We're trying to set up a load balancer with HAProxy which will serve multiple backend web applications. The use case is something like this:
User browses to foo.com/app1
HAProxy sees that the cookie doesn't contain session information, and redirects to an authentication gateway (a single-sign-on page of sorts)
The auth gateway provides a form, where if the user successfully logs in, the gateway redirects back to HAProxy, with a COOKIE storing the session details
HAProxy now sees that valid session information is present and redirects to app1-internal.foo.com (the actual web application) with the same COOKIE - which is used further by the web application.
Our doubt is in the 3rd step. We would like to encrypt the cookie which the authentication gateway adds (via AES or similar). The problem is, that at the HAProxy end we can't seem to figure out how to decrypt it, since HAProxy doesn't seem to support decrypting headers (or even running an external C/C++ program that can decrypt it). So our questions are:
Can we decrypt AES encrypted headers at HAProxy itself (note that this is not an SSL connection) ?
Is HAProxy not really designed for this use case - is there a better tool for this purpose that you can suggest for us?
Many thanks in advance!
Related
Im working on some JSON-based web service that is supposed to work with Android application.
I would like to encrypt data transport between client (android) and server (virtual server in datacenter).
I don't have to make sure that my server is my server, just data encryption.
I have no idea how to use HTTPS.
Do I just put my PHP files in private_html and use https://example.com url?
To use HTTPS, you don't have to do anything in the coding of your web service - it's all in your hosting. Here the are steps you can follow. The specific instructions differ in your hosting (IIS, Apache, AWS/Azure, etc), but you can google specifics on how to accomplish any of these steps for whatever host and application framework you decide.
Buy an SSL certificate (there are many different vendors, but expect between $75-$200 for the certificate) based on the vendor, reputation, and level of security you need.
Generate a certificate signing request (CSR) from the server you'll be hosting.
Upload the CSR to the SSL vendor who will validate and provide the certificate for your use.
Import the SSL certificate into your application server, and configure the site to use the certificate. For instance, if you're hosting Microsoft IIS, you'd import the SSL certificate and then add HTTPS bindings on 443 to the specific website hosting your web service.
Another point of security. Since you are deploying SSL, you don't have to do any application level encryption (assuming you are not putting sensitive information in query strings - use POST if you think you need to). You probably would want to implement some security to restrict access to your web service so only your app can access it. Best practice is some level of OAuth, but at a minimum some type of pre-shared key in the header of the request is a lot better than nothing.
Here are some additional sites for more information:
https://www.digicert.com/ssl-certificate-installation.htm
https://support.godaddy.com/help/category/742/ssl-certificates-installing-ssl-certificates?prog_id=GoDaddy
If you don't want to pay for a certificate, you can use certificate signet by your own CA and add the root certificates into your application using HTTPClient and keystores
Here there's some guides
http://datacenteroverlords.com/2012/03/01/creating-your-own-ssl-certificate-authority/
http://developer.android.com/reference/org/apache/http/client/HttpClient.html
KeyStore, HttpClient, and HTTPS: Can someone explain this code to me?
http://blog.antoine.li/2010/10/22/android-trusting-ssl-certificates/
You can limit users to use JUST and only HTTPS in apache, IIS or whatever do you use. If your client connects to your server, his communications will be likely to encrypted, because he is already using HTTPS. And for responsing in HTTPS you virtually cannot send HTTPS responses, as far as I know, unless that other side isn't also a website (for example, if you have your website, you could send such a response e.g. to Google). You should be okay to send data like http status codes (OK, NotModified, PageNotFound, ...), or if you want something more, or if it is a requirement, then there you still have JSON and you could encode it as well, with some encoding algorithms, or use binary JSON format.
Check if your hosting company provides a free public shared https address. Most of them do.
If you want to understand how to do it right, follow this thread
Warning: Don't stick with the solution below for production.
If you plan o use an https endpoint without a certificate you have to make sure to disable peer verification, check this answer
I have developed a Django application and now want to make sure the POST data transmitted through the page is safe.
I have couple of questions about this?
I see SSL certificates being displayed on many webpages. How do I get this certificate?
Do I need to change anything on my submitted form to encrypt the data or should I change any settings on my webserver?
I know its a general question but it would be great if someone provides a good answer.
First off, the POST data transmitted through the page is never safe from an application perspective. You don't have control over the user of the website. SSL and HTTPS helps prevent man in the middle attacks to ensure the request from the client (browser) to your server is encrypted. The underlying data that is sent can be malicious, so you should always validate inputs.
Secondly, if you want to use HTTPS and SSL, which I highly recommend, you'll need to obtain a certificate from one of the providers out there and install it with your webserver, which I presume is apache. Typically your domain provider can help you with obtaining an SSL certificate for your domain from one of the main certificate authorities. Regarding the installation and setup, there is tons of information about this online as it's a common task. I'm not familiar with Apache configuration to provide any specific recommendations. You'll also want to have rewrite rules so that your site can only be accessed via HTTPS and if someone tries to use HTTP, it simply redirects to HTTPS.
