Orenosp Secure Reverse Proxy 1.2.8a Win + Linux



Orenosp is a secure reverse proxy and load-balancer for HTTP/HTTPS and a secure port forwarder for many TCP-based applications. It can be used as a low-cost alternative to VPNs using IPSec or PPTP. Orenosp runs on Windows platforms (NT, 2000, XP and 2003), Linux x86, and Mac OS X.


Uses (Examples)

* Securely make internal web applications available to external users.
* Securely make Remote Desktop access to internal PCs available to external users.

Features

* Client-less, trouble-free, restricted VPN access
* A single gate that needs to be configured and monitored.
* Can be placed in DMZ while all other servers can be placed in the LAN.
* It has a LAN monitor in which you can scan your LAN and monitor status of found PCs, and wake up and shut down the PCs (Wake-on-LAN).
* Numerous user authentication schemes supported: File-based, HTTP-based, ActiveDirectory, RADIUS.
* Enables name-based SSL virtual-hosting of backend applications (TLS SNI)

Objectives
At the server side on the Internet, Orenosp serves three objectives.

Protect Web Servers in Your LAN

* SSL-enable any non-SSL http servers
Plug-in solution to SSL-enable any non-SSL HTTP servers or devices (like a router or print server) without any reconfiguration of such servers, thus enabling remote management of such a device over the Internet. It can run on a different machine than the HTTP server, so it can off-load SSL work from the server machine.
* Inspect SSL-encrypted communications at the secure proxy
Regular firewalls cannot look into encrypted channel data because SSL provides end-to-end encryption. Orenosp can accept an SSL connection from a client, decrypt the data, apply many security filters and/or input transformations, and then re-encrypt the data to forward it to SSL-protected backend servers.
* Nimda filter
Can filter out any requests that match with user-specified URL patterns. Those requests are discarded and can be optionally logged to a dedicated log file.
* General request filter
You can also filter on many attributes, including max length of URL, 8-bit char URL, length of POST data, or chunked encoded request. You can also enforce a "no hot link/deep link" policy on your server by checking the Referer field in requests.
* User Authentication
There are three authentication methods: form-based authentication using html pages, HTTP basic authentication, and SSL client authentication. The form-based authentication provides you with a set of customizable HTML pages for authentication process.
  o Both the form-based authentication and HTTP basic authentication can also use many types of external authentication servers. They can send the username and password to an external authentication server to verify passwords. Currently supported authentication services are: HTTP/HTTPS, file-based (passwd.txt file), LDAP (ActiveDirectory) and RADIUS. In the Linux and Mac OS X versions, you can also use PAM as an external authentication service, enabling you to use the various authentication methods supported by PAM.
  o Orenosp can pass the user credential for HTTP basic auth and form-based auth to backend servers as an HTTP basic user credential. You can effectively convert an HTTP basic auth system to a form-based auth system.
* Dynamic IP-based Access Control
Orenosp can restrict client access by client IP address. The list of restricted IP address patterns can be stored in plain text files and can be dynamically modified and reloaded. For example, a CGI program can append to the text file the client IP address to which it wants to forbid access. Orenosp then detects the file's modification and reloads the IP address patterns. Dynamic IP-based Access Control can be enabled in two ways, either per-request access control or per-connection access control. The former method offers flexibility while the latter can be used to thwart SSL handshake DoS attacks.
* Protect backend web servers against overload
Orenosp limits the number of frontend connections to a fixed number. It also has a limit on the degree of concurrency in request processing. Orenosp has a keepalive queue and a pending request queue to achieve these limits. Orenosp is capable of sustaining 1000 keepalive and request-pending HTTPS (SSL) connections with a mere 5MB memory overhead. If the 1000 HTTPS connections hit a regular OpenSSL-based web server, the result would be more than 50MB of memory overhead. A multi-process Apache would eat even more memory. You can safely let Orenosp handle these front connections, with backend connections being aggregated at the same time.
* Prevent Information Leakage
Some poorly managed web servers expose information that is not intended for publication on the web. With Orenosp's nimda filter and rewrite filter, you can prevent sensitive information from being inadvertently published. See this document for detail.
* Sending Log Records to a Remote Logging Service
Access logs are among the most crucial information from a security standpoint. Orenosp can send log records from the access log, performance log and nimda log to a remote Logging Service on an audit log PC in a more protected area. The Logging Service authenticates remote logging connections and also uses SSL to encrypt communication channels. You don't need to worry about punching a hole by opening up an unauthenticated, non-encrypted port on the audit log PC.
Using this feature you can also merge logs from multiple Orenosp/Orenosv services into a single log stream. It will come in handy when you have a farm of Orenosp/Orenosv machines.
* Connection Monitoring
With the monitoring module, you can monitor the list of all connections that are going through Orenosp. See example.
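
The reload-on-modification behaviour described under "Dynamic IP-based Access Control" above, sketched as an added example; this is not Orenosp's code or configuration format. The `DenyList` class, the file name `deny.txt` and the one-address-or-CIDR-per-line syntax with `#` comments are assumptions made for the illustration.

```python
import ipaddress
import os
import tempfile

class DenyList:
    """IP deny list read from a text file, reloaded when the file changes."""

    def __init__(self, path):
        self.path = path
        self._stamp = None   # (mtime_ns, size) of the version last loaded
        self._nets = []
        self.reloads = 0

    def _refresh(self):
        try:
            st = os.stat(self.path)
        except FileNotFoundError:
            return           # keep the last good list instead of failing open
        stamp = (st.st_mtime_ns, st.st_size)  # size catches coarse-mtime edits
        if stamp == self._stamp:
            return
        nets = []
        with open(self.path, encoding="ascii", errors="replace") as fh:
            for line in fh:
                entry = line.split("#", 1)[0].strip()
                try:
                    if entry:
                        nets.append(ipaddress.ip_network(entry, strict=False))
                except ValueError:
                    pass     # skip a malformed line, keep the rest
        self._nets, self._stamp = nets, stamp
        self.reloads += 1

    def is_denied(self, client_ip):
        """Call per request, or once at accept() before the TLS handshake."""
        self._refresh()
        addr = ipaddress.ip_address(client_ip)
        return any(addr.version == n.version and addr in n for n in self._nets)

def demo():
    """Constructed sample: a second writer appends an address at run time."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "deny.txt")   # hypothetical file name
        with open(path, "w") as fh:
            fh.write("# constructed sample\n203.0.113.0/24\nnot-an-ip\n")
        deny = DenyList(path)
        before = deny.is_denied("198.51.100.7")
        with open(path, "a") as fh:          # e.g. a CGI script blocking a client
            fh.write("198.51.100.7\n")
        after = deny.is_denied("198.51.100.7")
        return before, after, deny.is_denied("203.0.113.9"), deny.reloads
```

Checking at accept time, before any handshake work, is what makes the per-connection mode useful against handshake floods; the per-request mode picks up a newly appended address on connections that are already open.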

Distribute Workload among Multiple Web Servers

* HTTP Request Router and Redirector
You can reverse-proxy to multiple backend servers, based on virtual hostnames, listen IP address/port or virtual paths. You can reverse-proxy WebDAV requests as well. (Orenosp supports WebDav by automatically rewriting DAV request and response bodies.)
You can also do true HTTP redirects, for example, to lead users to secure pages. Because Orenosp resolves the hostname when a request arrives, your web servers (internal PCs) no longer have to be assigned static IP addresses.
* Content-Based HTTP Request/Session Routing
You can implement routing rules for HTTP sessions based on your application's data. This is accomplished by your application issuing an HTTP cookie that designates the backend server that this session should be routed to. With this capability, you can implement application-partitioning of servers, while maintaining a single server image.
For example, a large webmail server can partition users into three groups for each of which a dedicated backend server exists. Upon user's login to the webmail, the login server will issue a routing cookie. Orenosp will use that cookie value to determine the destination of the session's requests. Throughout the process, the end user will only see a single URL (virtual server).
* HTTP Load-Balancer for Highly Available Web Sites
With load-balancing, you can distribute HTTP request processing among multiple equivalently configured backend servers. Session persistence is achieved using an HTTP cookie.
All nodes in a load-balanced group are proactively health-checked by ICMP (IP-level "ping") packets. If a node is removed from the network, Orenosp will automatically forward existing connections to other online nodes.
* Content Rewrite Filter
When you put an HTTP server behind a reverse proxy, you can no longer use "absolute URLs" that point to pages on the same reverse-proxied server. Furthermore, if you have multiple HTTP servers whose pages are linked by HTML links, you have to write the links as external URLs. However, you can then no longer access those servers from within the internal network. A solution is to have the reverse proxy automatically convert internal URLs appearing in HTML pages to external ones. Orenosp has content rewrite filters to do that job. There are two filters. One is a simple content rewriting filter that replaces internal URLs with the corresponding external URLs on HTML pages by a simple search-and-replace technique. The other filter accepts regular expression patterns and can be used to achieve more complex rewrites, such as adding common headers and footers to HTML pages. As an application of these filters, Orenosp has a feature that automatically rewrites URLs in HTML content to the proper ones. Just turn on this feature and Orenosp will take care of the rest of the configuration.
* Performance Logging
Aside from regular access logging, Orenosp can log the response time of requests to backend servers. For example, you can pinpoint specific requests that take more than 2 seconds.
* IPv6 support
Can publish an HTTP server in an IPv4 LAN to an IPv6 network. The opposite is also possible. With automatic URL rewrite, Orenosp should be able to translate IPv4 addresses appearing in HTML files to IPv6 addresses and vice versa. The IPv6 version is a separate binary because it does not support Windows NT 4.0 (orenospXXXi6.exe is the IPv6 version).

Control Internet Resource Usage by Your Web Servers

* A single global IP address
Multiple servers can publish via a single global IP address by using virtual hostnames.
* Aggregating multiple servers into one virtual server
You can also aggregate multiple internal servers into a single external virtual server, differentiating services with distinct paths in URL. This will save you the cost of having multiple domain names.
* Aggregating backend connections
Because Orenosp caches and reuses backend connections (both TCP and SSL connections), it will alleviate connection load on backend servers.
* HTTP content compression
Reduce content size to save bandwidth usage. HTTP compression can be applied to any text files such as HTML/XML whether they are static or dynamically generated. Many dynamically generated, report-type HTML/XML files can achieve significant compression ratio such as 90%. In SSL + compression setup, this can also reduce CPU usage.
* Bandwidth Control (Throttling)
You can control network bandwidth usage of the reverse proxy to the level of virtual hosts and even URL groups.
* Tunneling non-HTTP application protocols through a single HTTPS port
You can securely tunnel some non-HTTP application protocols using only a single HTTPS port (443). See Secure Port Forwarding.

Other Features

* Orenosp uses OpenSSL Toolkit developed by the OpenSSL Project (http://www.openssl.org/).

* Operates as an NT service.
* Interoperable with major HTTP/1.1 web servers including IIS and Apache.
* Includes a very simplified SSL certificate generator (gencert), which is suitable for most simple configurations. For more sophisticated configurations, you can use the OpenSSL utility to manage certificates.

Features Not Planned

* High load environment
For commercial use, an SSL appliance is recommended. However, Orenosp should be able to handle several hundred SSL and TCP connections.

Usage Examples

* Securely Publish OWA (Outlook Web Access) of Exchange Server
You can also load-balance multiple OWA front-end servers.
* Securely Publish WSS (Windows SharePoint Services)
* Securely Publish Windows Remote Desktop, Terminal Services, and VNCs
* Securely Publish Existing Internal Web Servers to the Internet
You can hide internal hostnames and aggregate internal services into one virtual server.
* Make Internet-bound Public Web Servers Available to the Intranet Users
Orenosp can translate external hostnames into internal hostnames.
* Securely Publish Multiple Network Cameras.



Size - 7MB
