After contacting another organization that was leaking auth, they had to set the following on their ASA, as the virtual http command didn't work for them. From the Cisco docs:
"If you use HTTP authentication without using the aaa authentication secure-http-client command, the username and password are sent in clear text to the destination web server, and not just to the AAA server. For example, if you authenticate inside users when they access outside web servers, anyone on the outside can learn valid usernames and passwords. We recommend that you use the aaa authentication secure-http-client command whenever you enable HTTP authentication."
Add the following command to the PIX/ASA Firewall:
aaa authentication secure-http-client
Cisco Reference Doc: http://www.cisco.com/en/US/docs/security/asa/asa70/configuration/guide/fwaaa.html#wp1051298
Thursday, January 24, 2008
Friday, January 11, 2008
mod_proxy_balancer and IIS session affinity one small step
I recently needed to configure a load-balanced Apache reverse proxy with two IIS servers on the backend. I found this wonderful link on Google with instructions on how to do just that. I only have one small correction to the wonderful information located at
http://macacochefe.blogspot.com/2007/08/iis-creating-cookie-affinity-load.html
6 – Type “mycluster.node1; path=/;” in the Custom Header Value
In his example, this should be:
6 – Type “BALANCEID=mycluster.node1; path=/;” in the Custom Header Value
Additionally, in the past when I have seen auth leaked to my webservers, they normally ignore the Auth string and serve up the content. Apache will issue a 401 Authorization Required even if no type of authentication is required and/or configured for that site. If you are running a reverse proxy that does not require auth, you can set the following in your virtual server config to prevent this behavior. It is probably overkill, but it works.
RequestHeader set REMOTE_USER ""
RequestHeader set X-HTTP_AUTHORIZATION ""
RequestHeader set HTTP_AUTHORIZATION ""
RequestHeader set AUTHORIZATION ""
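The two rules the post configures, sticky routing on the BALANCEID cookie that the IIS custom header sets and dropping leaked auth headers before the request reaches a backend that needs no auth, modelled as an added example (not the blog's or Apache's code). Backend names, URLs and the sample request are constructed; the example removes the headers instead of blanking them, and the name list keeps the post's CGI-variable spellings alongside the on-the-wire header name, Authorization.

```python
from http.cookies import SimpleCookie

# Constructed backend table: the route is the part of the cookie after the
# dot, as in "BALANCEID=mycluster.node1" from the post. Names are assumed.
CLUSTER = "mycluster"
BACKENDS = {
    "node1": "http://iis1.internal:80",
    "node2": "http://iis2.internal:80",
}
# The header names the post's RequestHeader lines clear; compared lowercase.
AUTH_HEADERS = {"authorization", "http_authorization",
                "x-http_authorization", "remote_user"}


def pick_backend(headers, fallback_route="node1"):
    """Return (backend_url, route) honoring BALANCEID=<cluster>.<route>.
    A missing cookie, a foreign cluster or an unknown route loses stickiness
    and goes to the fallback route instead of erroring."""
    lower = {k.lower(): v for k, v in headers.items()}
    jar = SimpleCookie()
    jar.load(lower.get("cookie", ""))
    morsel = jar.get("BALANCEID")
    if morsel is not None:
        cluster, _, route = morsel.value.partition(".")
        if cluster == CLUSTER and route in BACKENDS:
            return BACKENDS[route], route
    return BACKENDS[fallback_route], fallback_route


def strip_leaked_auth(headers):
    """Drop client auth headers so a backend that needs no auth never sees
    cached credentials. Returns (clean_headers, removed_names) so the
    removal can be logged without ever logging the credential itself."""
    removed = sorted(k for k in headers if k.lower() in AUTH_HEADERS)
    clean = {k: v for k, v in headers.items() if k.lower() not in AUTH_HEADERS}
    return clean, removed


def forward(headers):
    """Apply both rules to one request; returns what would be proxied."""
    backend, route = pick_backend(headers)
    clean, removed = strip_leaked_auth(headers)
    return {"backend": backend, "route": route,
            "headers": clean, "removed": removed}


if __name__ == "__main__":
    # Constructed request: a browser replaying cached Basic creds (dummy value)
    # together with the affinity cookie IIS set on an earlier response.
    req = {"Host": "www.example.com", "Cookie": "BALANCEID=mycluster.node2",
           "Authorization": "Basic dXNlcjpwYXNz"}
    print(forward(req))
```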
Additional info on proxies behaving badly.
I have worked with two organizations now that are using Websense in conjunction with a PIX firewall and AAA auth. If your organization is configured in such a scenario, it is imperative that you specify the virtual http parameter, as your users' browsers might cache auth and leak it to external websites.
http://www.cisco.com/warp/public/110/atp52.html#virtual_http