I should read the docs... I know...
but the quick question is why all connections appear from localhost?
With proper ip header rewriting rules that should not happen.

mic

On 01 March 2012 04:49, drelyn86 <drelki...@gmail.com> wrote:
> It just forwards the connection like a reverse proxy, so no MITM is caused.
> Why would I need to completely disable session cookies?
>
> Anyway... I was thinking about this more, and I remembered that the current
> scaffolding app's method of preventing security breaches through generic
> views is by disabling generic views unless you are on localhost (see line 27
> of models/db.py in version 1.99.4). Since everything on SSL appears to be
> coming from localhost while using SSLH, I should disable generic patterns
> completely.
>
>
> On Monday, February 27, 2012 8:41:30 AM UTC-5, Ross Peoples wrote:
>>
>> I would be interested to see if SSH can actually be forwarded without
>> triggering a man-in-the-middle error.
>>
>> I'm not sure on the first question, but I would guess that you would want
>> to disable everything except your app.
>>
>> At the bottom of the db.py model, just put "session.forget(request)". This
>> will still create cookies, I think but will not actually use them. Not sure
>> on this one. Maybe someone else has a better answer for turning cookies off
>> completely.
>>
>> In your model, I would also disable anything you don't need: db, mail,
>> auth, etc.
>>
>> On Sunday, February 26, 2012 1:09:21 PM UTC-5, t13one wrote:
>>>
>>> I'm thinking about setting up SSLH on my personal server.
>>>
>>> From http://freecode.com/projects/sslh:
>>> ----
>>>
>>> > sslh accepts HTTPS, SSH, OpenVPN, tinc, and XMPP connections on the
>>> > same port. This makes it possible to connect to any of these servers
>>> > on port 443 (e.g., from inside a corporate firewall, which almost
>>> > never blocks port 443) while still serving HTTPS on that port.
>>>
>>> In short summary (and to my limited understanding), SSLH works by
>>> forwarding the connection from the sslh daemon to either the ssh server
>>> or the web-server (among other options). This means all SSL connections
>>> will ultimately appear to be connecting to apache/web2py via 127.0.0.1.
>>>
>>> Are there any security concerns with this? Should I disable admin and
>>> appadmin completely?
>>>
>>> How are session cookies affected?
>>>
>>> Would any other functionality be affected?

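Added example, not code from the thread, from sslh or from web2py: a toy model of the behaviour t13one describes (sslh peeks at the first bytes, picks a backend, and opens its own TCP connection to it, so the backend sees sslh's address as the peer) and of the scaffolding-style "generic views only when local" gate drelyn86 refers to. The protocol signatures are the well-known first bytes of an SSH banner and a TLS record header; the backend names, addresses and sample client data are constructed for the example.

```python
"""
Toy model of sslh-style demultiplexing and its effect on a
"peer is localhost" check.  Not sslh's or web2py's code.
"""

SSLH_ADDR = "127.0.0.1"  # sslh runs on the same host as the backends (assumption)


def classify(first_bytes: bytes) -> str:
    """Guess the protocol from the first bytes a client sends, as sslh's probes do."""
    if first_bytes.startswith(b"SSH-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version major 0x03
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        return "tls"
    return "other"


def forward(client_addr: str, first_bytes: bytes) -> dict:
    """Model plain (non-transparent) sslh forwarding and return what the backend observes."""
    proto = classify(first_bytes)
    # Backend names are made up; unknown traffic falls through to the web server.
    backend = {"ssh": "sshd:22", "tls": "apache:443"}.get(proto, "apache:443")
    # sslh opens a new connection from itself, so the backend's peer is sslh, not the client.
    return {"backend": backend, "peer_addr": SSLH_ADDR, "real_client": client_addr}


def generic_patterns_naive(peer_addr: str) -> list:
    """Scaffolding-style gate: enable generic views only when the peer looks local."""
    return ["*"] if peer_addr in ("127.0.0.1", "::1") else []


def generic_patterns_behind_sslh(peer_addr: str) -> list:
    """The thread's conclusion: behind a forwarder the peer address says nothing, so never enable them."""
    return []


if __name__ == "__main__":
    # Constructed sample inputs: an SSH client and a browser, both from public addresses.
    samples = [
        ("203.0.113.7", b"SSH-2.0-OpenSSH_8.9\r\n"),
        ("198.51.100.23", bytes([0x16, 0x03, 0x01, 0x02, 0x00, 0x01])),
    ]
    for addr, head in samples:
        seen = forward(addr, head)
        print(seen["real_client"], "->", seen["backend"],
              "peer seen by backend:", seen["peer_addr"],
              "naive gate:", generic_patterns_naive(seen["peer_addr"]),
              "hardened gate:", generic_patterns_behind_sslh(seen["peer_addr"]))
```

Run it and every public client shows up at the backend as 127.0.0.1, so the naive gate opens generic views for everyone; the hardened gate keeps them off regardless of peer address. The "ip header rewriting" mic mentions corresponds to sslh's transparent mode (`--transparent`, which needs matching iptables and routing rules on the host) so that the backend sees the client's real source address and the peer-based check means what it says again.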