Jonathan D. Proulx | 1 May 2006 21:52

[off topic] Configuring an IP blind Apache server

Hi,

My apologies in advance, this is clearly off topic, but I couldn't think
where else to ask...so please reply directly to me.

I'd like a _reverse_ anonymizing proxy, something that blinds Apache
to the incoming IP addresses in client HTTP requests.  I run a
webserver with a couple of virtual servers (in the apache sense not
the Xen/VMWare sense) run by different people and I'd like to scrub
the IP info from traffic before Apache gets it so that neither their
vhost configs nor their CMS can log IPs even if they want to.

It seems like there should be a way to plumb in privoxy or something,
but I can't quite think how.  Any suggestions or pointers?

Obviously running them as hidden services would fix this, but I don't
want the services hidden per se.

Thanks,
-Jon

Michael Holstein | 1 May 2006 22:09

Re: [off topic] Configuring an IP blind Apache server

> It seems like there should be a way to plumb in privoxy or something,
> but I can't quite think how.  Any suggestions or pointers?

Wouldn't it just be easier to edit your httpd.conf to change the log 
format to *not* log the IP address?

eg : take out the %h (for the IP address)

LogFormat "%l %u %t \"%r\" %>s %b" common

Complete docs :

http://httpd.apache.org/docs/1.3/logs.html#accesslog

Perhaps I'm missing something, but if all you want to do is have an 
Apache server that doesn't log what comes in, there are much easier ways 
than using Privoxy (et al.) to do it.

Cheers,

Michael Holstein CISSP GCIA
Cleveland State University

Dan Mahoney, System Admin | 1 May 2006 22:15

Re: [off topic] Configuring an IP blind Apache server

On Mon, 1 May 2006, Jonathan D. Proulx wrote:

Bind your apache instances to an RFC 1918 address, internally.

Use your kernel's ip forwarding functionality, with freebsd this would be 
done by a rule like "ipfw add 400 fwd 192.168.1.20,80 ip from any to 
realip 80"

Alternatively, stick it behind thomas boutell's excellent rinetd -- either 
approach will "nat" the request and rewrite the tcp connection without 
revealing that it's being rewritten.

-Dan

> Hi,
>
> My apologies in advance, this is clearly off topic, but I couldn't think
> where else to ask...so please reply directly to me.
>
> I'd like a _reverse_ anonymizing proxy, something that blinds Apache
> to the incoming IP addresses in client HTTP requests.  I run a
> webserver with a couple of virtual servers (in the apache sense not
> the Xen/VMWare sense) run by different people and I'd like to scrub
> the IP info from traffic before Apache gets it so that neither their
> vhost configs nor their CMS can log IPs even if they want to.
>
> It seems like there should be a way to plumb in privoxy or something,
> but I can't quite think how.  Any suggestions or pointers?
>
> Obviously running them as hidden services would fix this, but I don't

Jonathan D. Proulx | 1 May 2006 22:18

Re: [off topic] Configuring an IP blind Apache server

On Mon, May 01, 2006 at 04:09:28PM -0400, Michael Holstein wrote:
:>It seems like there should be a way to plumb in privoxy or something,
:>but I can't quite think how.  Any suggestions or pointers?
:
:Wouldn't it just be easier to edit your httpd.conf to change the log 
:format to *not* log the IP address?
:
:eg : take out the %h (for the IP address)
:
:LogFormat "%l %u %t \"%r\" %>s %b" common

Yes I do that I also redirect error logs to a script that scrubs IPs
out since there isn't an Apache directive to do this.  But Content
Management Systems (CMS), message board software and other such things
often do their own logging into their database backends.

The idea is a system wide solution that allows any user group to
install any semi-random PHP/MySQL frob without having to hack around
trying to find and disable its IP logging.

-Jon
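
Jon mentions piping the Apache error log through a script that scrubs
addresses out. The following is an added example of such a filter, not
Jon's script (which is not on the page), meant to be used as a piped
ErrorLog target in httpd.conf, e.g.
ErrorLog "|/usr/local/sbin/scrub_ips.py /var/log/apache/error_log"
(paths assumed). It blanks the "[client ...]" field Apache writes, any
dotted-quad IPv4 address elsewhere on the line, and any colon-separated
token that parses as an IPv6 address, while leaving timestamps such as
21:52:10 untouched. The sample lines are constructed for the example.

```python
#!/usr/bin/env python3
"""Scrub client IP addresses from Apache error-log lines read on stdin.

Added example for this thread; paths and sample lines are assumptions.
"""
import ipaddress
import re
import sys

PLACEHOLDER = "[scrubbed]"

# Apache 1.3/2.x write the peer as "[client 203.0.113.5]"; 2.4 appends ":port".
# Blank the whole field, whatever address family or suffix it carries.
CLIENT_FIELD_RE = re.compile(r"\[client [^\]]*\]")

# Dotted quads anywhere else on the line (referers, PHP warnings, ...).
# The look-arounds stop "1.3.34" (a version) or "10.0.0.1:443" from
# being cut in the wrong place.
IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")

# Any run of hex digits containing at least one colon is a candidate
# IPv6 address; it is only replaced if the ipaddress module accepts it,
# so "21:52:10" in the timestamp survives and "2001:db8::7" does not.
IPV6_CANDIDATE_RE = re.compile(r"(?<![\w:.])[0-9A-Fa-f:]*:[0-9A-Fa-f:]*(?![\w:.])")


def _scrub_ipv6(match):
    token = match.group(0)
    try:
        if ipaddress.ip_address(token).version == 6:
            return PLACEHOLDER
    except ValueError:
        pass  # colon-separated but not an address (e.g. a time of day)
    return token


def scrub_line(line):
    """Return the log line with every client address replaced."""
    line = CLIENT_FIELD_RE.sub("[client " + PLACEHOLDER + "]", line)
    line = IPV4_RE.sub(PLACEHOLDER, line)
    line = IPV6_CANDIDATE_RE.sub(_scrub_ipv6, line)
    return line


def scrub_lines(lines):
    return [scrub_line(line) for line in lines]


# Constructed sample lines in Apache 1.3/2.x error_log layout.
SAMPLE_LINES = [
    "[Mon May 01 21:52:10 2006] [error] [client 203.0.113.5] File does not exist: /var/www/htdocs/favicon.ico",
    "[Mon May 01 21:53:02 2006] [error] [client 2001:db8::7] script not found or unable to stat",
    "[Mon May 01 21:54:30 2006] [notice] referer: http://198.51.100.9/index.php, from 2001:db8:1::2",
]


def main(argv):
    # Apache feeds each log line to the piped program on stdin; append the
    # scrubbed line to the file named on the command line, or to stdout.
    out = open(argv[1], "a", buffering=1) if len(argv) > 1 else sys.stdout
    for line in sys.stdin:
        out.write(scrub_line(line.rstrip("\n")) + "\n")
        out.flush()


if __name__ == "__main__":
    main(sys.argv)
```

The scrubbing happens before the line reaches disk, so nothing on the
box ever holds the address. Note that this only covers Apache's own
logs; it does nothing for a CMS that records REMOTE_ADDR into its
database, which is the gap the rest of the thread addresses.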

Philippe Gauthier | 1 May 2006 22:24

Re: [off topic] Configuring an IP blind Apache server

Jonathan D. Proulx wrote:
> I'd like a _reverse_ anonymizing proxy, something that blinds Apache
> to the incoming IP addresses in client HTTP requests.  I run a
> webserver with a couple of virtual servers (in the apache sense not
> the Xen/VMWare sense) run by different people and I'd like to scrub
> the IP info from traffic before Apache gets it so that neither their
> vhost configs nor their CMS can log IPs even if they want to.
> 
> It seems like there should be a way to plumb in privoxy or something,
> but I can't quite think how.  Any suggestions or pointers?

I was thinking about this problem a while ago and found that a Squid web proxy
could be used to answer HTTP requests. Squid would then forward the requests to
another proxy (Privoxy) see:

http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.9

There is some discussion of this method and security implications at:

http://wiki.noreply.org/noreply/TheOnionRouter/SquidProxy

-- 
Philippe Gauthier <philippe.gauthier <at> deuxpi.ca>

Michael Holstein | 1 May 2006 22:24

Re: [off topic] Configuring an IP blind Apache server

> The idea is a system wide solution that allows any user group to
> install any semi-random PHP/MySQL frob without having to hack around
> trying to find and disable its IP logging.

Then do as Dan just suggested and forward it using your firewall .. 
advantage there is you can still "ban" a user if you see the need by 
inserting the appropriate DENY rule above your forward one.

Note that other "things" in your network may still log the traffic 
though .. (most hardware firewalls, for example) .. so be sure you know 
what the end-to-end security is at least as far as your perimeter router.(*)

/mike.

(*): well .. unless you use AT&T as an ISP, since we know they forward 
everything to the ($3_letter_agency) anyway.

Dan Mahoney, System Admin | 1 May 2006 22:32

Re: [off topic] Configuring an IP blind Apache server

On Mon, 1 May 2006, Michael Holstein wrote:

>> The idea is a system wide solution that allows any user group to
>> install any semi-random PHP/MySQL frob without having to hack around
>> trying to find and disable its IP logging.
>
> Then do as Dan just suggested and forward it using your firewall .. advantage 
> there is you can still "ban" a user if you see the need by inserting the 
> appropriate DENY rule above your forward one.
>
> Note that other "things" in your network may still log the traffic though .. 
> (most hardware firewalls, for example) .. so be sure you know what the 
> end-to-end security is at least as far as your perimeter router.(*)

although, be forewarned, at least with the kernel answer above, if the 
address is on the same machine, you *will* see the source side of the TCP 
connection.  This is a "feature" of BSD's forwarding mechanism -- so 
rinetd may be better suited for this.  I had thought that you simply 
wanted a web server to not know which address it itself was listening on 
(which also works for this).

-Dan

>
> /mike.
>
> (*): well .. unless you use AT&T as an ISP, since we know they forward 
> everything to the ($3_letter_agency) anyway.
>


Jonathan D. Proulx | 1 May 2006 22:37

Re: [off topic] Configuring an IP blind Apache server

Thanks all,

rinetd seems the simplest solution.  I've already implemented it in
fact...I figure if someone wants to guess which port I'm running on
so they can have their IP logged I don't mind :)

Thanks,
-Jon
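
The arrangement Jon settled on, written out as an added example that is
not part of the thread (the port numbers, the rinetd.conf path and the
use of 0.0.0.0 for the public side are assumptions): Apache listens only
on loopback, and rinetd accepts on the public address and opens a fresh
TCP connection to Apache. rinetd is a plain TCP redirector and adds no
X-Forwarded-For header, so the only peer address Apache, mod_php and any
CMS reading REMOTE_ADDR ever see is 127.0.0.1.

```conf
# /etc/rinetd.conf (path assumed)
# bindaddress  bindport  connectaddress  connectport
0.0.0.0        80        127.0.0.1       8080
# Leave rinetd's own "logfile" directive out: it records the real source
# address of every connection, which is exactly what is being hidden.

# httpd.conf: accept connections on loopback only, so the only way in
# is through rinetd.
Listen 127.0.0.1:8080
```

Because the backend socket is loopback, this holds for every vhost and
every PHP/MySQL application at once with no per-site changes. If Apache
has to stay bound to a routable address instead (the "guess which port"
case Jon mentions), add a firewall rule so port 8080 is reachable only
from the relay host; otherwise a client can connect to Apache directly
and be logged after all.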

Watson Ladd | 2 May 2006 03:34

Re: FreeCap and a Tor server – good combination?

Because anyone observing the SOCKS server will be able to see what you are doing just as well as if it was your computer.

On 4/28/06, Tor User <toruser256 <at> yahoo.com> wrote:
I'm not clear what you mean by " It loses security as one endpoint is being used", could you expound on it?  In the setup I was describing, the Tor circuits still go through the same number of Tor routers, and since my Tor server is just a middleman, nobody is exiting at the SOCKS server that I used SSH to tunnel to... Basically, my server's connections to other Tor servers are tunneled through SSH to some SOCKS server instead of just going directly to the next Tor router in the circuit. Thanks.


Watson Ladd <watsonbladd <at> gmail.com> wrote:
It loses security as one endpoint is being used. Tor uses multiple endpoints for successive connections to avoid tracking a connection.

On 4/27/06, Tor User <toruser256 <at> yahoo.com> wrote:
I've been running a Tor server (middleman only) for a while and I've been wondering about using FreeCap and an account on an SSH server that has a SOCKS proxy to tunnel my Tor server's connections over an SSH tunnel to the SOCKS proxy running on that SSH server.   Hopefully I explained that clearly, if not maybe this will help to visualize it:

TOR Server – FreeCap – SSH Tunnel – SOCKS proxy – [Out to internet]

I have tried testing this and it works.   Clients are able to connect to my TOR server, and in trying it myself there is no noticeable increase in latency (ping time to the SSH server is < 15ms, and the server has a fast CPU and faster network connection).   As far as I can tell, based on netstat and the like, when a client connects to my server, their circuit is built through the SSH tunnel and then to the SOCKS proxy server, and then out on the internet to the next Tor server in the circuit.   When data comes back to my Tor server, it first comes through the SOCKS proxy on to the SSH tunnel, and then to my Tor server, then to the client or other Tor server in the chain.

I get the feeling that this should be more secure because:

My ISP can't monitor my Tor server's outgoing connections.
Even if the SSH/SOCKS server's connection was monitored, other people's Tor circuits should be mixed in with my Tor server's connections.

Any thoughts on this?

Also, just so there is no confusion, I am an authorized user of the SSH/SOCKS server, and I am not under any bandwidth or CPU usage constraints.   My access to the server is very fast and the tiny bit of latency seems trivial.  I'm only interested in the security implications of this approach.  Thanks!



--
"Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin





--
"Those who would give up Essential Liberty to purchase a little Temporary Safety deserve neither  Liberty nor Safety."
-- Benjamin Franklin
Tor User | 2 May 2006 17:17

Re: FreeCap and a Tor server – good combination?

Yes, I understand that anyone monitoring the SOCKS server could see my (middleman only) Tor server's connections to other Tor Servers, but wouldn't tunneling through this SSH/SOCKS server mean that an attacker would have to be able to monitor the SOCKS server (to see where my server is connecting to) as well as monitoring my computer (to see where the connections to my server came from)?

Watson Ladd <watsonbladd <at> gmail.com> wrote:

Because anyone observing the SOCKS server will be able to see what you are doing just as well as if it was your computer.
