Forum OpenACS Q&A: Re: AOLserver 4 not yet ready for prime time if you need SSL

Bart, being curious: what did you do to achieve transparency?

If I remember correctly, we just added in the OACS code the following switch to rp_filter in the request processor procs, such that it returns the forwarded-for address instead of the proxy in an [ad_conn peeraddr].

We handle redirections in the proxy and use the access logfile of Pound instead of the AOLserver one.

-gustaf

# Added to rp_filter in the request-processor procs: when the server runs
# behind a reverse proxy, report the forwarded client address instead of
# the proxy's own address in [ad_conn peeraddr].
if { [ns_config -bool ns/parameters ReverseProxyMode 0] } {
  # Take the last entry of X-Forwarded-For, i.e. the address appended by
  # the proxy closest to us; an empty header falls back to the socket peer.
  set addr [lindex [ns_set iget [ns_conn headers] x-forwarded-for] end]
  if {[string length $addr] == 0} {
    set addr [ns_conn peeraddr]
  }
  ad_conn -set peeraddr $addr
} else {
  # Not behind a proxy: the socket peer is the real client.
  ad_conn -set peeraddr [ns_conn peeraddr]
}

Gustaf,

I let Pound add an extra X header when the client has a HTTPS connection to Pound. X-SSL-Request is set to true to indicate that the connection to the browser is secure.

The request processor and the security procs of OpenACS then treat the connection as if it were a direct connection over HTTPS to AOLserver. Or in a schema:

HTTPS -> Pound -> HTTP + X-SSL-Request: true -> AOLserver

is treated the same as:

HTTPS -> AOLserver

For now the mods to OpenACS don't verify that the IP address of the request coming from Pound is indeed originating from a trusted proxy. A hacker knowing the (internal) IP address of the proxy could potentially spoof a secure connection. Cross-referencing the IP address against a (list of) trusted IP address(es), however, is trivial to add.

Did you know that AOLserver 4.x automatically records the X-Forwarded-For IP address?

Bart
the Code Mill
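The trusted-proxy cross-check Bart describes, as an added stand-alone model (not OpenACS or Pound code): X-Forwarded-For and X-SSL-Request are honoured only when the socket peer is a trusted proxy, and the forwarded chain is walked from the right so a client-supplied prefix is never believed. The proxy addresses and header values are constructed for the example.

```python
import ipaddress

# Constructed assumption: Pound reaches the backend from these addresses.
TRUSTED_PROXIES = (
    ipaddress.ip_network("10.0.0.5/32"),
    ipaddress.ip_network("127.0.0.1/32"),
)


def is_trusted_proxy(addr: str, trusted=TRUSTED_PROXIES) -> bool:
    """True if addr parses as an IP and lies inside a trusted-proxy network."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return any(ip in net for net in trusted)


def client_from_xff(peeraddr: str, xff: str, trusted=TRUSTED_PROXIES) -> str:
    """Walk X-Forwarded-For from the right, skipping hops we trust.

    The rightmost entry was appended by the proxy that connected to us;
    everything left of the first untrusted hop came from the client and
    is ignored. If every hop is trusted, fall back to the socket peer.
    """
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        if not is_trusted_proxy(hop, trusted):
            return hop
    return peeraddr


def effective_conn(peeraddr: str, headers: dict, trusted=TRUSTED_PROXIES):
    """Return (client address, secure flag) as rp_filter should see them."""
    h = {k.lower(): v for k, v in headers.items()}
    if not is_trusted_proxy(peeraddr, trusted):
        # Connection did not come from Pound: both headers are
        # attacker-controlled, so use the socket peer and treat as plain HTTP.
        return peeraddr, False
    xff = h.get("x-forwarded-for", "")
    client = client_from_xff(peeraddr, xff, trusted) if xff else peeraddr
    secure = h.get("x-ssl-request", "").strip().lower() == "true"
    return client, secure
```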

Hi Bart,

I was not aware that OACS treats secure connections differently. We only allow IP traffic to the backend from trusted machines (e.g. the proxy) via firewall. Since all OACS applications use ad_conn peeraddr, the mentioned fix was easy enough.

Concerning 4.x & forwarded-for: no, I was not aware of this either. I once brought it up on the aolserver list, but got the impression that people were mostly objecting to the idea, since it would in the general case leave room for spoofing.

We strip, in the Pound configuration, all incoming X-Forwarded-For headers; together with the firewall rules, I believe we are on the safe side.

-gustaf