Secure traffic on reverse proxy and ShibUseHeaders

Paul Beckett (ITCS) P.Beckett at
Mon Nov 26 12:06:10 EST 2012

I am setting up a Web Application Firewall, based upon Apache 2.4 and mod_security. This will act as a reverse proxy for a number of Tomcat (and other) services, some of which are authenticated by the Shibboleth SP 2.5 (with a couple of patches for Apache 2.4).

The page contents of some sections / sites are sensitive, and would be running over https between the client and Apache. I do not trust the security of the network connection between the Apache WAF and backend service (Tomcat etc.).

It seems to me if I want to authenticate a user in Apache, and pass the username to the application I have three options:

1) Environment variable, with AJP connector (no encryption)

2) Environment variable, with AJP connector, using SSL tunnel

3) Header, with mod_http connector using https

If I've missed any better options, I would be delighted to hear about them. But of these options:

1) No encryption is a big concern

2) The extra complexity of an SSL tunnel and managing this for a *lot* of different services seems like a major management overhead and something else to go wrong

3) Would seem preferable but concerned about the spoofing issues:

The wiki page suggests the Shib SP has some spoof protection, but still recommends against using headers. Is it possible to say how significant the risk is? Are there any known ways to currently overcome the Shib SP's spoof protection?

Any other thoughts, comments or advice on the subject would be very welcome.

