SSL Termination & The BEAST

Over the last few weeks we have seen more and more users reporting that they have run a security check on the SSL certificate thats installed on their Loadbalancer appliance using the Trustworty Internet Movement web site (https://www.trustworthyinternet.org/ssl-pulse/).

The idea behind the site is basically to test as many SSL certificates on the Internet as possible and check for any vulnerabilities like having SSLv2 enabled or weak Key Cipher lists. The test takes about 2 minutes to run and will give you a report on the status of your SSL Certificate and the associated services that it uses.

From this we found that the version of Pound SSL Proxy that we were using with our v6.x appliance was not as secure as it could be. Which has lead to a new release of our hardware software to v6.19.

NB. ‘not as secure as it could be’ does not mean a security problem, the BEAST attack is really a client side attack and nothing to do with load balancers <- Anoying comment added by Editor :-).

Continue reading

IIS and X-Forwarded-For Header

By default, layer 7 services are non-transparent. This means that the actual client source IP address is replaced by the load balancers IP address, and therefore this address will be recorded in the IIS logs. One way around this is to insert X-Forwarded-For headers on the load balancer to track the actual client source IP address. IIS can then be reconfigured to make this data available in the logs. The steps required depend on the version of IIS:
Continue reading

Transparent proxy of SSL traffic using Pound to HAProxy backend patch and howto

OK so I’ve previously blogged about how to get TPROXY and HAProxy working nicely together. But what if you want to terminate SSL traffic on the load balancer in order to use HaProxy to insert cookies in the standard HTTP stream to the backend servers?

Many thanks to Krisztián Ivancsó  for working on the TPROXY patch for Pound for us, we can finally do this!

Continue reading