So here we go again… Another vulnerability has been found in OpenSSL. However, this is very hard to exploit and requires the hacker to have control of your wireless hotspot or network. If that’s the case, then you’re in trouble anyway!
Over the last few weeks we have seen more and more users reporting that they have run a security check on the SSL certificate thats installed on their Loadbalancer appliance using the Trustworty Internet Movement web site (https://www.trustworthyinternet.org/ssl-pulse/).
The idea behind the site is basically to test as many SSL certificates on the Internet as possible and check for any vulnerabilities like having SSLv2 enabled or weak Key Cipher lists. The test takes about 2 minutes to run and will give you a report on the status of your SSL Certificate and the associated services that it uses.
From this we found that the version of Pound SSL Proxy that we were using with our v6.x appliance was not as secure as it could be. Which has lead to a new release of our hardware software to v6.19.
NB. ‘not as secure as it could be’ does not mean a security problem, the BEAST attack is really a client side attack and nothing to do with load balancers <- Anoying comment added by Editor :-).
As a follow on to my previous blog, its easier to get Apache to log client IP addresses utilizing X-Forwarded-For headers than it is using IIS. By default, the logs do not record source IP addresses for clients but this is very easy to change using the LogFormat directive in the httpd.conf file as explained below.
By default, layer 7 services are non-transparent. This means that the actual client source IP address is replaced by the load balancers IP address, and therefore this address will be recorded in the IIS logs. One way around this is to insert X-Forwarded-For headers on the load balancer to track the actual client source IP address. IIS can then be reconfigured to make this data available in the logs. The steps required depend on the version of IIS:
OK so I’ve previously blogged about how to get TPROXY and HAProxy working nicely together. But what if you want to terminate SSL traffic on the load balancer in order to use HaProxy to insert cookies in the standard HTTP stream to the backend servers?
Many thanks to Krisztián Ivancsó for working on the TPROXY patch for Pound for us, we can finally do this!