Radoslav Husar created MODCLUSTER-417:
Summary: Obfuscating jvmRoute as to hide topology
Issue Type: Feature Request
Security Level: Public (Everyone can see)
Components: Native (httpd modules)
Affects Versions: 1.2.9.Final, 1.3.0.Final
Reporter: Radoslav Husar
Assignee: Jean-Frederic Clere
Feature request from https://github.com/jmcabrera
First of all, this is a feature request and not a bug.
I would like to "obfuscate" the jvmRoute so that an external attacker cannot
"guess" the topology of my internal infrastructure.
The "strong" way would be to have a symmetrical cipher with a configurable key.
mod_cluster could then cipher the jsessionid before exposing it to the external world, and
decipher it to recover the jvmRoute and properly redirect the request.
But I guess that this would have very undesirable consequences on performance.
The "weak" way would be just obfuscate, i.e. let's say that the jsessionid
is alea + '.' + jvmRoute. We could take a part of the alea to alter the jvmroute
in a reversible way (XORing for instance).
Anyhow, the expected effect would be that the jvmroute would be externally different for
each and every request.
Unfortunately, I have close to no C skills, hence I cannot make this myself.
(as a side note, coming from mod_jk, I'm quite impressed by the features mod_cluster
offers! Thanks for the good work :) )
This message was sent by Atlassian JIRA