Basic guide About Explicit SSL bumping

Explicit SSL bumping, also known as “SSL interception,” is a feature of some reverse proxies and security appliances that allows the proxy to decrypt, inspect, and re-encrypt SSL/TLS-encrypted traffic.

The proxy acts as a man-in-the-middle, decrypting incoming SSL/TLS traffic and re-encrypting it before forwarding it to the destination server. This allows the proxy to inspect and filter the encrypted traffic based on various security policies, such as filtering out malicious traffic, monitoring and controlling data transfers, and enforcing content filtering.

Explicit SSL bumping is typically used in enterprise networks to provide additional security and control over network traffic. However, it can also introduce security risks and violate the privacy of encrypted communication. It’s important to carefully consider the use of explicit SSL bumping and weigh the security benefits against the privacy risks before deploying it in a network.

To enable SSL bump in HAProxy, follow these steps:

1. Obtain an SSL certificate and key. You can either generate a self-signed certificate or obtain one from a certificate authority.
2. Create a new HAProxy frontend and backend configuration. In the frontend configuration, specify the SSL certificate and key with the crt and key options, and enable SSL with the ssl option. In the backend configuration, specify the target servers to which HAProxy will forward requests.
3. In the frontend configuration, add a reqadd directive to insert a header indicating that SSL bumping is in effect. The backend servers can use this header to determine whether a request has been SSL-bumped.
4. In the backend configuration, check the header inserted by HAProxy: use the http-request set-header directive to add a second header indicating that SSL bumping has taken place, so the backend servers see an explicit marker.
5. Start or reload HAProxy with the new configuration.
Here’s an example HAProxy configuration that demonstrates SSL bumping:

global
        log 127.0.0.1 local0 notice
        maxconn 4096
        user haproxy
        group haproxy

defaults
        log global
        mode http
        option httplog
        option dontlognull
        retries 3
        option redispatch
        timeout connect 5000
        timeout client 50000
        timeout server 50000

frontend http-in
        bind *:80
        mode http
        # Overwrite, never append: a client on port 80 must not be able to
        # supply its own X-Forwarded-Proto or X-SSL-Bumped values
        http-request set-header X-Forwarded-Proto http
        http-request del-header X-SSL-Bumped
        default_backend servers

frontend https-in
        # crt takes one PEM file holding the certificate chain and the private key
        bind *:443 ssl crt /path/to/cert.pem
        mode http
        # reqadd was removed in HAProxy 2.1; set-header replaces it and also
        # discards any client-supplied copy of the header
        http-request set-header X-Forwarded-Proto https
        http-request del-header X-SSL-Bumped
        default_backend servers

backend servers
        mode http
        balance roundrobin
        # TLS is terminated at the proxy: the backends receive plain HTTP on port 80
        server server1 192.168.1.100:80 check
        server server2 192.168.1.101:80 check
        # Mark the request only when the https-in frontend set the proto header
        http-request set-header X-SSL-Bumped true if { hdr(X-Forwarded-Proto) -i https }
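To see why the frontends should overwrite these headers rather than append to them (steps 3 and 4 above), here is an added Python model of the header handling, not code from the original post or from HAProxy itself: it reproduces add-header versus set-header semantics and the backend's hdr() match, and runs them over constructed requests, including a plain-HTTP client that pre-sets the proxy's headers itself.

```python
from typing import List, Tuple

Headers = List[Tuple[str, str]]  # ordered pairs; duplicates allowed, as in HTTP

def add_header(headers: Headers, name: str, value: str) -> Headers:
    """reqadd / http-request add-header: append, keeping any existing copies."""
    return headers + [(name, value)]

def del_header(headers: Headers, name: str) -> Headers:
    """http-request del-header: drop every copy (header names are case-insensitive)."""
    return [(n, v) for n, v in headers if n.lower() != name.lower()]

def set_header(headers: Headers, name: str, value: str) -> Headers:
    """http-request set-header: drop every existing copy, then add exactly one."""
    return del_header(headers, name) + [(name, value)]

def hdr(headers: Headers, name: str) -> List[str]:
    """All values of a header, like HAProxy's hdr() fetch."""
    return [v for n, v in headers if n.lower() == name.lower()]

def frontend(headers: Headers, tls: bool, hardened: bool) -> Headers:
    """http-in (tls=False) or https-in (tls=True) from the configuration above."""
    if not hardened:
        # As first written: reqadd on https-in only; http-in forwards client headers untouched.
        return add_header(headers, "X-Forwarded-Proto", "https") if tls else headers
    # Hardened: both frontends overwrite the proto and strip any client-set flag.
    headers = set_header(headers, "X-Forwarded-Proto", "https" if tls else "http")
    return del_header(headers, "X-SSL-Bumped")

def backend(headers: Headers) -> Headers:
    """http-request set-header X-SSL-Bumped true if { hdr(X-Forwarded-Proto) -i https }
    The hdr() fetch matches when ANY value of that header equals the pattern."""
    if any(v.lower() == "https" for v in hdr(headers, "X-Forwarded-Proto")):
        return set_header(headers, "X-SSL-Bumped", "true")
    return headers

def bumped_flag(client_headers: Headers, tls: bool, hardened: bool) -> List[str]:
    """X-SSL-Bumped values the backend server finally receives for one request."""
    return hdr(backend(frontend(client_headers, tls, hardened)), "X-SSL-Bumped")

# Constructed requests: an honest client, and a plain-HTTP client that pre-sets
# the proxy's own headers in the hope that the backend trusts them.
HONEST = [("Host", "example.test")]
SPOOFED = [("Host", "example.test"), ("X-Forwarded-Proto", "https"), ("X-SSL-Bumped", "true")]

if __name__ == "__main__":
    print("original config, pre-set headers over :80 ->", bumped_flag(SPOOFED, False, False))  # ['true']
    print("hardened config, pre-set headers over :80 ->", bumped_flag(SPOOFED, False, True))   # []
    print("hardened config, honest client over :443  ->", bumped_flag(HONEST, True, True))     # ['true']
```

The backend rule is the same in both runs; only the frontends' overwrite-and-strip behaviour decides whether a client-supplied value reaches it.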


About the Author

Trần Huy
