[mod_cluster-issues] [JBoss JIRA] (MODCLUSTER-417) Obfuscating jvmRoute as to hide topology

Radoslav Husar (JIRA) issues at jboss.org
Tue Jun 17 07:37:24 EDT 2014


Radoslav Husar created MODCLUSTER-417:
-----------------------------------------

             Summary: Obfuscating jvmRoute as to hide topology
                 Key: MODCLUSTER-417
                 URL: https://issues.jboss.org/browse/MODCLUSTER-417
             Project: mod_cluster
          Issue Type: Feature Request
      Security Level: Public (Everyone can see)
          Components: Native (httpd modules)
    Affects Versions: 1.2.9.Final, 1.3.0.Final
            Reporter: Radoslav Husar
            Assignee: Jean-Frederic Clere


Feature request from https://github.com/jmcabrera

Hello guys.

First of all, this is a feature request and not a bug.

I would like to "obfuscate" the jvmRoute so that an external attacker cannot "guess" the topology of my internal infrastructure.
The "strong" way would be to have a symmetrical cipher with a configurable key.
mod_cluster could then cipher the jsessionid before exposing it to the external world, and decipher it to recover the jvmRoute and properly redirect the request.
But I guess that this would have very undesirable consequences on performance.
The "weak" way would be to just obfuscate, i.e. let's say that the jsessionid is alea + '.' + jvmRoute. We could take a part of the alea to alter the jvmRoute in a reversible way (XORing for instance).
Anyhow, the expected effect would be that the jvmRoute would be externally different for each and every request.

Unfortunately, I have close to no C skills, hence I cannot make this myself.

(as a side note, coming from mod_jk, I'm quite impressed by the features mod_cluster offers! Thanks for the good work :) )



--
This message was sent by Atlassian JIRA
(v6.2.6#6264)
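
The "weak" scheme described in the request above, as an added example that is not part of the original message or of mod_cluster: the route is XORed with bytes of the random part of the session id and hex-encoded (the function names, the cycling of the mask and the hex encoding are assumptions). Because the mask comes from the session id itself, the route is recovered without any secret, which is what separates this from the keyed-cipher option.

```c
#include <stdio.h>
#include <string.h>

/* XOR each route byte with a byte of the random part (alea), cycling over it,
 * and hex-encode the result so it stays cookie-safe. Returns 0 on success. */
int route_obfuscate(const char *alea, const char *route, char *out, size_t outlen)
{
    size_t alen = strlen(alea), rlen = strlen(route), i;
    if (alen == 0 || outlen < 2 * rlen + 1)
        return -1;
    for (i = 0; i < rlen; i++)
        snprintf(out + 2 * i, 3, "%02x",
                 (unsigned)((unsigned char)route[i] ^ (unsigned char)alea[i % alen]));
    out[2 * rlen] = '\0';
    return 0;
}

static int hexval(char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* Reverse step: needs only the alea, i.e. the visible half of the session id. */
int route_recover(const char *alea, const char *hex, char *out, size_t outlen)
{
    size_t alen = strlen(alea), hlen = strlen(hex), i;
    if (alen == 0 || hlen % 2 != 0 || outlen < hlen / 2 + 1)
        return -1;
    for (i = 0; i < hlen / 2; i++) {
        int hi = hexval(hex[2 * i]), lo = hexval(hex[2 * i + 1]);
        if (hi < 0 || lo < 0)
            return -1;
        out[i] = (char)(((hi << 4) | lo) ^ (unsigned char)alea[i % alen]);
    }
    out[hlen / 2] = '\0';
    return 0;
}

int main(void)
{
    char tok[64], route[32];
    /* "A1B2C3" and "node1" are constructed sample values. */
    if (route_obfuscate("A1B2C3", "node1", tok, sizeof tok) == 0 &&
        route_recover("A1B2C3", tok, route, sizeof route) == 0)
        printf("A1B2C3.%s -> %s\n", tok, route);
    return 0;
}
```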

