information about the real
destination IP addresses so that it could map connections through to the
real backend server. I guess Apache would need a "VirtualListen" option...

I've done this successfully with Squid as a normal proxy, but I really
need the funky features of Apache as a reverse-proxy - but I want
transparency too...

Is it doable? Thanks!

--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe [at] httpd
" from the digest: users-digest-unsubscribe [at] httpd
For additional commands, e-mail: users-help [at] httpd


noodlet at gmail

Aug 1, 2007, 11:02 PM

Post #2 of 5 (170 views)
Re: transparent proxy support in Apache?

This question is somewhat out of my area, but let's have a go..

On 02/08/07, Jason Haar <Jason.Haar [at] trimble> wrote:
> Hi there
>
> I'm making a WAF (Web Application Firewall) based around Linux/Apache
> and mod_security, and as part of the design, thought that making it a
> transparent (reverse) proxy would be a good move from a disaster
> recovery perspective (i.e. if it blew up you could just wire around it
> and the backends would still be available).

I'm a bit confused by your terminology. From what I understand a
transparent proxy is the kind which is put in front of clients by
dodgy ISPs (such as my own) to perform things like caching and
nanny-filtering, without having to properly configure a proxy in the
user's browser. As such, it lives closest to the client and knows
nothing of specific sites. This kind of proxy is a misuse of http and
not directly supported by apache (though I gather it is possible with
a series of network level hacks).

A reverse proxy OTOH sits in front of one or several origin servers
and can perform operations like load balancing, http acceleration and
security filtering. This kind of proxy is supported directly by
mod_proxy using the ProxyPass directive and friends.

There's a third kind, your common or garden forward proxy, supported
by apache using ProxyRequests and friends, but I don't think you mean
that.

Which do you mean? Any of those?

>
> Anyway, I did some quick tests with Apache (2.2.4) and found that it
> really has no transparent proxy support? I can get the iptables rules in
> place to redirect traffic meant for other servers to terminate on it -
> but Apache reads them all as connections to itself - i.e. the
> VirtualHosts don't kick in correctly.

Again I'm not sure what topography you're referring to. If it's a
reverse proxy, then yes apache should expect the request to be
directed at itself. Transparent (or interception) proxies are meant to
be hidden from the user and the server, but of course aren't because
they mask things like connection and DNS errors.

> Also, the WAF would primarily be used to protect HTTPS sites. Now I know
> "you can't transparently proxy HTTPS" is the mantra - but that's not
> quite true from what I know. I mean this would be an "official" WAF - so
> it would have copies of the server certs used on the real backends - so
> it could actually do a successful "man-in-the-middle". But again it
> relies on Apache to be able to glean information about the real
> destination IP addresses so that it could map connections through to the
> real backend server. I guess Apache would need a "VirtualListen" option...

When it comes to reverse proxying https, then yes the server needs the
certificates of the backend sites (and enough IP addresses to be able
to host them all without CN conflicts). The tricky part is deciding if
you then need to re-encrypt the requests to the backends; generally
there's no point, but if your backends are expecting https requests
then you'll have to swallow that waste of cpu time.

There's also a question of how apache will know which of the backend
servers to send the request to, assuming there's a bunch of different
sites. In a normal reverse proxy situation you can use mod_rewrite to
construct the proxy url including the whole or part of the original
Host: header. However because you need to host several https sites on
a single server, you're going to need several ip/port combinations
with their own vhosts anyway, so you can use ProxyPass with the
correct host name (or, depending on how you're arranging your DNS,
using ProxyPass with the IP address of the backend along with the
ProxyPreserveHost directive set).

> I've done this successfully with Squid as a normal proxy, but I really
> need the funky features of Apache as a reverse-proxy - but I want
> transparency too...
>
> Is it doable? Thanks!

It sounds to me like your config is trying to be too clever, but then
I'm probably missing the point :-)

--
noodl



Jason.Haar at trimble

Aug 1, 2007, 11:51 PM

Post #3 of 5 (173 views)
Re: transparent proxy support in Apache?

Vincent Bray wrote:
> I'm a bit confused by your terminology. From what I understand a
> transparent proxy is the kind which is put in front of clients by
> dodgy ISPs (such as my own) to perform things like caching and
> nanny-filtering, without having to properly configure a proxy in the
> user's browser.

Yup - that's a transparent *forwarding* proxy.

> Again I'm not sure what topography you're referring to. If it's a
> reverse proxy, then yes apache should expect the request to be
> directed at itself. Transparent (or interception) proxies are meant to
> be hidden from the user and the server, but of course aren't because
> they mask things like connection and DNS errors.
>

Many commercial WAFs offer this - they call it "bridge mode". Basically
it means you can plug it in front of your backend servers (after it's
appropriately configured of course) and it will transparently intercept
all HTTP and HTTPS traffic meant for the backend servers - and then only
forward the sanitized queries to them.

They normally have one of those network cards that basically cause the
box to become a wire on failure - one form of DR. Nice thing is it
requires no network topology changes to operate.

> ... you're going to need several ip/port combinations
> with their own vhosts anyway, so you can use ProxyPass with the
> correct host name (or, depending on how you're arranging your DNS,
> using ProxyPass with the IP address of the backend along with the
> ProxyPreserveHost directive set).
>
>

Yup - been there done that :-) That all works fine - but it means your
WAF becomes the single point of failure - as all clients terminate on
it. So you need to look at HA options (e.g. heartbeat) to remediate.

> It sounds to me like your config is trying to be too clever, but then
> I'm probably missing the point :-)
>
Nope - I think I am trying to be too clever :-)

In the past 24 hours I've come back to the more standard RP option. The
problem with "transparent/bridging" is that the WAF basically has to be
directly in front of the servers to protect. But what if you've got
multiple DMZes/etc? Unless you're willing to put it right out in front
of your Internet edge, you are probably looking at needing multiple
WAFs, or reorganizing your network anyway. And the DR of becoming a wire
isn't really DR - I mean you've just lost a security device.

So ignore me - I'm back on track with the more standard Apache reverse
proxy model - with heartbeat :-)


--
Cheers

Jason Haar
Information Security Manager, Trimble Navigation Ltd.
Phone: +64 3 9635 377 Fax: +64 3 9635 417
PGP Fingerprint: 7A2E 0407 C9A6 CAF6 2B9F 8422 C063 5EBB FE1D 66D1




uhlar at fantomas

Aug 30, 2007, 9:11 AM

Post #4 of 5 (134 views)
Re: transparent proxy support in Apache?

> Vincent Bray wrote:
> > I'm a bit confused by your terminology. From what I understand a
> > transparent proxy is the kind which is put in front of clients by
> > dodgy ISPs (such as my own) to perform things like caching and
> > nanny-filtering, without having to properly configure a proxy in the
> > user's browser.

On 02.08.07 18:51, Jason Haar wrote:
> Yup - that's a transparent *forwarding* proxy.

no, it's an *intercepting* proxy. Looking at RFC 2616, the transparent proxy
is defined this way:

A "transparent proxy" is a proxy that does not modify the request or
response beyond what is required for proxy authentication and
identification. A "non-transparent proxy" is a proxy that modifies
the request or response in order to provide some added service to
the user agent, such as group annotation services, media type
transformation, protocol reduction, or anonymity filtering.

I know that many people call an intercepting proxy a "transparent" proxy, but
that's incorrect.

... we are talking about HTTP protocol, aren't we?

--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
REALITY.SYS corrupted. Press any key to reboot Universe.



uhlar at fantomas

Aug 30, 2007, 9:17 AM

Post #5 of 5 (132 views)
Re: transparent proxy support in Apache?

On 02.08.07 06:36, Jason Haar wrote:
> I'm making a WAF (Web Application Firewall) based around Linux/Apache
> and mod_security, and as part of the design, thought that making it a
> transparent (reverse) proxy would be a good move from a disaster
> recovery perspective (i.e. if it blew up you could just wire around it
> and the backends would still be available).

replacing one SPOF (the webserver) by another SPOF (proxy) is usually not
very efficient.

And while you are talking about a "transparent" proxy, this term is defined
elsewhere in a different way than you think.

The reverse proxy doesn't have to be intercepting and apache does this
easily.

The intercepting proxy has no meaning for reverse proxy and apache does not
support this. And I don't think it ever will.

> Also, the WAF would primarily be used to protect HTTPS sites. Now I know
> "you can't transparently proxy HTTPS"

you can't efficiently proxy HTTPS. You can do reverse proxy, listening on
HTTPS, connecting via HTTP, and this will work well unless your webservers
need to play with client certificates, and it will be safe unless you have
unsafe network between proxies and servers.

> I've done this successfully with Squid as a normal proxy, but I really
> need the funky features of Apache as a reverse-proxy - but I want
> transparency too...

first you should make clear what you really want and need...
squid can do intercepting, reverse proxy and SSL accelerator, but for
modifying content you still need at least an ICAP patch and some ICAP
server...
--
Matus UHLAR - fantomas, uhlar [at] fantomas ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"Where do you want to go to die?" [Microsoft]

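The standard reverse-proxy arrangement noodl describes (one IP/port and vhost per HTTPS site, ProxyPass by backend hostname or by IP plus ProxyPreserveHost, and mod_rewrite routing on the Host: header) combined with Matus's "listen on HTTPS, connect via HTTP" model, as an added Apache httpd configuration that is not from the thread or any poster. All hostnames, addresses and file paths are assumed placeholders.

```apache
# Added example, not from the thread. Placeholder names, addresses and paths.
# Two HTTPS sites terminate on the WAF, each on its own IP so the certificate
# presented matches the site name, then go to the backends as plain HTTP.
Listen 192.0.2.10:443
Listen 192.0.2.11:443

# Site A: backend reached by its own hostname; Host: is rewritten to match it.
<VirtualHost 192.0.2.10:443>
    ServerName www.example-a.test
    SSLEngine on
    # Copies of the certificate and key the real backend serves
    SSLCertificateFile    /etc/ssl/waf/example-a.crt
    SSLCertificateKeyFile /etc/ssl/waf/example-a.key
    ProxyRequests Off          # reverse proxy only, never an open forward proxy
    ProxyPass        / http://backend-a.internal.test/
    ProxyPassReverse / http://backend-a.internal.test/
</VirtualHost>

# Site B: backend addressed by IP, so the client's Host: header must be kept
# for the backend's own name-based vhost to match.
<VirtualHost 192.0.2.11:443>
    ServerName www.example-b.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/waf/example-b.crt
    SSLCertificateKeyFile /etc/ssl/waf/example-b.key
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass        / http://10.0.0.12/
    ProxyPassReverse / http://10.0.0.12/
</VirtualHost>

# Plain HTTP front end: a single vhost picks the backend from the Host: header
# with mod_rewrite, keeps that header, and refuses any host the WAF does not
# protect with a 403 instead of proxying it.
Listen 192.0.2.10:80
<VirtualHost 192.0.2.10:80>
    ServerName www.example-a.test
    ServerAlias www.example-b.test
    ProxyRequests Off
    ProxyPreserveHost On
    RewriteEngine On
    RewriteCond %{HTTP_HOST} ^www\.example-([ab])\.test$ [NC]
    RewriteRule ^/(.*)$ http://backend-%1.internal.test/$1 [P,L]
    RewriteRule ^ - [F]
</VirtualHost>
```

The proxy-to-backend hop is plaintext, so this only holds on the trusted network Matus assumes; re-encrypting with SSLProxyEngine On and https:// targets is the CPU-costing alternative noodl mentions.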
