Orenosp Secure Reverse Proxy
New: Orenosp Version 2 with OpenID and Single-Sign-On support: a beta version is now available.
Orenosp is an HTTP/HTTPS secure reverse proxy, load-balancer and secure
port forwarder that runs on Windows platforms (NT, 2000, XP and 2003),
Linux x86, and Mac OS X.
If you need a simple and easy way of protecting remote desktop
over a public network, please look at
gtOrenoPC instead.
Introduction
With broadband prices dropping and becoming ubiquitous, the demand for
remote access continues to grow even in SOHOs and households.
However, most current products for home routers/firewalls, PC applications and
web-enabled electronics don't offer secure remote access.
Orenosp protects and enables secure remote access to the following
applications and servers using its integrated security facilities
(user authentication, access authorization, access logging, and channel encryption):
- Web servers and various web-enabled appliances
- Remote PC access (Windows XP Remote Desktop, VNC, etc.)
Orenosp operates as an SSL reverse proxy and SSL port forwarder.
More specifically, you close all TCP ports except for a single TCP port
and Orenosp accepts all connections on that port, does security checks
and various transformations and finally forwards them to web servers,
web appliances and PCs in the LAN. You only need a single global IP address
to make several PCs within the LAN available for remote access.
See diagrams:
Note: ordinary (forward) proxies are deployed at client side, but
a reverse proxy is deployed at server side.
You can also use Orenosp to build a small-scale SSL VPN gateway that
enables secure and low cost remote access to your small office. See
Secure Port Forwarding.
Objectives
At the server side on the Internet, Orenosp serves three objectives.
Protect Web Servers in Your LAN
- SSL-enable any non-SSL http servers
A plug-in solution to SSL-enable any non-SSL HTTP server or device
(such as a router or print server) without any reconfiguration of that server,
thus enabling remote management of the device over the Internet.
It can run on a different machine from the HTTP server, and so off-load
SSL work from the server machine.
- Inspect SSL-encrypted communications at the secure proxy
Regular firewalls are not capable of looking into
encrypted channel data because SSL provides end-to-end encryption.
Orenosp can accept an SSL connection from a client, decrypt the data, apply
many security filters and/or input transformations, and then re-encrypt the
data to forward it to SSL-protected backend servers.
- Nimda filter
Filters out any request that matches user-specified URL patterns.
Those requests are discarded and can optionally be logged to a dedicated
log file.
- General request filter
You can also filter on many attributes, including maximum URL length,
8-bit characters in the URL, length of POST data, or chunked-encoded
requests. You can also enforce a "no hot link/deep link" policy on your server
by checking the Referer field of requests.
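The following is an added example of the kind of request filter the Nimda filter and general request filter above describe; it is not Orenosp's own code. The policy limits, the deny patterns, the hotlink rule and the sample requests are all constructed for illustration, and a missing Referer is treated as a direct visit (allowed), which is the usual choice for a hot-link policy.

```python
"""Request filter in the style of the "Nimda filter" and "general request filter".
Added example, not Orenosp code; all names, limits and patterns are constructed."""
import re
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    method: str
    url: str                                       # request-target, e.g. "/index.html?x=1"
    headers: dict = field(default_factory=dict)    # header names in lowercase
    body: bytes = b""


@dataclass
class FilterPolicy:
    # "Nimda filter": requests whose URL matches any pattern are discarded and logged
    deny_url_patterns: list
    # "General request filter" limits
    max_url_length: int = 2048
    allow_8bit_url: bool = False
    max_post_length: int = 1_000_000
    allow_chunked_request: bool = False
    # "No hot link / deep link" policy: paths under these prefixes may only be
    # referred to from these hosts; a missing Referer (typed URL, bookmark) passes
    hotlink_protected_prefixes: tuple = ()
    allowed_referer_hosts: frozenset = frozenset()


def check_request(req: Request, policy: FilterPolicy):
    """Return None if the request may be forwarded, else a short reason
    suitable for the dedicated filter log."""
    for pat in policy.deny_url_patterns:
        if pat.search(req.url):
            return f"nimda: url matches {pat.pattern!r}"
    if len(req.url) > policy.max_url_length:
        return f"url longer than {policy.max_url_length}"
    if not policy.allow_8bit_url and any(ord(c) > 0x7F for c in req.url):
        return "8-bit character in url"
    if req.method == "POST":
        te = req.headers.get("transfer-encoding", "").lower()
        if "chunked" in te and not policy.allow_chunked_request:
            return "chunked request body not allowed"
        if len(req.body) > policy.max_post_length:
            return f"post body larger than {policy.max_post_length}"
    if policy.hotlink_protected_prefixes and req.url.startswith(policy.hotlink_protected_prefixes):
        referer = req.headers.get("referer")
        if referer:
            host = (urlsplit(referer).hostname or "").lower()
            if host not in policy.allowed_referer_hosts:
                return f"hot link from {host!r}"
    return None


# Constructed policy: worm-style URL signatures plus conservative limits (assumed values)
EXAMPLE_POLICY = FilterPolicy(
    deny_url_patterns=[re.compile(p, re.IGNORECASE) for p in (
        r"/scripts/", r"cmd\.exe", r"root\.exe", r"\.\./", r"/_vti_bin/")],
    max_url_length=512,
    max_post_length=64 * 1024,
    hotlink_protected_prefixes=("/images/",),
    allowed_referer_hosts=frozenset({"www.example.com"}),
)


def filter_log_lines(requests, policy=EXAMPLE_POLICY):
    """Run a batch of requests through the filter and return the lines the
    dedicated log would receive, one per discarded request."""
    lines = []
    for req in requests:
        reason = check_request(req, policy)
        if reason:
            lines.append(f"DISCARD {req.method} {req.url} ({reason})")
    return lines


SAMPLE_REQUESTS = [  # constructed traffic, not captured data
    Request("GET", "/index.html", {"host": "www.example.com"}),
    Request("GET", "/scripts/root.exe"),                       # worm-style probe
    Request("GET", "/" + "a" * 600),                           # over-long URL
    Request("GET", "/caf\u00e9.html"),                         # 8-bit character
    Request("POST", "/upload", {"transfer-encoding": "chunked"}, b"5\r\nhello\r\n0\r\n\r\n"),
    Request("POST", "/upload", {"content-length": "70000"}, b"x" * 70000),
    Request("GET", "/images/logo.png", {"referer": "http://www.example.com/"}),
    Request("GET", "/images/logo.png", {"referer": "http://other.example.net/page"}),
    Request("GET", "/images/logo.png"),                        # no Referer: direct visit
]

if __name__ == "__main__":
    for line in filter_log_lines(SAMPLE_REQUESTS):
        print(line)
```

Running the block prints six DISCARD lines for the nine sample requests; the first, seventh and ninth pass. The checks are ordered cheapest-first so that a request matching a deny pattern is rejected before its body is looked at.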
- User Authentication
There are three authentication methods: form-based authentication
using html pages, HTTP basic authentication, and SSL client
authentication.
The form-based authentication provides
you with a set of customizable HTML pages for authentication process.
- Both the form-based authentication and HTTP basic authentication can
also use many types of external authentication servers.
They can send username and password to an external authentication server
to verify passwords. Currently supported authentication services are:
HTTP/HTTPS, file-based (passwd.txt file), LDAP (ActiveDirectory) and
RADIUS. In the Linux and Mac OS/X versions, you can also use PAM
as an external authentication service, enabling you to use various
authentication methods supported by PAM.
- Orenosp can pass the user credential from HTTP basic auth or form-based
auth to backend servers as an HTTP basic credential, effectively converting
an HTTP basic auth system into a form-based auth system.
- Dynamic IP-based Access Control
Orenosp can restrict client access by the client's IP address. The list of
restricted IP address patterns can be stored in plain text files and can be
dynamically modified and reloaded. For example, a CGI program can append
to the text file the client IP address to which it wants to forbid access.
Orenosp then detects the file's modification and reloads the IP address patterns.
Dynamic IP-based Access Control can be enabled in two ways, either
per-request access control or per-connection access control. The former
method offers flexibility while the latter can be used to thwart SSL handshake
DoS attacks.
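As an added example (not Orenosp code) of the dynamic IP-based access control just described, the block below keeps a plain-text file of forbidden address patterns, reloads it whenever the file changes, and applies the check at connection-accept time, i.e. before any SSL handshake work is spent on a listed client. The file format (one address or CIDR network per line, '#' comments), the names and the sample addresses are assumptions.

```python
"""Dynamic IP-based access control: a plain-text file of forbidden address
patterns that another program (e.g. a CGI) may append to, reloaded whenever the
file changes.  Added example, not Orenosp code; file format and names are assumed."""
import ipaddress
import os
import tempfile


class DynamicIpBlocklist:
    """Forbidden-IP patterns loaded from a text file, one per line.
    Each line is an address or CIDR network; '#' starts a comment."""

    def __init__(self, path):
        self.path = path
        self._stamp = None        # (mtime_ns, size) of the last loaded file
        self.networks = []
        self.refresh_if_modified()

    def refresh_if_modified(self):
        """Reload only when the file's modification time or size changed.
        Size is included because an append within the same clock tick may not
        change mtime on filesystems with coarse timestamps."""
        st = os.stat(self.path)
        stamp = (st.st_mtime_ns, st.st_size)
        if stamp == self._stamp:
            return False
        nets = []
        with open(self.path, encoding="ascii") as f:
            for lineno, line in enumerate(f, 1):
                line = line.split("#", 1)[0].strip()
                if not line:
                    continue
                try:
                    nets.append(ipaddress.ip_network(line, strict=False))
                except ValueError:
                    # A malformed line must not discard the whole list:
                    # skip it, keep the rest, and say so.
                    print(f"{self.path}:{lineno}: ignoring bad pattern {line!r}")
        self.networks = nets
        self._stamp = stamp
        return True

    def is_forbidden(self, client_ip):
        addr = ipaddress.ip_address(client_ip)
        return any(addr in net for net in self.networks)


def accept_connection(blocklist, client_ip):
    """Per-connection check: runs before the SSL handshake, so a listed client
    costs no handshake work.  Returns True if the connection may proceed."""
    blocklist.refresh_if_modified()
    return not blocklist.is_forbidden(client_ip)


def demo():
    """Simulate a CGI appending a new pattern and the proxy picking it up."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "forbidden_ips.txt")
        with open(path, "w") as f:       # constructed blocklist content
            f.write("# constructed blocklist\n10.0.0.0/8\n192.0.2.7\nnot-an-ip\n")
        bl = DynamicIpBlocklist(path)
        before = (accept_connection(bl, "10.1.2.3"),
                  accept_connection(bl, "192.0.2.7"),
                  accept_connection(bl, "198.51.100.9"))
        # Another program decides to ban 198.51.100.9 and appends it.
        with open(path, "a") as f:
            f.write("198.51.100.9\n")
        after = accept_connection(bl, "198.51.100.9")
        return before, after


if __name__ == "__main__":
    print(demo())
```

demo() returns ((False, False, True), False): the two pre-listed clients are refused, the third is accepted until the append is detected on the next connection. A per-request variant would call the same refresh_if_modified() and is_forbidden() from the request handler instead of the accept loop.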
- Protect backend web servers against overload
Orenosp limits the number of frontend connections to a fixed number. It also
limits the degree of concurrency in request processing. Orenosp uses
a keepalive queue and a pending request queue to achieve these limits.
Orenosp is capable of sustaining 1000 keepalive and request-pending HTTPS (SSL)
connections with a mere 5MB memory overhead. If the same 1000 HTTPS connections
hit a regular OpenSSL-based web server, they would cost more than 50MB of
memory overhead; a multi-process Apache would use even more. You can safely
let Orenosp handle these front connections, with backend connections being
aggregated at the same time.
- Prevent Information Leakage
Some poorly managed web servers put up information that is not intended
for publication on the web. With Orenosp's nimda filter and rewrite filter,
you can prevent sensitive information from inadvertently being published.
See this document for details.
- Sending Log Records to a Remote Logging Service
Access logs are among the most crucial information from a security
standpoint. Orenosp can send log records from the access log, performance log
and nimda log to a remote Logging Service on an audit log PC in a more
protected area. The Logging Service authenticates remote logging connections
and also uses SSL to encrypt the communication channel. You don't need to
worry about punching a hole by opening an unauthenticated, unencrypted
port on the audit log PC.
Using this feature you can also merge logs from multiple Orenosp/Orenosv
services into a single log stream. This comes in handy when you have
a farm of Orenosp/Orenosv machines.
- Connection Monitoring
With the monitoring module, you can monitor the list of all connections
that are going through Orenosp. See example.
Distribute Workload among Multiple Web Servers
- HTTP Request Router and Redirector
You can reverse-proxy to multiple backend servers based on virtual
hostnames, listen IP address/port or virtual paths. You can reverse-proxy
WebDAV requests as well.
(Orenosp supports WebDAV by automatically rewriting DAV request and response
bodies.)
You can also do true HTTP redirects, for example to lead users to secure
pages. Because Orenosp resolves the hostname when a request arrives, your
web servers (internal PCs) no longer have to be assigned static IP addresses.
- Content-Based HTTP Request/Session Routing
You can implement routing rules for HTTP sessions based on your application's
data. This is accomplished by your application issuing an HTTP cookie that
designates the backend server to which this session should be routed.
With this capability, you can implement application-partitioning
of servers, while maintaining a single server image.
For example, a large webmail server can partition users into three groups
for each of which a dedicated backend server exists. Upon user's login
to the webmail, the login server will issue a routing cookie. Orenosp will
use that cookie value to determine the destination of the session's requests.
Throughout the process, the end user will only see a single URL (virtual
server).
- HTTP Load-Balancer for Highly Available Web Sites
With load-balancing, you can distribute HTTP request processing among
multiple equivalently configured backend servers. Session persistence
is achieved using an HTTP cookie.
All nodes in a load-balanced group are proactively health-checked by
ICMP (IP-level "ping") packets. If a node is removed from the network,
Orenosp will automatically forward existing connections to other online
nodes.
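The two mechanisms above, content-based routing by an application-issued cookie and a load-balanced group with cookie session persistence and health-checked failover, are put together in the following added example. It is not Orenosp code: the cookie names ("route", "lbnode"), backend names and addresses are assumptions, and the ICMP ping is replaced by an injected ping(address) callable so the block runs without privileges.

```python
"""Cookie-driven request routing: content-based routing by an application-issued
cookie, plus a load-balanced group with cookie session persistence and
health-checked failover.  Added example, not Orenosp code; names are assumed."""
import itertools
from http.cookies import SimpleCookie


class Backend:
    def __init__(self, name, address):
        self.name, self.address, self.healthy = name, address, True


class LoadBalancedGroup:
    """Equivalently configured backends; a client sticks to one via a cookie."""
    COOKIE = "lbnode"   # assumed name of the persistence cookie

    def __init__(self, backends):
        self.backends = {b.name: b for b in backends}
        self._rr = itertools.cycle(list(backends))

    def health_check(self, ping):
        """ping(address) stands in for the ICMP probe; True means the node is up."""
        for b in self.backends.values():
            b.healthy = bool(ping(b.address))

    def pick(self, cookies):
        """Return (backend, set_cookie): set_cookie is the Set-Cookie value to add
        to the response, or None when the client's existing cookie is still valid."""
        wanted = cookies.get(self.COOKIE)
        b = self.backends.get(wanted)
        if b is not None and b.healthy:
            return b, None
        for _ in range(len(self.backends)):      # round-robin over healthy nodes
            b = next(self._rr)
            if b.healthy:
                return b, f"{self.COOKIE}={b.name}; Path=/; Secure; HttpOnly"
        raise RuntimeError("no healthy backend in group")


class Router:
    ROUTE_COOKIE = "route"   # assumed name of the application-issued routing cookie

    def __init__(self, partitions, default_group):
        self.partitions = partitions      # routing-cookie value -> Backend
        self.group = default_group        # where sessions without a routing cookie go

    def route(self, cookie_header):
        """Parse the request's Cookie header and choose the backend."""
        jar = SimpleCookie()
        if cookie_header:
            jar.load(cookie_header)
        cookies = {k: m.value for k, m in jar.items()}
        target = self.partitions.get(cookies.get(self.ROUTE_COOKIE))
        if target is not None:            # application decided: honour its cookie
            return target, None
        return self.group.pick(cookies)   # otherwise load-balance with persistence


def demo():
    """Webmail-style setup (constructed): a login pool plus three mail partitions."""
    mail = {f"mail{i}": Backend(f"mail{i}", f"10.0.0.{i}") for i in (1, 2, 3)}
    login = LoadBalancedGroup([Backend("login1", "10.0.1.1"), Backend("login2", "10.0.1.2")])
    r = Router(mail, login)
    b1, set1 = r.route(None)                       # new visitor: round-robin to a login node
    b2, _ = r.route(set1.split(";")[0])            # comes back with the cookie: sticks
    b3, _ = r.route("route=mail2")                 # after login, routing cookie wins
    login.health_check(lambda addr: addr != b1.address)   # b1's node drops off the network
    b4, set4 = r.route(set1.split(";")[0])         # failover: new node, new cookie
    return b1.name, b2.name, b3.name, b4.name, set4 is not None


if __name__ == "__main__":
    print(demo())
```

demo() returns ("login1", "login1", "mail2", "login2", True). The persistence cookie is marked Secure and HttpOnly because it only has meaning to the proxy; a routing cookie that names a backend is worth validating against the configured partition list, as Router.route does, so that an arbitrary value cannot steer a session to an unintended host.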
- Content Rewrite Filter
When you put an HTTP server behind a reverse proxy, you can no longer
use "absolute URLs" that point to pages on the same reverse-proxied server.
Furthermore, if you have multiple HTTP servers whose pages are linked
by HTML links, you have to write the links as external URLs, but then
you can no longer reach those servers from within the internal network.
A solution is to have the reverse proxy automatically convert internal
URLs appearing in HTML pages to external ones.
Orenosp has content rewrite filters for that job. There are two filters.
One is a simple content rewriting filter that replaces internal URLs with
the corresponding external URLs in HTML pages by plain search-and-replace.
The other accepts regular expression patterns and can be used for more
complex rewrites, such as adding common headers and footers to HTML pages.
As an application of these filters, Orenosp has a feature that automatically
rewrites the proper URLs in HTML content. Once you turn on this feature,
Orenosp takes care of the rest of the configuration.
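An added example of both rewrite filters described above, not Orenosp's own implementation: a search-and-replace filter that maps internal URLs to external ones (longest key first, so a path-specific mapping wins over a host-wide one) and a regex filter that inserts a common header and footer. The hostnames, paths and rule syntax are assumptions. It also shows the part a practitioner has to get right around such a filter: the body length changes, so Content-Length must be recomputed, and any compression must happen after rewriting.

```python
"""Content rewrite filters for a reverse proxy.  Added example, not Orenosp code;
hostnames, paths and rule syntax are constructed for illustration."""
import re


class SimpleRewriteFilter:
    """Replace internal URL prefixes with their external equivalents.
    Longer keys are applied first so a specific path mapping wins over a
    host-wide one."""

    def __init__(self, mapping):
        self.pairs = sorted(mapping.items(), key=lambda kv: len(kv[0]), reverse=True)

    def apply(self, text):
        for internal, external in self.pairs:
            text = text.replace(internal, external)
        return text


class RegexRewriteFilter:
    """Apply (pattern, replacement) rules in order; replacements may use
    backreferences such as \\1."""

    def __init__(self, rules, flags=re.IGNORECASE | re.DOTALL):
        self.rules = [(re.compile(p, flags), r) for p, r in rules]

    def apply(self, text):
        for pat, repl in self.rules:
            text = pat.sub(repl, text)
        return text


def rewrite_response(headers, body, filters):
    """Rewrite a backend response body when it is text/html and return the
    (headers, body) to send to the client.  The length usually changes, so
    Content-Length is recomputed; a proxy that also compresses must compress
    after this step, not before, or the filters would see gzip bytes."""
    ctype = headers.get("Content-Type", "")
    if not ctype.lower().startswith("text/html"):
        return headers, body                     # binary content passes untouched
    m = re.search(r"charset=([\w-]+)", ctype)
    enc = m.group(1) if m else "iso-8859-1"      # HTTP default when no charset is given
    text = body.decode(enc)
    for f in filters:
        text = f.apply(text)
    out = text.encode(enc)
    new_headers = dict(headers)
    new_headers["Content-Length"] = str(len(out))
    return new_headers, out


# Constructed example: two internal servers published under one external name
URL_MAP = {
    "http://intranet-web:8080/app/": "https://www.example.com/app/",
    "http://intranet-web:8080/": "https://www.example.com/legacy/",
    "http://printer.lan/": "https://www.example.com/printer/",
}
RULES = [
    (r"(<body[^>]*>)", r"\1<div class='banner'>Example Corp</div>"),
    (r"(</body>)", r"<div class='footer'>Internal use only</div>\1"),
]
FILTERS = [SimpleRewriteFilter(URL_MAP), RegexRewriteFilter(RULES)]

SAMPLE_BODY = (      # constructed backend page with internal absolute URLs
    "<html><body>"
    '<a href="http://intranet-web:8080/app/inbox">Mail</a> '
    '<a href="http://intranet-web:8080/old.html">Old</a> '
    '<img src="http://printer.lan/status.png">'
    "</body></html>"
).encode("utf-8")
SAMPLE_HEADERS = {"Content-Type": "text/html; charset=utf-8",
                  "Content-Length": str(len(SAMPLE_BODY))}


def demo():
    """Return the rewritten page's Content-Length and text."""
    headers, body = rewrite_response(SAMPLE_HEADERS, SAMPLE_BODY, FILTERS)
    return headers["Content-Length"], body.decode("utf-8")


if __name__ == "__main__":
    length, page = demo()
    print(length)
    print(page)
```

In the rewritten page every intranet-web and printer.lan reference points at www.example.com, the banner follows the opening body tag and the footer precedes the closing one, and Content-Length matches the new body.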
- Performance Logging
Aside from regular access logging, Orenosp can log the response time of requests to backend servers.
For example, you can pinpoint specific requests that take more than
2 seconds.
- IPv6 support
Orenosp can publish an HTTP server on an IPv4 LAN to an IPv6 network, and
vice versa. With automatic URL rewrite, Orenosp should be able to
translate IPv4 addresses appearing in HTML files to IPv6 addresses and
vice versa.
The IPv6 version is a separate binary because it does not
support Windows NT 4.0 (orenospXXXi6.exe is the IPv6 version).
Control Internet Resource Usage by Your Web Servers
- A single global IP address
Multiple servers can publish via a single global IP address by using
virtual hostnames.
- Aggregating multiple servers into one virtual server
You can also aggregate multiple internal servers
into a single external virtual server, differentiating services with
distinct paths in URL. This will save you the cost of having multiple
domain names.
- Aggregating backend connections
Because Orenosp caches and reuses backend connections (both TCP and SSL
connections), it will alleviate connection load on backend servers.
- HTTP content compression
Reduces content size to save bandwidth. HTTP compression can be
applied to any text file such as HTML/XML, whether static or
dynamically generated. Many dynamically generated, report-type HTML/XML
files achieve a significant compression ratio, such as 90%. In an SSL +
compression setup, this can also reduce CPU usage.
- Bandwidth Control (Throttling)
You can control network bandwidth usage of the reverse proxy to the level
of virtual hosts and even URL groups.
- Tunneling non-HTTP application protocols through a single HTTPS port
You can securely tunnel some non-HTTP application
protocols using only a single HTTPS port (443). See
Secure Port Forwarding.
Other Features
Orenosp uses OpenSSL Toolkit developed
by the OpenSSL Project (http://www.openssl.org/).
- Operates as an NT service.
- Interoperable with major HTTP/1.1 web servers including IIS and Apache.
- Includes a very simple SSL certificate generator (gencert),
which is suitable for most simple configurations. For more sophisticated
configurations, you can use the OpenSSL utility to manage certificates.
Features Not Planned
- High load environment
For commercial use, an SSL appliance is recommended. However, Orenosp should
be able to handle several hundred SSL and TCP connections.
Usage Examples
- Securely Publish OWA (Outlook Web Access) of Exchange Server
You can also load-balance multiple OWA front-end servers.
- Securely Publish WSS (Windows SharePoint Services)
- Securely Publish Windows Remote Desktop, Terminal Services, and VNCs
- Securely Publish Existing Internal Web Servers to the Internet
You can hide internal hostnames and aggregate internal services into one
virtual server.
- Make Internet-bound Public Web Servers Available to the Intranet Users
Orenosp can translate external hostnames into internal hostnames.
- Securely Publish Multiple Network Cameras.
Latest Version
Orenosp Secure Reverse Proxy is released as a shareware product from Orenosv.com.
New:
Orenosp will support TLS Server Name Indication, which is required for
implementing name-based SSL virtual servers. Currently, it is built as
a separate Orenosp package based on openssl 0.9.9.
You can download this version from here.
Version history
Development versions are here.
Early alpha versions are here.
Required software other than Orenosp
These are optional related products/components.
- Orenosv-enhanced rotatelogs
This is an enhanced version of Apache rotatelogs. If you need to rotate
log and trace files, you will need this.
- RBP : Orenosp/Orenosv compatible logging program
If you use the remote logging feature, you will need this.
To handle a server digital certificate you might need additional
software. If you intend to use a self-issued certificate only, you can
use the certificate generator program included in the Orenosp package.
- When using orenosp-provided test certificate
[Intended only for testing within your LAN]
No additional software required.
- When using a self-issued certificate
a) gencert.exe included in Orenosp.
No additional software required.
b) Kousec Server Certificate Manager - Basic Edition
This software is a server certificate lifecycle management tool for both
self-issued certificates (private CA built-in) and commercial CA certificates.
c) openssl.exe from the OpenSSL package
For sophisticated configurations only.
You can download the openssl.exe utility program of OpenSSL 0.9.7b from here.
- When using a certificate signed by a commercial CA
[Recommended for security]
a) Kousec Server Certificate Manager - Basic Edition
This software is a server certificate lifecycle management tool for both
self-issued certificates (private CA built-in) and commercial CA certificates.
b) OpenSSL utility program (openssl.exe)
The procedure to obtain a certificate is similar to that of the Apache+mod_ssl case.
We have an instructions document for Orenosp.
Documents
readme_en.txt - how to install
guide_en.txt - Orenosp User's Guide
certmemo_en.txt - Instructions on operating CA using Openssl
certvendor_en.html - Using Commercial SSL Certificates in Orenosp
sproxy_full.txt - configuration parameters file
ha_cluster.txt - HA-clustering Orenosp on Linux
webdav_en.txt - Notes on reverse-proxying WebDAV
Notes on IIS Basic and NTLM Authentication Schemes
tunnel/ssltunnel_en.txt - SSL Tunneling Guide
tunnel/sampleconfig_en.txt - Practical Sample Configuration
changes.txt - detailed change description
System Requirements
- Windows NT 4.0 SP6a
- Windows 2000 SP1 or later
- Windows XP (for SP2 please see here)
- Windows Server 2003
- Linux x86 (kernel 2.4 or higher)
- Mac OS X 10.3.x
Discussion forum
The phpBB-based discussion forums for Orenosv.com products are available.
Orenosv.com Forums: http://www.orenosv.com/bb/
Logs from the old BBS (Read-only): http://www.orenosv.com/oldbbs_en/
Customization and Commercial Licensing
Both are available. See details.
Copyright
Please see copyright.txt.
Kousec Software, Inc.