Secure traffic on reverse proxy and ShibUseHeaders
Paul Beckett (ITCS)
P.Beckett at uea.ac.uk
Wed Nov 28 05:01:24 EST 2012
Scott,
Thank you for all the help / info you've provided, it's been very useful.
I think I'm going to go with Tomcat using HTTPS APR connector, and passing the details in the header using mod_proxy_http (https), as the tunnelling would be adding another layer of complexity (as we have *lots* of different tomcats and other containers to proxy to).
It's really good to know the spoof checking stuff should keep me safe in Apache. Is there any risk that the Apache 2.4 API changes could have stopped this working?
Thanks again,
Paul
>-----Original Message-----
>From: users-bounces at shibboleth.net [mailto:users-bounces at shibboleth.net]
>On Behalf Of Cantor, Scott
>Sent: Monday, November 26, 2012 5:23 PM
>To: Shib Users
>Subject: Re: Secure traffic on reverse proxy and ShibUseHeaders
>
>On 11/26/12 12:06 PM, "Paul Beckett (ITCS)" <P.Beckett at uea.ac.uk> wrote:
>
>>It seems to me if I want to authenticate a user in Apache, and pass the
>>username to the application I have three options:
>>1) Environment variable, with AJP connector (no encryption)
>>2) Environment variable, with AJP connector, using SSL tunnel
>
>Or SSH tunnel, which I would advise as a superior alternative, depending on
>how it affects performance. SSH connection verification is quite well
>understood. SSL certificate verification by typical code is a flaming disaster.
>
>>2)
>>The extra complexity of SSL tunnel and managing this for a *lot* of
>>different services, seems like a major management overhead and
>>something else to go wrong
>
>Another argument in favor of SSH if you want to do this.
>
>>3)
>>Would seem preferable but concerned about the spoofing issues:
>>
>>https://wiki.shibboleth.net/confluence/display/SHIB2/NativeSPSpoofChecking
>
>That isn't the problem, the problem is that you're specifically distrusting the
>network link to your back-end, and if that's the case, the attacker just injects
>headers on that link. If you use HTTP proxying between them, you MUST
>control the network between Apache and Tomcat.
>
>>The wiki page suggests the Shib SP has some spoof protection, but still
>>recommends against using headers. Is it possible to say how significant
>>the risk is?
>
>On Apache very low to nil. On IIS, it's highly dependent on application tools
>and Microsoft not changing things. I don't consider the latter to be low risk.
>
>> Are there any known ways to currently overcome the Shib SP's spoof
>>protection?
>
>Use unsafe settings on IIS, particularly certain .NET APIs, and expose the
>spoof checking key in some way.
>
>>
>>Any other thoughts, comments or advice on the subject would be very
>>welcome.
>
>I don't personally like HTTP proxying as a security mechanism, especially not
>when Tomcat doesn't require it. AJP is just superior for performance, and in
>controlling the threat model.
>
>-- Scott
>
>
>--
>To unsubscribe from this list send an email to users-
>unsubscribe at shibboleth.net
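
An added example, not part of the original thread and not the Shibboleth project's own configuration: one way to set up the Apache side of the approach Paul describes (attributes passed as headers over mod_proxy_http with HTTPS) so that Apache verifies the Tomcat certificate and presents a client certificate of its own, which addresses Scott's point that the link between Apache and Tomcat must be controlled. Host names, file paths and the /app location are placeholder assumptions.

```apache
# Added example: front-end Apache 2.4 vhost fragment
# (mod_shib, mod_ssl, mod_proxy, mod_proxy_http loaded).
# Host names, file paths and /app are placeholders, not values from the thread.

# TLS toward the back end: verify Tomcat's certificate, do not just encrypt.
SSLProxyEngine on
SSLProxyVerify require
SSLProxyVerifyDepth 2
SSLProxyCACertificateFile /etc/httpd/tls/backend-ca.pem
SSLProxyCheckPeerExpire on
# SSLProxyCheckPeerName needs httpd 2.4.5 or later;
# older builds use SSLProxyCheckPeerCN instead.
SSLProxyCheckPeerName on

# Client certificate and key (one PEM file) that Apache presents to Tomcat.
# The Tomcat connector has to require and verify this certificate; otherwise
# any host that can reach the Tomcat port can send its own identity headers.
SSLProxyMachineCertificateFile /etc/httpd/tls/proxy-client.pem

<Location /app>
    AuthType shibboleth
    ShibRequestSetting requireSession 1
    Require valid-user

    # Export attributes as request headers. Environment variables do not
    # cross an HTTP hop, so mod_proxy_http needs this; the SP's spoof
    # checking discussed in the thread applies to these headers.
    ShibUseHeaders On

    ProxyPass        https://tomcat1.internal.example:8443/app
    ProxyPassReverse https://tomcat1.internal.example:8443/app
</Location>
```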