I'm building a reference network topology for a WebSocket chat application at work, and I'd like to clarify something for my own understanding.
The current topology involves a reverse proxy between the client and the server, where the client connects directly to the proxy. The backend has firewalls that only allow connections from the proxy.
The client can see the proxy's address in the page source or in the browser console. Would it be possible for a malicious client to trace the backend's address, and if so, would adding a second proxy be useful to mitigate this?
EDIT: Melin asked about my proxy and backend. I'm using WAMP for the proxy, mainly because it's based on Apache and out of prior familiarity with WAMP from before I graduated (which was about 8 months ago). Inside WAMP's Apache module, I've defined the virtual hosts that do the actual proxying, and Apache has been configured to listen only on the ports for these virtual hosts. I've added the configuration at the bottom of the post, minus the real addresses and paths used.
All of this runs on an internal network in the lab, so there are a few holes that won't be added in the production code, such as self-signed certificates for testing secure connections or disabling backend certificate verification.
## I've stripped this down to remove the comments, and just include the stuff that's enabled
## The Virtual Hosts are down at the bottom
Listen myServer:8080
Listen myServer:8443
# modules that are enabled
LoadModule access_compat_module modules/mod_access_compat.so
LoadModule actions_module modules/mod_actions.so
LoadModule alias_module modules/mod_alias.so
LoadModule allowmethods_module modules/mod_allowmethods.so
LoadModule asis_module modules/mod_asis.so
LoadModule auth_basic_module modules/mod_auth_basic.so
LoadModule authn_core_module modules/mod_authn_core.so
LoadModule authn_file_module modules/mod_authn_file.so
LoadModule authz_core_module modules/mod_authz_core.so
LoadModule authz_groupfile_module modules/mod_authz_groupfile.so
LoadModule authz_host_module modules/mod_authz_host.so
LoadModule authz_user_module modules/mod_authz_user.so
LoadModule autoindex_module modules/mod_autoindex.so
LoadModule cgi_module modules/mod_cgi.so
LoadModule dir_module modules/mod_dir.so
LoadModule env_module modules/mod_env.so
LoadModule headers_module modules/mod_headers.so
LoadModule include_module modules/mod_include.so
LoadModule isapi_module modules/mod_isapi.so
LoadModule log_config_module modules/mod_log_config.so
LoadModule mime_module modules/mod_mime.so
LoadModule negotiation_module modules/mod_negotiation.so
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_connect_module modules/mod_proxy_connect.so
LoadModule proxy_http_module modules/mod_proxy_http.so
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
LoadModule rewrite_module modules/mod_rewrite.so
LoadModule setenvif_module modules/mod_setenvif.so
LoadModule socache_shmcb_module modules/mod_socache_shmcb.so
LoadModule ssl_module modules/mod_ssl.so
LoadModule xml2enc_module modules/mod_xml2enc.so
LoadModule php5_module "c:/wamp/bin/php/php5.5.12/php5apache2_4.dll"
ServerName myServer
#
# Deny access to the entirety of your server's filesystem. You must
# explicitly permit access to web content directories in other
# <Directory> blocks below.
#
<Directory />
AllowOverride none
Require all denied
</Directory>
DocumentRoot "c:/wamp/www/"
<Directory "c:/wamp/www/">
#
# Possible values for the Options directive are "None", "All",
# or any combination of:
# Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important. Please see
# http://httpd.apache.org/docs/2.4/mod/core.html#options
# for more information.
#
Options Indexes FollowSymLinks
#
# AllowOverride controls what directives may be placed in .htaccess files.
# It can be "All", "None", or any combination of the keywords:
# AllowOverride FileInfo AuthConfig Limit
#
AllowOverride None
#
# Controls who can get stuff from this server.
#
Require all granted
</Directory>
#
# DirectoryIndex: sets the file that Apache will serve if a directory
# is requested.
#
<IfModule dir_module>
DirectoryIndex index.php index.php3 index.html index.htm
</IfModule>
#
# The following lines prevent .htaccess and .htpasswd files from being
# viewed by Web clients.
#
<Files ".ht*">
Require all denied
</Files>
#
# Customizable error responses come in three flavors:
# 1) plain text 2) local redirects 3) external redirects
#
# Some examples:
ErrorDocument 500 "The server made a boo boo."
#ErrorDocument 404 /missing.html
#ErrorDocument 404 "/cgi-bin/missing_handler.pl"
#ErrorDocument 402 http://www.example.com/subscription_info.html
#
# Secure (SSL/TLS) connections
#Include conf/extra/httpd-ssl.conf
#
# Note: The following must be present to support
# starting without SSL on platforms with no /dev/random equivalent
# but a statically compiled-in mod_ssl.
#
<IfModule ssl_module>
SSLRandomSeed startup builtin
SSLRandomSeed connect builtin
</IfModule>
#
# uncomment out the below to deal with user agents that deliberately
# violate open standards by misusing DNT (DNT *must* be a specific
# end-user choice)
#
#<IfModule setenvif_module>
#BrowserMatch "MSIE 10.0;" bad_DNT
#</IfModule>
# set up a reverse proxy here inside a virtual host on port 8080
<VirtualHost *:8080>
ServerName proxyserver
# turning off ProxyRequests turns this into a closed server - recommended for security reasons
# ProxyPreserveHost passes the Host: line from the incoming request to the proxied host
# ProxyVia controls the use of the Via: HTTP header. If turned on, each request and reply has a Via: header added for this host
ProxyRequests Off
ProxyPreserveHost On
ProxyVia On
# Anything inside this applies only to matching proxied content
# in this case, it allows connections from everything that connects to this server - could be changed later
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# turn on full logging - not strictly needed, but useful
LogLevel debug
#SSLProxyEngine On
# this is the actual redirection: anything coming in on port 8080 which ends in /chat
# will be redirected to the backend servlet at the following address
<Location /chat>
ProxyPass ws://<Backend:Normal_Port>/path/to/chat
ProxyPassReverse ws://<Backend:Normal_Port>/path/to/chat
</Location>
</VirtualHost>
<VirtualHost *:8443>
ServerName SSLProxyServer
# turning off ProxyRequests turns this into a closed server - recommended for security reasons
# ProxyPreserveHost passes the Host: line from the incoming request to the proxied host
# ProxyVia controls the use of the Via: HTTP header. If turned on, each request and reply has a Via: header added for this host
ProxyRequests Off
ProxyPreserveHost On
ProxyVia On
# give the proxy a 10-minute timeout for development
ProxyTimeout 600
# Anything inside this applies only to matching proxied content
# in this case, it allows connections from everything that connects to this server - could be changed later
# e.g. Deny from all, followed by Allow from frontend.example.com would permit connections only from frontend.example.com
<Proxy *>
Order deny,allow
Allow from all
</Proxy>
# turn on full logging - not strictly needed, but useful
LogLevel debug
# to actually use SSL, turn on the SSL engine!
SSLEngine On
SSLProxyEngine On
# disable cert verification for backend *for development*
# this is due to the backend cert being self-signed during testing
SSLProxyVerify none
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off
# link to the certificate and key for this server
SSLCertificateFile "path\to\certificate"
SSLCertificateKeyFile "path\to\key"
# this is the actual redirection: anything coming in on port 8443 which ends in /chat
# will be redirected to the backend servlet at the following address
<Location /chat>
ProxyPass wss://<Backend:Secure_Port>/path/to/chat
ProxyPassReverse wss://<Backend:Secure_Port>/path/to/chat
</Location>
</VirtualHost>
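An added example, not part of the original question or its configuration: the backend address lives only in the server-side `ProxyPass` lines and is never sent to the browser, so what a client can actually observe is the set of response headers the proxy emits (the posted config's `ProxyVia On` adds a `Via:` header naming the proxy host, as its own comment says). The script below audits a condensed copy of the question's SSL virtual host for directives that disclose proxy details or weaken the proxy-to-backend leg, checks that every `ProxyPass` has a matching `ProxyPassReverse` (without it, a redirect from the backend reaches the client with the backend's own hostname in `Location:`), and lists the disclosing headers in a constructed WebSocket handshake reply. The backend hostname `backend.example.internal`, the sample reply and the rule set are assumptions made for this example.

```python
"""Audit an Apache reverse-proxy config for directives that disclose proxy
details to clients or weaken the proxy-to-backend leg, and list the response
headers a client can use to learn about the proxy. Example code added to this
page; not from the original post."""
import re
from typing import Dict, List, Tuple

# Constructed sample condensing the question's SSL virtual host; the backend
# hostname is a placeholder chosen for this example.
SAMPLE_CONF = """
<VirtualHost *:8443>
  ServerName SSLProxyServer
  ProxyRequests Off
  ProxyVia On
  LogLevel debug
  SSLProxyEngine On
  SSLProxyVerify none
  SSLProxyCheckPeerName off
  <Location /chat>
    ProxyPass wss://backend.example.internal:8443/path/to/chat
  </Location>
</VirtualHost>
"""

# Constructed WebSocket handshake reply as the browser would see it from the proxy.
SAMPLE_RESPONSE = (
    "HTTP/1.1 101 Switching Protocols\r\n"
    "Upgrade: websocket\r\n"
    "Connection: Upgrade\r\n"
    "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    "Via: 1.1 SSLProxyServer\r\n"
    "Server: Apache/2.4 (Win64)\r\n"
    "\r\n"
)

Finding = Tuple[str, str, str]  # (enclosing block, config line, message)

# (directive pattern, argument pattern, message); both matched case-insensitively
RULES = [
    (r"ProxyVia", r"^(On|Full)$",
     "adds a 'Via:' header naming this proxy host to every request and reply"),
    (r"ProxyRequests", r"^On$",
     "enables forward proxying; keep Off for a reverse proxy"),
    (r"SSLProxyVerify", r"^none$",
     "backend certificate not verified; the proxy-to-backend leg can be intercepted unnoticed"),
    (r"SSLProxyCheckPeer(CN|Name|Expire)", r"^off$",
     "backend certificate check disabled; acceptable only in the lab"),
    (r"LogLevel", r"^debug$",
     "debug logs record backend URLs; restrict who can read the log files"),
]

def parse(conf: str) -> List[Tuple[str, str, str]]:
    """(enclosing block, directive, args) per directive line; '#' comments dropped."""
    stack: List[str] = []
    out: List[Tuple[str, str, str]] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("</"):       # closing tag: leave the current block
            if stack:
                stack.pop()
        elif line.startswith("<"):      # opening tag: <VirtualHost ...>, <Location ...>
            stack.append(line.strip("<>"))
        else:
            directive, args = (line.split(None, 1) + [""])[:2]
            out.append((stack[-1] if stack else "(global)", directive, args.strip()))
    return out

def audit(conf: str) -> List[Finding]:
    """Apply RULES, then flag any block whose ProxyPass has no ProxyPassReverse."""
    findings: List[Finding] = []
    proxy_directives: Dict[str, set] = {}
    for block, directive, args in parse(conf):
        for d_re, a_re, msg in RULES:
            if re.fullmatch(d_re, directive, re.I) and re.search(a_re, args, re.I):
                findings.append((block, f"{directive} {args}", msg))
        if directive.lower() in ("proxypass", "proxypassreverse"):
            proxy_directives.setdefault(block, set()).add(directive.lower())
    for block, seen in proxy_directives.items():
        if "proxypassreverse" not in seen:
            findings.append((block, "ProxyPass",
                             "no ProxyPassReverse in this block; redirect headers are not rewritten"))
    return findings

DISCLOSING = {"via", "server", "x-powered-by"}

def disclosing_headers(raw: str) -> Dict[str, str]:
    """Headers (lower-cased name -> value) revealing proxy software or hop names."""
    head = raw.split("\r\n\r\n", 1)[0]
    found: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() in DISCLOSING:
            found[name.strip().lower()] = value.strip()
    return found

if __name__ == "__main__":
    for block, where, msg in audit(SAMPLE_CONF):
        print(f"[{block}] {where}: {msg}")
    print(disclosing_headers(SAMPLE_RESPONSE))
```

Run it against the real httpd.conf by reading the file into `audit()`; the point of the header function is that a second proxy in front of this one changes nothing about what these headers disclose, whereas setting `ProxyVia Off` and keeping `ProxyPassReverse` on every `ProxyPass` does.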