[mod_cluster-issues] [JBoss JIRA] (MODCLUSTER-417) Obfuscating jvmRoute as to hide topology

Obfuscating jvmRoute as to hide topology ---------------------------------------- Key: MODCLUSTER-417 URL: https://issues.jboss.org/browse/MODCLUSTER-417 Project: mod_cluster Issue Type: Feature Request Security Level: Public(Everyone can see) Components: Native (httpd modules) Affects Versions: 1.3.0.Final, 1.2.9.Final Reporter: Radoslav Husar Assignee: Jean-Frederic Clere Priority: Minor Feature request from https://github.com/jmcabrera Hello guys. First of all, this is a feature request and not a bug. I would like to "obfuscate" the jvmRoute so that an external attacker cannot "guess" the topology of my internal infrastructure. The "strong" way would be to have a symmetrical cipher with a configurable key. mod_cluster could then cipher the jsessionid before exposing it to the external world, and decipher it to recover the jvmRoute and properly redirect the request. But I guess that this would have very undesirable consequences on performance. The "weak" way would be just obfuscate, i.e. let's say that the jsessionid is alea + '.' + jvmRoute. We could take a part of the alea to alter the jvmroute in a reversible way (XORing for instance). Anyhow, the expected effect would be that the jvmroute would be externally different for each and every request. Unfortunately, I have close to no C skills, hence I cannot make this myself. (as a side note, coming from mod_jk, I'm quite impressed by the features mod_cluster offers! Thanks for the good work :) )