It just forwards the connection like a reverse proxy, so no MITM is caused. Why would I need to completely disable session cookies?
Anyway... I was thinking about this more, and I remembered that the current scaffolding app's method of preventing security breaches through generic views is by disabling generic views unless you are on localhost (see line 27 of models/db.py in version 1.99.4). Since everything on SSL appears to be coming from localhost while using SSLH, I should disable generic patterns completely.

On Monday, February 27, 2012 8:41:30 AM UTC-5, Ross Peoples wrote:
>
> I would be interested to see if SSH can actually be forwarded without
> triggering a man-in-the-middle error.
>
> I'm not sure on the first question, but I would guess that you would want
> to disable everything except your app.
>
> At the bottom of the db.py model, just put "session.forget(request)". This
> will still create cookies, I think, but will not actually use them. Not sure
> on this one. Maybe someone else has a better answer for turning cookies off
> completely.
>
> In your model, I would also disable anything you don't need: db, mail,
> auth, etc.
>
> On Sunday, February 26, 2012 1:09:21 PM UTC-5, t13one wrote:
>>
>> I'm thinking about setting up SSLH on my personal server.
>>
>> From http://freecode.com/projects/sslh:
>> ----
>>
>> > sslh accepts HTTPS, SSH, OpenVPN, tinc, and XMPP connections on the
>> > same port. This makes it possible to connect to any of these servers
>> > on port 443 (e.g., from inside a corporate firewall, which almost
>> > never blocks port 443) while still serving HTTPS on that port.
>>
>> In short summary (and to my limited understanding), SSLH works by
>> forwarding the connection from the sslh daemon to either the ssh server
>> or the web-server (among other options). This means all SSL connections
>> will ultimately appear to be connecting to apache/web2py via 127.0.0.1.
>>
>> Are there any security concerns with this? Should I disable admin and
>> appadmin completely?
>>
>> How are session cookies affected?
>>
>> Would any other functionality be affected?
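The failure mode the thread settles on (a "localhost only" gate for generic views that every sslh-forwarded client passes, because the backend sees 127.0.0.1) modelled as an added Python example. This is not code from the thread or from web2py itself; the `Request` class, `as_seen_by_webserver` and the two `*_generic_patterns` functions are hypothetical stand-ins for the scaffolding rule the reply cites, and the client address is a constructed sample from the documentation range.

```python
# Added example, not from the thread or from web2py. It models a gate that
# enables generic views only for loopback clients and shows what a TCP-level
# forwarder such as sslh does to it: sslh accepts on :443 and opens a fresh
# loopback connection to the backend, so the backend's remote address is
# 127.0.0.1 for every forwarded client. All names below are hypothetical.

import ipaddress
from dataclasses import dataclass

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")


@dataclass
class Request:
    """Minimal stand-in for the request fields the gate looks at."""
    remote_addr: str
    is_https: bool

    @property
    def is_local(self) -> bool:
        # Approximates an "is the client on localhost" test.
        return ipaddress.ip_address(self.remote_addr) in LOOPBACK


def as_seen_by_webserver(real_client: str, is_https: bool, behind_sslh: bool) -> Request:
    """Build the request the backend actually observes.

    Without sslh the real client address survives; behind sslh the backend
    only ever sees the forwarder's loopback source address.
    """
    addr = "127.0.0.1" if behind_sslh else real_client
    return Request(remote_addr=addr, is_https=is_https)


def scaffold_generic_patterns(req: Request) -> list:
    """Rule the thread cites: generic views enabled only for local clients."""
    return ["*"] if req.is_local else []


def hardened_generic_patterns(req: Request) -> list:
    """The poster's conclusion: never enable generic views, whatever the address."""
    return []


def audit(real_client: str, behind_sslh: bool) -> dict:
    """Compare what each gate decides for one external HTTPS client."""
    req = as_seen_by_webserver(real_client, True, behind_sslh)
    return {
        "seen_as": req.remote_addr,
        "scaffold_generic_patterns": scaffold_generic_patterns(req),
        "hardened_generic_patterns": hardened_generic_patterns(req),
    }


if __name__ == "__main__":
    # Constructed sample client address (TEST-NET-3 documentation range).
    for behind in (False, True):
        print("behind sslh:", behind, audit("203.0.113.5", behind))
```

The address-based gate is sound only while the web server terminates the client's TCP connection itself; once sslh sits in front, `is_local` stops carrying any information about the real client, which is why the hardened variant ignores the address entirely.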