16th October

in Pound

The Poodle SSLv3 – UPDATED – Updated Again

Posted by Andrei Grigoraş 16th October in Pound

So here we go again... Another vulnerability has been found in OpenSSL. However, this is very hard to exploit and requires the hacker to have control of your wireless hotspot or network. If that's the case, then you're in trouble anyway!

Continue reading...
13th June

in Pound

SSL Termination & The BEAST

Posted by Andrei Grigoraş 13th June in Pound

Over the last few weeks we have seen more and more users reporting that they have run a security check on the SSL certificate that's installed on their Loadbalancer appliance using the Trustworthy Internet Movement website (https://www.trustworthyinternet.org/ssl-pulse/). The idea behind the site is basically to test as many SSL certificates on the Internet as possible and check for any vulnerabilities, like having SSLv2 enabled or weak key cipher lists. The test takes about 2 minutes to run and will give you a report on the status of your SSL certificate and the associated services that it uses. From this we found that the version of Pound SSL Proxy that we were using with our v6.x appliance was not as secure as it could be, which has led to a new release of our hardware software, v6.19. NB. 'not as secure as it could be' does not mean a security problem; the BEAST attack is really a client-side attack and nothing to do with load balancers <- Annoying comment added by Editor :-).

Continue reading...
9th February

in HAProxy

Apache and X-Forwarded-For Headers

Posted by Rob Cooper 9th February in HAProxy

As a follow-on to my previous blog, it's easier to get Apache to log client IP addresses utilizing X-Forwarded-For headers than it is using IIS. By default, the logs do not record source IP addresses for clients, but this is very easy to change using the LogFormat directive in the httpd.conf file as explained below.

Continue reading...
4th February

in HAProxy

IIS and X-Forwarded-For Header

Posted by Rob Cooper 4th February in HAProxy

By default, layer 7 services are non-transparent. This means that the actual client source IP address is replaced by the load balancer's IP address, and therefore this address will be recorded in the IIS logs. One way around this is to insert X-Forwarded-For headers on the load balancer to track the actual client source IP address. IIS can then be reconfigured to make this data available in the logs. The steps required depend on the version of IIS:

Continue reading...
20th July

in HAProxy

Transparent proxy of SSL traffic using Pound to HAProxy backend patch and howto

Posted by Malcolm Turnbull 20th July in HAProxy

OK, so I've previously blogged about how to get TPROXY and HAProxy working nicely together. But what if you want to terminate SSL traffic on the load balancer in order to use HAProxy to insert cookies in the standard HTTP stream to the backend servers? Many thanks to Krisztián Ivancsó for working on the TPROXY patch for Pound for us, we can finally do this!

Continue reading...