On 3 Jul 2010, at 14:51, John T Skarbek wrote:
> Good Morning,
>
> I'm testing out a solution to use nginx for ssl decryption to pass off requests to haproxy. During the thought process of everything, and later during testing, I noticed that all I'd need to do in the clients web browser is to simply take out the 's' on 'https' and all traffic will flow unencrypted just dandily. I really don't want that to happen. So I thought of a couple of ideas:
> I was thinking of a solution to simply deny port 80 traffic from the outside world, but then I do have a couple of pages which do not require ssl. Users that don't put the 'https' in the address bar by default will sit at a blank page and I don't want to have to manage the firewall when creating sites.
> I was then thinking of having nginx watching that port on specific sites for unencrypted traffic, but then I'm mixing services and that isn't the greatest when planning for future sites and simply seems convoluted to me.
> My last though was to haproxy use some sort of acl to listen to where requests come from. If anything from the outside world, redirect them to a web page that forces ssl. Doing this would require me to have another entry to listen for the source being itself as decreypted communications from nginx would then possibly be sent to the redirect page also.
> Does anyone have any thoughts or a better recommended solution?
>
> John T. Skarbek
> B.S.Computer Science Networking
> Radford University
John,
I use Nginx to insert a header (X-Forwarded-Proto: https), and just check that the header exists with haproxy. If it doesn't, use the redirect prefix option in haproxy to force SSL.
Hope this helps
Chris Received on 2010/07/03 15:59
This archive was generated by hypermail 2.2.0 : 2010/07/03 16:15 CEST