Radoslav Husar created MODCLUSTER-417: ----------------------------------------- Summary: Obfuscating jvmRoute as to hide topology Key: MODCLUSTER-417 URL: https://issues.jboss.org/browse/MODCLUSTER-417 Project: mod_cluster Issue Type: Feature Request Security Level: Public (Everyone can see) Components: Native (httpd modules) Affects Versions: 1.2.9.Final, 1.3.0.Final Reporter: Radoslav Husar Assignee: Jean-Frederic Clere Feature request from https://github.com/jmcabrera Hello guys. First of all, this is a feature request and not a bug. I would like to "obfuscate" the jvmRoute so that an external attacker cannot "guess" the topology of my internal infrastructure. The "strong" way would be to have a symmetrical cipher with a configurable key. mod_cluster could then cipher the jsessionid before exposing it to the external world, and decipher it to recover the jvmRoute and properly redirect the request. But I guess that this would have very undesirable consequences on performance. The "weak" way would be just obfuscate, i.e. let's say that the jsessionid is alea + '.' + jvmRoute. We could take a part of the alea to alter the jvmroute in a reversible way (XORing for instance). Anyhow, the expected effect would be that the jvmroute would be externally different for each and every request. Unfortunately, I have close to no C skills, hence I cannot make this myself. (as a side note, coming from mod_jk, I'm quite impressed by the features mod_cluster offers! Thanks for the good work :) ) -- This message was sent by Atlassian JIRA (v6.2.6#6264)