On Tue, Mar 1, 2011 at 2:21 AM, bing <span dir="ltr"><<a href="mailto:bingb@tcsaa.com">bingb@tcsaa.com</a>></span> wrote:<br><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#ffffff" text="#000000"><div class="im">
On 2/28/2011 10:36 PM, Scott Gifford wrote:
<blockquote type="cite">On Mon, Feb 28, 2011 at 4:27 PM,</blockquote></div></div></blockquote><div>[ ... ] </div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;">
<div bgcolor="#ffffff" text="#000000"><div class="im"><blockquote type="cite"><div><div><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0pt 0pt 0pt 0.8ex;border-left:1px solid rgb(204, 204, 204);padding-left:1ex">
What doesn't work is the untangle server shows no scanning
activity when I access the web pages. I think the path
webserver->untangle->webserver does not trigger the
scanning in untangle because the traffic it sees is from
an internal IP going to the same internal IP.<br>
</blockquote>
<div><br>
</div>
<div>Interesting. Can you put another Web server box
outside of Untangle to decrypt the traffic, then pass it
through as normal? That could help with performance as
well. Or use a second network connection to pass the
traffic back out to Untangle's external interface?</div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote></div>
I'd try that if I had another ip address. Also, putting a box in
front of the firewall sounds dangerous.</div></blockquote><div><br></div><div>It's true there's some risk to this approach. You would want to be very careful in locking the box down, so nothing is exposed apart from the service you are offering. Fortunately, Linux includes a quite powerful firewall tool, so it's pretty straightforward to do this. Keep in mind that Untangle itself is a Linux server, so with careful configuration you should be able to make your system at least as secure as that server.</div>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex;"><div bgcolor="#ffffff" text="#000000"><div class="im"><blockquote type="cite"><div><div><div class="gmail_quote"><div>
Also, do you find that stunnel is able to work reliably
doing HTTPS in this way? My recollection is that there is
some difficulty with redirects generated by the Web
server, but perhaps something has changed.</div>
<div><br>
</div>
</div>
</div>
</div>
</blockquote></div>
My website is currently pretty simple. Maybe I'll start seeing
problems when the site gets going for real. Hope not!<br></div></blockquote><div><br></div><div>The trick can be on redirects IIRC, so you might want to test these. Using a dedicated SSL server in front of a Web server is not uncommon; if it doesn't work, I bet a bit of Web searching could turn up a workable solution.</div>
<div><br></div><div>Good luck!</div><div><br></div><div>------Scott.</div><div><br></div></div>
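<div>The setup discussed above, as an added example that is not from this thread or from the Untangle or stunnel projects: a default-deny iptables policy for the dedicated TLS-terminating box, and a matching stunnel service section that accepts HTTPS and hands plain HTTP to the Untangle side. The addresses (192.0.2.10 public, 10.0.0.5 backend, 10.0.0.0/24 management LAN), the <code>stunnel4</code> user/group and the config path are assumed placeholders.</div>

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. Assumed placeholder values:
# 192.0.2.10 = the box's public address, 10.0.0.5:80 = the Untangle/web side,
# 10.0.0.0/24 = the management LAN. User/group names follow Debian's stunnel4 package.
PUBLIC_IP="192.0.2.10"
BACKEND="10.0.0.5:80"
MGMT_NET="10.0.0.0/24"
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the iptables commands instead of applying them

# Run iptables, or just echo the command when DRY_RUN=1 (no root needed to review).
ipt() {
    if [ "$DRY_RUN" = "1" ]; then echo "iptables $*"; else iptables "$@"; fi
}

# Default-deny inbound and forwarding; allow only loopback, replies to our own
# connections, HTTPS on the public address, and SSH from the management LAN.
lockdown_rules() {
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -F INPUT
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT -p tcp -d "$PUBLIC_IP" --dport 443 -j ACCEPT
    ipt -A INPUT -p tcp -s "$MGMT_NET" --dport 22 -j ACCEPT
}

# stunnel server-mode section: TLS in on 443, plaintext HTTP out to the backend.
# Because the backend sees plain HTTP, absolute redirects it builds from the
# request may come back as http://, which is the caveat raised in the thread.
stunnel_conf() {
    cat <<EOF
setuid = stunnel4
setgid = stunnel4

[https]
accept  = ${PUBLIC_IP}:443
connect = ${BACKEND}
cert    = /etc/stunnel/stunnel.pem
options = NO_SSLv2
options = NO_SSLv3
EOF
}

# Sanity check: number of ACCEPT rules the policy emits (expected: 4).
count_accepts() { lockdown_rules | grep -c -- '-j ACCEPT'; }

# Only touch the system when explicitly asked: ./lockdown.sh apply (as root).
if [ "${1:-}" = "apply" ]; then
    DRY_RUN=0; lockdown_rules; stunnel_conf > /etc/stunnel/stunnel.conf
fi
```

Run it without arguments first to review the generated rules and config; only <code>apply</code> changes the firewall and writes the stunnel configuration.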