Security
No laughing matter
How-tos
Client Certificate Authentication with HAProxy: How to configure
Using client certificates for security is a pretty cool idea! You can protect an entire application or even just a specific Uniform Resource Identifier (URI) to only those that provide a valid client certificate...
WAF
Load Balancing Nginx Web Servers with OWASP Top 10 WAF in Azure
SSL offload is handled by STunnel, while HAProxy handles back-end server re-encryption...
Security
How to stop web form spam — use a simple honey pot trap in ModSecurity...
How frustrating do you find it when hackers or robots fill in your website forms with "Buy Viagra Now!" type spam?..
Security
Stack Clash and Loadbalancer.org
The long and short of it is, there are updates to the Linux kernel and glibc packages which will 'fix' the issue..
How-tos
Transparent vs Explicit proxy — which method should I use?
Different vendors have widely different opinions on which method should be used to deploy web filters or SWGs. Historically, vendors struggled to implement authentication in Transparent mode, and maybe they remember some awkward conversations with customers that chose the wrong method...
Security
Blocking Japan with ModSecurity and Maxmind Lite
The Web Application Firewall is based on ModSecurity which is an open source WAF for Apache, IIS, and Nginx for protecting against a many variety of attacks and allows for HTTP traffic monitoring and logging...
High Availability
Disaster recovery is more important than HTTPS SNI support...
SNI is an extension to the TLS protocol which enables the client to broadcast its hostname when it tries to connect to your server. This allows you to use multiple SSL certificates on a single IP...
Security
New PuTTY vulnerability "vuln-ech-overflow" identified - upgrade to 0.66 to protect your environment
Due to the way that PuTTY uses a signed integer variable to store the number of characters to be erased and there was inadequate checking for overflow, there was the potential for an attacker to corrupt important data in certain circumstances...
Security
Blocking invalid range headers using ModSecurity and/or HAProxy (MS15-034 - CVE-2015-1635)
Anomaly score based blocking is more flexible and effective than simple first error blocking...
Security
Simple Denial of Service DOS attack mitigation using HAProxy
Denial of Service (DOS) attacks can be used to degrade or cripple the functionality of a site...
Security
How do I get an A+ from Qualys SSL, but keep FIPS compliance as well?
Is getting an A+ rating with the Qualys scanner starting to feel a bit like chasing a mythical unicorn? Every time you get close to catching and keeping the beast — it run's away and they change the rules again!..
Security
Shell-shocked by shell shock? I give you "CMD Caret" ^&
There seems to have been so much hype over the recent bash bug, shell shock! And there were all the people in the Microsoft world thinking YES we are so cool we are NOT affected by it!..
Security
Heartbleed 2.0? Not exactly but more OpenSSL issues have been found
Whilst the Heartbleed bug was relatively easy to exploit, the latest batch of bugs are not...
Security
Loadbalancer.org releases patch for the OpenSSL heartbleed vulnerability CVE-2014-0160
To ensure complete protection all SSL certificates that have been used with a vulnerable version of OpenSSL should be regenerated using a new private key...
Security
Why did my Loadbalancer just fail the PCI compliance test?
Let me first say that I'm not really a fan of PCI scanners. It's not so much that I'm anti security scanners but rather that scanning for vulnerabilities based on only the version number a package returns seems rather simplistic to me...
Security
Secure Your Web Servers: SSL Termination and BEAST
The BEAST attack is a practical attack based on a protocol vulnerability and mainly affects the client side...
WAF
For any poor sod who needs to deal with the PCI Data Security Standard (PCI DSS)
Any engineer dealing with PCI DSS compliance issues probably looses a little bit of the joy in life...
HAProxy
Transparent proxy of SSL traffic using Pound to HAProxy backend patch and how-to
I've previously blogged about how to get TPROXY and HAProxy working nicely together, but what if you want to terminate SSL traffic on the load balancer to use HAProxy to insert cookies in the standard HTTP stream to the backend servers?..