Hi,

I have an application where it only speaks HTTP. This application runs on a web server. Would there be any way to make the HTTP packet being sent by the web server converted by a firewall/shorewall to HTTPS and go to a specific address? I have done some research and it looks like HTTPS is essentially exchanging keys (PKI) to establish a tunnel; thus, redirecting the port from HTTP to HTTPS would simply not work. Is this true? Has someone dealt with or seen this kind of problem and knows some hints?

Thank you.

- Lee

-------------------------------------------------------------------------
Take Surveys. Earn Cash. Influence the Future of IT
Join SourceForge.net's Techsay panel and you'll get the chance to share your
opinions on IT & business topics through brief surveys -- and earn cash
http://www.techsay.com/default.php?page=join.php&p=sourceforge&CID=DEVDEV
Lito Kusnadi wrote:
> Hi,
>
> I have an application where it only speaks HTTP. This application runs
> on a web server. Would there be any way to make the HTTP packet being
> sent by the web server converted by a firewall/shorewall to HTTPS and
> go to a specific address? I have done some research and it looks like
> HTTPS is essentially exchanging keys (PKI) to establish a tunnel;
> thus, redirecting the port from HTTP to HTTPS would simply not work. Is
> this true? Has someone dealt with or seen this kind of problem and knows
> some hints?

Lito,

A firewall won't do this, and the type of "proxying" you are proposing is akin to what I believe is called "man in the middle" (usually seen in hack attempts).

However, having dealt with these types of issues regarding secure proxy authentication (from a proxy to an external auth source), you may be able to change the program (is it a script?) to do https, because most scripts in this situation don't actually have the ability to speak http, but rather access an external lib. I have personally done this with a python script which authenticates squid against an imap server to connect over imaps - which was a "stupid easy" task.

A better solution would be to (and this can get hacky) create an ssh tunnel to the remote machine, and run standard http over ssh. This method would remove the need to do https completely, and use ssh for the encryption. The challenge here is keeping the ssh tunnel open, were the connection to be broken due to network conditions. As to how to script such a scheme, that's out of my league. But using ssh tunnels allows for remote access to all kinds of legacy protocols which may not be considered secure, but may be useful in moving data around internally.

There's a lot of security issues around doing these things, and you should become as familiar with them as possible.

--
Michael Cozzi
cozzi@cozziconsulting.com
Lito Kusnadi wrote:
> Would there be any way to make the HTTP packet being sent by the web server

yup

> and go to a specific address?

gee.. No. You are far away from the solution.

Shorewall HAS NOTHING TO DO with it.

Read: http://linuxman.wikispaces.com/PPPPPPS Section "General expectations about Shorewall" and http://www.shorewall.net/Shorewall_Doesnt.html

take care.
Hi Michael,

The program is not able to send HTTPS requests, only HTTP. This is the biggest problem. Another challenge is the other end (server) is a web server too, and it only accepts SSL. But I think you are giving me some points about using Python. So I'll dig into it.

Thank you.

Michael Cozzi <cozzi@cozziconsulting.com> wrote:
> Lito Kusnadi wrote:
>> Hi,
>>
>> I have an application where it only speaks HTTP. This application runs
>> on a web server. Would there be any way to make the HTTP packet being
>> sent by the web server converted by a firewall/shorewall to HTTPS and
>> go to a specific address? I have done some research and it looks like
>> HTTPS is essentially exchanging keys (PKI) to establish a tunnel;
>> thus, redirecting the port from HTTP to HTTPS would simply not work. Is
>> this true? Has someone dealt with or seen this kind of problem and knows
>> some hints?
>
> Lito,
>
> A firewall won't do this, and the type of "proxying" you are proposing is
> akin to what I believe is called "man in the middle" (usually seen in hack
> attempts).
>
> However, having dealt with these types of issues regarding secure proxy
> authentication (from a proxy to an external auth source), you may be able
> to change the program (is it a script?) to do https, because most scripts
> in this situation don't actually have the ability to speak http, but
> rather access an external lib. I have personally done this with a python
> script which authenticates squid against an imap server to connect over
> imaps - which was a "stupid easy" task.
>
> A better solution would be to (and this can get hacky) create an ssh
> tunnel to the remote machine, and run standard http over ssh. This method
> would remove the need to do https completely, and use ssh for the
> encryption. The challenge here is keeping the ssh tunnel open, were the
> connection to be broken due to network conditions. As to how to script
> such a scheme, that's out of my league. But using ssh tunnels allows for
> remote access to all kinds of legacy protocols which may not be considered
> secure, but may be useful in moving data around internally.
>
> There's a lot of security issues around doing these things, and you should
> become as familiar with them as possible.
>
> --
> Michael Cozzi
> cozzi@cozziconsulting.com

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users
Lito Kusnadi wrote:
> Hi Michael,
>
> The program is not able to send HTTPS requests, only HTTP. This is the
> biggest problem. Another challenge is the other end (server) is a web
> server too, and it only accepts SSL. But I think you are giving me some
> points about using Python. So I'll dig into it.

Good grief. Just use http://www.stunnel.org/.
Stephen Warren wrote:
> Lito Kusnadi wrote:
>> Hi Michael,
>>
>> The program is not able to send HTTPS requests, only HTTP. This is the
>> biggest problem. Another challenge is the other end (server) is a web
>> server too, and it only accepts SSL. But I think you are giving me some
>> points about using Python. So I'll dig into it.
>
> Good grief. Just use http://www.stunnel.org/.

Good advice. Stunnel is like netcat for SSL - a fantastic tool. It's probably shipped with your Linux distro.

Paul
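A client-mode stunnel configuration for exactly the setup Stephen and Paul are pointing at (the HTTP-only application sends plain HTTP to a loopback port; stunnel opens the TLS session to the HTTPS-only server), added here as an illustration and not part of the thread or of stunnel's own documentation. The service name, local port 8080, the hostname secure.example.net and the CA bundle path are placeholder assumptions; the option names are the stunnel 5.x spellings.

```ini
; stunnel.conf on the host running the HTTP-only application (added example).
; Placeholders: service name, port 8080, secure.example.net, CA bundle path.
foreground = no
pid = /var/run/stunnel-http2https.pid
output = /var/log/stunnel-http2https.log
debug = 5

[http2https]
client = yes
; Plain HTTP is accepted from the local application only. Binding to
; 127.0.0.1 keeps the unencrypted leg off the network; never use 0.0.0.0 here.
accept  = 127.0.0.1:8080
; TLS toward the server that only accepts SSL
connect = secure.example.net:443
sni     = secure.example.net
; Verify the server's certificate chain against the system CA bundle and check
; that the certificate is for the expected name. Without these lines stunnel
; would accept any certificate, which is precisely the "man in the middle"
; exposure Michael warned about, only now on your own outbound hop.
verifyChain = yes
CAfile  = /etc/ssl/certs/ca-certificates.crt
checkHost = secure.example.net
```

The application is then pointed at http://127.0.0.1:8080/ but must keep sending the remote name in its Host header, since the far-end web server still sees an ordinary HTTP request inside the tunnel.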