Just wondering if SNI is useful in segregating public content from private content. I managed to configure our server to serve /foo for every client but serve /bar only for clients from the intranet, by specifying a host name that is resolved only from the intranet.
So the config goes like this (stripped to the very essential part; the VirtualHost blocks are shown here, they were lost in the paste):

    NameVirtualHost *:443
    # JkWorkersFile must be global so including it here
    JkWorkersFile workers.properties

    <VirtualHost *:443>
        ServerName public.foo.com
        JkMountFile uriworkermap-pub.properties
    </VirtualHost>

    <VirtualHost *:443>
        ServerName private-foo
        JkMountFile uriworkermap-priv.properties
    </VirtualHost>

    <VirtualHost *:443>
        ServerName 10.1.2.3
        JkMountFile uriworkermap-priv.properties
    </VirtualHost>
The catch is, if you add that name into your hosts file to resolve to the public IP, then SNI will actually handle it the same way as if it were a valid request from the intranet.
I played around with the thought of using only a numeric IP instead of names (e.g. 10.1.2.3), but I presume the same can be tricked if the client has the same IP in their own subnet (e.g. a Linux host that forwards ports to the public IP of my web server).
The node sits behind a firewall on which I don't have influence. It has only one IP (the internal one) but if needed I can probably make it two.
Practical question is: how do you prevent such a leak? By means of htaccess for example? By specifying different IP addresses? Or is there no other way than creating a separate server instance and forgetting SNI?
Answer
If you need to restrict content based on the origin of the site visitors, you use that information as the primary access control (and not just the name of the resource you are trying to protect).
With Apache 2.2 that would be the Allow directive.
    <VirtualHost *:443>
        ServerName private-foo
        <Location />
            Order Deny,Allow
            Deny from all
            # Allow from the internal subnet 10.1.2.0/24
            Allow from 10.1.2
        </Location>
        ...
    </VirtualHost>
Often in your scenario a server would have an internal and a public IP address though, and since internal users would come in using that internal IP address only, you would bind the virtual host to only that internal IP, e.g. rather than listening to all IPs.
Additionally, your remark regarding .htaccess triggered my pet peeve; quoted from the manual on .htaccess files:

    You should avoid using .htaccess files completely if you have access to the httpd main server config file. Using .htaccess files slows down your Apache http server. Any directive that you can include in a .htaccess file is better set in a Directory block in the main Apache configuration file(s), as it will have the same effect with better performance.
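Putting the answer's advice together with the virtual hosts from the question, as an added example that is neither the poster's nor the answerer's own config: the name a client sends via SNI only selects the virtual host, and the client's source address is what grants or denies the private mounts. It assumes 10.1.2.3 is the server's internal address, 10.1.2.0/24 is the intranet, and the certificate paths are placeholders.

```apache
# Added example: one httpd 2.2 instance, public and intranet vhosts on port 443.
# Assumed: 10.1.2.0/24 is the intranet; certificate paths are placeholders.
Listen 443
NameVirtualHost *:443
# JkWorkersFile is global, so it lives outside the vhosts
JkWorkersFile workers.properties

# Public site: serves only the public mounts, no source-address restriction.
<VirtualHost *:443>
    ServerName public.foo.com
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /etc/ssl/certs/public.foo.com.crt
    SSLCertificateKeyFile /etc/ssl/private/public.foo.com.key
    JkMountFile uriworkermap-pub.properties
</VirtualHost>

# Intranet site: a spoofed hosts-file entry can still land a client here,
# because SNI is chosen by the client. The Deny/Allow rules below are the
# actual control: anything not from 10.1.2.0/24 gets 403, whatever name it sent.
# The same applies if the firewall forwards public traffic to the internal
# address, where binding to 10.1.2.3 alone would not separate the two.
<VirtualHost *:443>
    ServerName private-foo
    # the numeric-IP vhost from the question folded in as an alias
    ServerAlias 10.1.2.3
    SSLEngine on
    # placeholder paths
    SSLCertificateFile    /etc/ssl/certs/private-foo.crt
    SSLCertificateKeyFile /etc/ssl/private/private-foo.key
    JkMountFile uriworkermap-priv.properties
    <Location />
        Order Deny,Allow
        Deny from all
        Allow from 10.1.2.0/24
        # Apache 2.4 equivalent of the three lines above: Require ip 10.1.2.0/24
    </Location>
</VirtualHost>
```

Because mod_authz_host runs before the mod_jk handler, the Deny/Allow check applies to the JK-mounted URIs as well, so /bar is refused to non-intranet clients even when they present the private-foo name.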