Lastly, you don't need to do anything in your Django application as your webserver should handle the basic interactions between your server and client to validate the HTTPS requests.
I am building a web application and RESTful web service.
I have been reading various articles about the best way to authenticate the requests to the web service.
The best option for me seems to be to use HTTP basic authentication. Pretty much every article ive read says that authentication should be encrypted over SSL or equivalent.
Im not totally sure what this involves. Does this mean that my whole web service will have to be on a secure server? Will this slow things down?
This really depends on how much data is being transferred and the amount of hits your service is getting. Encrypting the data will increase processing time and typically the amount of information transferred. However, if you choose basic authentication without SSL and there is a user running a packet sniffer on your network, it is almost like yelling your credentials across the room. It is possible to switch between HTTP and HTTPS by configuring your .HTACCESS if you'd like. See the link below:
Correctly switching between HTTP and HTTPS using .htaccess
We are working on an HTTP webservice load-balanced using haproxy. The webservice is accessed via SSL. It is a RESTful HTTP service and simply accepts JSON, does some work, and returns JSON. There is no notion of a session.
We have redundant load-balancers set up in front of a pair of redundant webservice servers. Each server sits behind Apache, where Apache is used as a proxy in order to handle SSL and logging. If it matters, our webservice is a Clojure (java) application using compojure (jetty) to handle HTTP.
This is a brief diagram showing the path of a client request through our existing system.
client request -> haproxy (load balancing) -> apache (ssl, logging) -> webservice
We would like any connection to the load-balancer to establish a persistent connection and then be served by the same server for all subsequent requests sent through that persistent connection. In other words, we don't want a persistent connection to haproxy making requests to more than one webservice server.
How would you recommend that we get this working? How can we "pin" a given connection to the load-balancer to a specific webservice server? How could we prevent accidentally loading down a specific webservice server with multiple intensive requests?
Using balance source in the defaults block, along with removing option httpclose entries did the trick.
In our HAProxy configuration we do this at the backend level, using the cookie option. This is because he have a number of sites, some of which we do want persistance for - others we do not.
In those that we do the backend looks like this in haproxy.cfg:
backend examplesite
cookie STK insert indirect nocache maxidle 30m maxlife 8h
server server1 192.168.0.1:80 cookie n1
server server2 192.168.0.2:80 cookie n2
This will set a cookie with the name STK on the first request. Haproxy will automatically assign a value to this cookie that it will then use to send subsequent requests to the same node.
We decided to also add the n1 and n2 cookie prefixes... this means that the cookie value will be prefixed with either n1 if the requests are going to node 1 or n2 if they are going to node 2. This is very helpful when debugging.
Either way I'd suggest taking a look at the configuration documentation around cookie options.
You might also want to look at the appsession option. This allows HAProxy to use an existing cookie (such as ASPNetSessionId or PHPSESSIONID) for the same purpose.
I had problems with it before, but recently had an answer to a question of Server Fault which should resolve this. You could give it a go as it saves using an extra cookie in your requests. Can't get appsession setting in HAProxy to work.
I have implemented secured login and signup in my website.It working.Now I want to test it.I am not sure how to test whether it is correctly secured.
If you want to test whether it breaks when used with SSL, you could easily test drive it by downloading and installing OpenSSL, follow this tutorial to create a self-signed certificate with OpenSSL, install your newly created certificate on your web server (Apache, if you are using LAMP or XAMPP) and finally restart your web server. Now you have SSL ready to be used, try to use your login form via https:// and see what happens. If a web browser like Firefox complains about your certificate, tell it to create an exception.
That is how you can test it over SSL, but as for the "whether it is correctly secured", things get harder. Make sure you have at least taken care of:
Session fixation
Cross-site scripting
Secure password storage (hashing)
SQL injections
Protecting against brute forcing with throttling or using CAPTCHAs
This depends what the website is made of, for instance if it's using Apache or if it's an home-grown server.
Verify the site is only accessible via HTTPS (if this is what is wanted)
Test an access via HTTP - verify behavior is as expected (could be redirection to HTTPS, error page or warning message ...)
Try to access the site without going thru the login page (i.e. forging URL)
Open a session, try to access it from another client without logging in.
Test for "obvious" passwords (test/test, admin/admin)
Verify you cannot login without empty username/password
Verify one cannot access the private key of the system
Verify one cannot access all files of the system (eg http://website.address/../../../../etc/passwd)
...
You can also use a website security test suite, see this list by insecure.org, there are commercial products and free/open source tools.
IMHO, you should not try to test SSL, as this is a third-party tool.