Is there a way to disable weak and medium ciphers suites for https, with the standalone Play Framework server?
Couldn't find anything about it.
The intention of the standalone server is not to deal with https traffic. The most common pattern is to use something like lighttpd, nginx or apache as a reverse proxy and offload the https processing to that.
Therefore, your question is more suited to whether it is possible to do what you need in one of the above http servers.
In Play 2.3, it is possible to do this with the AlgorithmChecker, and the AlgorithmChecker can be set up from a custom SSLEngine provider.
https://www.playframework.com/documentation/2.3.x/ConfiguringHttps
https://github.com/playframework/playframework/blob/2.3.x/framework/src/play-ws/src/main/scala/play/api/libs/ws/ssl/AlgorithmChecker.scala
Related
The use of SSLv3.0/TLSv1.0 in combination with certain encryption techniques (CBC block
ciphers) may allow for an attacker to predict the so-called Initialization Vector of subsequent SSL packets. Using this information the attacker can access the secure session of another user. This attack, named BEAST (Browser Exploit Against SSL/TLS), is aimed at the user’s browser and not at the web server. Nevertheless, it is possible to take countermeasures at the server side as well to prevent a successful attack.
The complete solution to this problem is disabling or deprioritizing the support for
vulnerable encryption ciphers (CBC block ciphers) when using SSLv3.0/TLSv1.0. Commonly, this can be achieved by prioritizing RC4 ciphers in the cipher negotiation process.
For Apache web servers that support SSLv3.0/TLSv1.0 this can be configured by adding the
following configuration:
SSLProtocol All –SSlv2
SSLHonorCipherOrder On
SSLCipherSuite RC4-SHA:HIGH:!ADH
For Apache web servers that support SSLv3.1/TLSv1.1 and higher, it is recommended to use the following configuration:
SSLProtocol All –SSlv2
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-RSA-AES256-SHA384:AES256-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH:!AESGCM
As far as I know, JBoss 7 is based on a version of Apache that supports SSLv3.1/TLSv1.1 (maybe I am wrong), so the second alternative can be applied to JBoss 7.
My question is: Where/How should I configure it?
Dont paranoid with beast attack. According to this Oracle fix the issue, its not related directly with JBoss its an JVM issue. As stated here its hard to apply beast attack in real world. Just make sure that your JVM and JBoss is up-to-date. If you have still question in your mind its best practice to run JBoss behind a reverse proxy such as apache or nginx.
I am currently using lighty as a load-balancing reverse-proxy for two different webapps running on a small farm of HTTP servers:
roundrobbin(URL_1) => Server_Group_1
roundrobbin(URL_2) => Server_Group_2
I want to convert the HTTP servers to HTTPS servers. URL_1 has CERT_1 and URL_2 has CERT_2.
Unlike many people, I do not want to serve certificates from the front-end proxy. I want the front-end proxy to pass the HTTPS requests to secondary proxies: Proxy_1 (serves CERT_1) and Proxy_2 (serves CERT_2).
This should be possible with SNI (Server Name Indication). But everything I have read about SNI gives the example of front-end proxy serving both certs. I do not want to put both of my certs on the fron-end proxy. Call me crazy, but I actually want to hold the certs closer to the apps.
This might seem like a lot of trouble for two URLs. It is. My real case involves dozens of URLs. So it might might seem silly not to store all the certs in one place. But there are 'organizational considerations' which make it advantageous to administer them separately.
So basically, I want to use SNI for pure forwarding and defer SSL termination to downstream.
Thanks for reading. I expect to learn a lot from this!
What you're trying to do doesn't rely on an HTTP reverse proxy but on a reverse proxy at the TCP connection level, with the additional capability of being able to recognise an SSL/TLS Client Hello, look for the Server Name extension and dispatch accordingly.
I realise this isn't quite the answer you're looking for, but I wouldn't look at HTTP servers for this.
It looks like this project might be able to do this (I haven't tried).
My client ask me to do reverse ssl on his website. But i'm new on this term. Can anyone help me about this.
Please describe or refer how to do it.
Check out this wiki article.
In the case of secure websites, the SSL encryption is sometimes not
performed by the web server itself, but is instead offloaded to a
reverse proxy that may be equipped with SSL acceleration hardware.
"Doing" reverse SSL means choosing a system/server and configuring it. You should start by asking your client whether they already have a reverse proxy in place or if one needs to be set up.
So setting up reverse SSL (like standard SSL) should not impact your web site's design, the backing code and data store etc. It is Transport Level Security (TLS) and might actually be outside the bounds of the contract with your client.
One use case would be running Apache Tomcat behind an Apache Web Server which handles SSL and acts as reverse proxy. Your client should specify more specifically.
I have an HTTP server which is in our internal network and accessible only from inside it. I would like to put another server that would listen to an HTTPS port accessible from outside, and forward the requests to that HTTP server (and send back the responses via HTTPS). I know that there are several ways to do this with some programming involved (and I myself made a temporary solution with Tomcat and a very simple servlet I wrote), but is there a way to do the same just plugging parts already made (like Apache + modules)?
This is the sort of use-case that stunnel is designed for. There is a specific example of using stunnel to wrap an HTTP server.
You should consider whether this is really a good idea, though. Web applications designed for use inside a corporate firewall are often fairly lax about security. Merely encrypting the connections prevents casual eavesdropping, but does not secure the site. If an attacker finds your outward facing server and starts connecting to it, they can still try to find exploitable flaws in the web service (SQL injection, cross-site scripting, etc).
With Apache look into mod_proxy.
Apache 2.2 mod_proxy docs
Apache 2.0 mod_proxy docs
I have been looking around to figure out how to configure Glassfish front ended with Apache. And most of the tutorials using the load balancing plug in is making me enable SSL on Apache. I am trying to understand the connection. I should be able to do non SSL communications when I dont have a need for SSL.
There are several blog posts showing how you can use Apache in front of Glassfish. There are several options and depending on your needs, different strategies might be the most appropriate.
I've used Apache with mod_jk which forwards requests to Glassfish - both https and regular http. Lots of good references here.
It's possible to use other modules in Apache also like mod_proxy, but again the requirements you have will flesh out the most appropriate.
Glassfish also have pretty good http engine inside of it where you can configure virtual hosts like in apache. If the load on the Glassfish server isn't to big, you might consider just using Glassfish without anything in front of it.
You can also use the Sun Java System Web Server SJSWS instead of Apache. Despite it's atrocious name, it is just Sun's web server (free to use). It can be used as a reverse proxy (PDF). The SJWS/Glassfish combination is presumably tested really well by Sun.