Re: [off topic] Configuring an IP blind Apache server

2006-05-01 Thread Jonathan D. Proulx

Thanks all,

rinetd seems the simplest solution.  I've already implemented it in
fact...I figure if someone wants to guess which port I'm running on
so they can have their IP logged I don't mind :)

Thanks,
-Jon


Re: [off topic] Configuring an IP blind Apache server

2006-05-01 Thread Dan Mahoney, System Admin

On Mon, 1 May 2006, Michael Holstein wrote:

>> The idea is a system wide solution that allows any user group to
>> install any semi-random PHP/MySQL frob without having to hack around
>> trying to find and disable its IP logging.
>
> Then do as Dan just suggested and forward it using your firewall .. advantage
> there is you can still "ban" a user if you see the need by inserting the
> appropriate DENY rule above your forward one.
>
> Note that other "things" in your network may still log the traffic though ..
> (most hardware firewalls, for example) .. so be sure you know what the
> end-to-end security is at least as far as your perimeter router.(*)

although, be forewarned, at least with the kernel answer above, if the 
address is on the same machine, you *will* see the source side of the TCP 
connection.  This is a "feature" of BSD's forwarding mechanism -- so 
rinetd may be better suited for this.  I had thought that you simply 
wanted a web server to not know which address it itself was listening on 
(which also works for this).

-Dan

> /mike.
>
> (*): well .. unless you use AT&T as an ISP, since we know they forward
> everything to the ($3_letter_agency) anyway.




--

"It would be bad."

-Egon Spengler, "Ghostbusters"

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: [off topic] Configuring an IP blind Apache server

2006-05-01 Thread Michael Holstein

> The idea is a system wide solution that allows any user group to
> install any semi-random PHP/MySQL frob without having to hack around
> trying to find and disable its IP logging.


Then do as Dan just suggested and forward it using your firewall .. 
advantage there is you can still "ban" a user if you see the need by 
inserting the appropriate DENY rule above your forward one.


Note that other "things" in your network may still log the traffic 
though .. (most hardware firewalls, for example) .. so be sure you know 
what the end-to-end security is at least as far as your perimeter router.(*)


/mike.

(*): well .. unless you use AT&T as an ISP, since we know they forward 
everything to the ($3_letter_agency) anyway.


Re: [off topic] Configuring an IP blind Apache server

2006-05-01 Thread Philippe Gauthier
Jonathan D. Proulx wrote:
> I'd like a _reverse_ anonymizing proxy, something that blinds Apache
> to the incoming IP addresses in client HTTP requests.  I run a
> webserver with a couple of virtual servers (in the apache sense not
> the Xen/VMWare sense) run by different people and I'd like to scrub
> the IP info from traffic before Apache gets it so that neither their
> vhost configs nor their CMS can log IPs even if they want to.
> 
> It seems like there should be a way to plumb in privoxy or something,
> but I can't quite think how.  Any suggestions or pointers?

I was thinking about this problem a while ago and found that a Squid web proxy
could be used to answer HTTP requests. Squid would then forward the requests to
another proxy (Privoxy); see:

http://www.squid-cache.org/Doc/FAQ/FAQ-4.html#ss4.9

There is some discussion of this method and security implications at:

http://wiki.noreply.org/noreply/TheOnionRouter/SquidProxy


-- 
Philippe Gauthier <[EMAIL PROTECTED]>





Re: [off topic] Configuring an IP blind Apache server

2006-05-01 Thread Jonathan D. Proulx
On Mon, May 01, 2006 at 04:09:28PM -0400, Michael Holstein wrote:
:>It seems like there should be a way to plumb in privoxy or something,
:>but I can't quite think how.  Any suggestions or pointers?
:
:Wouldn't it just be easier to edit your httpd.conf to change the log 
:format to *not* log the IP address?
:
:eg : take out the %h (for the IP address)
:
:LogFormat "%l %u %t \"%r\" %>s %b" common

Yes, I do that. I also redirect error logs to a script that scrubs IPs
out, since there isn't an Apache directive to do this.  But Content
Management Systems (CMS), message board software and other such things
often do their own logging into their database backends.

The idea is a system wide solution that allows any user group to
install any semi-random PHP/MySQL frob without having to hack around
trying to find and disable its IP logging.

-Jon


Re: [off topic] Configuring an IP blind Apache server

2006-05-01 Thread Dan Mahoney, System Admin

On Mon, 1 May 2006, Jonathan D. Proulx wrote:

Bind your apache instances to an RFC 1918 address, internally.

Use your kernel's IP forwarding functionality; with FreeBSD this would be 
done by a rule like "ipfw add 400 fwd 192.168.1.20,80 ip from any to 
realip 80"


Alternatively, stick it behind Thomas Boutell's excellent rinetd -- either 
approach will "nat" the request and rewrite the TCP connection without 
revealing that it's being rewritten.


-Dan



> Hi,
>
> My apologies in advance, this is clearly off topic, but I couldn't think
> where else to ask...so please reply directly to me.
>
> I'd like a _reverse_ anonymizing proxy, something that blinds Apache
> to the incoming IP addresses in client HTTP requests.  I run a
> webserver with a couple of virtual servers (in the apache sense not
> the Xen/VMWare sense) run by different people and I'd like to scrub
> the IP info from traffic before Apache gets it so that neither their
> vhost configs nor their CMS can log IPs even if they want to.
>
> It seems like there should be a way to plumb in privoxy or something,
> but I can't quite think how.  Any suggestions or pointers?
>
> Obviously running them as hidden services would fix this, but I don't
> want the services hidden per se.
>
> Thanks,
> -Jon



--

"SOY BOMB!"

-The Chest of the nameless streaker of the 1998 Grammy Awards' Bob Dylan
Performance.

Dan Mahoney
Techie,  Sysadmin,  WebGeek
Gushi on efnet/undernet IRC
ICQ: 13735144   AIM: LarpGM
Site:  http://www.gushi.org
---



Re: [off topic] Configuring an IP blind Apache server

2006-05-01 Thread Michael Holstein

> It seems like there should be a way to plumb in privoxy or something,
> but I can't quite think how.  Any suggestions or pointers?


Wouldn't it just be easier to edit your httpd.conf to change the log 
format to *not* log the IP address?


e.g.: take out the %h (for the IP address)

LogFormat "%l %u %t \"%r\" %>s %b" common

Complete docs :

http://httpd.apache.org/docs/1.3/logs.html#accesslog

Perhaps I'm missing something, but if all you want to do is have an 
Apache server that doesn't log what comes in, there are much easier ways 
than using Privoxy (et al.) to do it.


Cheers,

Michael Holstein CISSP GCIA
Cleveland State University
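Jon says he pipes his error log through a script that scrubs IPs, and Michael's fix for the access log is to drop %h from LogFormat. The following is an added example, not code from the thread or from Apache, that does both: a piped-log scrubber that recognises IPv4 and IPv6 literals (with an optional port, as Apache 2.4 writes them) and a LogFormat audit that also flags %a and X-Forwarded-For, which leak the client address just as %h does. The file paths in the usage comment are hypothetical.

```python
import ipaddress
import re
import sys

# Added example, not code from the thread. scrub_ips() is the kind of filter
# Jon pipes his ErrorLog through (Apache has no directive for it);
# client_ip_directives() audits a LogFormat the way Michael suggests (drop
# %h) and also flags %a and X-Forwarded-For, which leak the client just as
# %h does. Paths in the usage comment at the bottom are hypothetical.

# Candidate runs of address characters; each is parsed with ipaddress, so a
# time like 16:09:28 or a version like 1.3.37 is left alone.
CANDIDATE_RE = re.compile(r"[0-9A-Fa-f:.]{3,}")

def _is_ip(text):
    """True if text, or text minus a trailing ':port', is an IPv4/IPv6 literal."""
    for cand in (text, text.rpartition(":")[0]):
        try:
            ipaddress.ip_address(cand)
            return True
        except ValueError:
            continue
    return False

def scrub_ips(line, placeholder="[scrubbed]"):
    """Replace every IP literal (with optional port) in one log line."""
    def repl(m):
        tok = m.group(0)
        core = tok.rstrip(".:")  # keep sentence punctuation after the address
        return placeholder + tok[len(core):] if _is_ip(core) else tok
    return CANDIDATE_RE.sub(repl, line)

# LogFormat directives that record the client's address (Apache 1.3 through 2.4).
CLIENT_IP_DIRECTIVES = ("%h", "%a", "%{c}a", "%{x-forwarded-for}i")

def client_ip_directives(logformat):
    """Return the directives in a LogFormat string that would log the client IP."""
    found = []
    for tok in re.findall(r"%[<>]?(?:\{[^}]*\})?\w", logformat):
        tok = tok.replace("<", "").replace(">", "")  # drop redirect modifiers
        if tok.endswith("}i"):
            tok = tok.lower()  # header names are case-insensitive
        if tok in CLIENT_IP_DIRECTIVES:
            found.append(tok)
    return found

if __name__ == "__main__":
    # Piped-log mode, e.g. ErrorLog "|/usr/local/bin/scrub_ips.py /var/log/apache/error_log"
    # (hypothetical paths): Apache writes each line to our stdin.
    out = open(sys.argv[1], "a", buffering=1) if len(sys.argv) > 1 else sys.stdout
    for line in sys.stdin:
        out.write(scrub_ips(line))
```

Scrubbing the access and error logs only covers what Apache itself writes; as Jon notes, a CMS logging into its own database is untouched by this.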


[off topic] Configuring an IP blind Apache server

2006-05-01 Thread Jonathan D. Proulx
Hi,

My apologies in advance, this is clearly off topic, but I couldn't think
where else to ask...so please reply directly to me.

I'd like a _reverse_ anonymizing proxy, something that blinds Apache
to the incoming IP addresses in client HTTP requests.  I run a
webserver with a couple of virtual servers (in the apache sense not
the Xen/VMWare sense) run by different people and I'd like to scrub
the IP info from traffic before Apache gets it so that neither their
vhost configs nor their CMS can log IPs even if they want to.

It seems like there should be a way to plumb in privoxy or something,
but I can't quite think how.  Any suggestions or pointers?

Obviously running them as hidden services would fix this, but I don't
want the services hidden per se.

Thanks,
-Jon