
I have a few applications that serve HTTP content on localhost. I have installed Apache and configured a reverse proxy so that Apache routes all the traffic to the underlying applications based on URL patterns.

Then I ran certbot and installed an SSL certificate from Let's Encrypt.

Only Apache knows about SSL and HTTPS.

Is this secure? Am I doing anything wrong?

Is it more secure if my applications handle SSL, or can I let Apache take care of it?

I know that anyone inside my server can bypass SSL, of course. I don't consider that a problem.

Hristo Kolev
  • "Is this secure?" is a question that is hard to answer on a general level. Try to specify your question. – Tom K. Feb 14 '18 at 08:28
  • Not enough information to tell. Do any applications other than Apache expose ports to the network? Do they allow for file uploads, or for execution of arbitrary commands on the server? What about database access - can any applications exposed through Apache be abused through SQL injection or similar? – Matthew Feb 14 '18 at 08:36
  • My applications do not listen on anything other than localhost. My question was about the security of the connection between the user and the server. The idea is that I don't want my applications to know about HTTPS and certificates or anything like that. Is it more secure if my applications handle SSL, or can I let Apache take care of it and be done? – Hristo Kolev Feb 14 '18 at 11:56

2 Answers


SSL/TLS is only used to protect the transport of the data between client and server. It solely protects against sniffing or modifying these data during transport. It does not protect against any attacks which do not require sniffing or manipulation of the transport, i.e. attacks like CSRF, SQL injection, password guessing and many more.

Steffen Ullrich
  • I know. My question wasn't very well worded. Is it more secure if my applications handle SSL, or can I let Apache take care of it? I'm talking about the communication between the client and the server. – Hristo Kolev Feb 14 '18 at 12:01
  • @HristoKolev: So you are now essentially asking for the difference in security between a) Apache terminating the SSL connection from the client vs. b) terminating the SSL connection only at the web application vs. c) having another SSL connection between Apache and the web application? Note that b) and c) require the application to be SSL-capable, and b) probably does not work with Apache in between. And, it might be useful to make your question more clear and show the options similar to what I've described here. – Steffen Ullrich Feb 14 '18 at 14:33
  • I'm asking if there is a problem if HTTPS is available only between the client and apache while the connection between apache and the application remains HTTP. – Hristo Kolev Feb 14 '18 at 14:39
  • @HristoKolev: in this case it is a duplicate to [Encrypt and Authenticate localhost-traffic?](https://security.stackexchange.com/questions/57230/encrypt-and-authenticate-localhost-traffic) and [Is HTTP to localhost safe?](https://security.stackexchange.com/questions/147175/is-http-to-localhost-safe/147178). – Steffen Ullrich Feb 14 '18 at 15:04

If your server is using just a server certificate and you trust the connection between Apache and your application server (for example if Apache connects to your application on the same machine, or if they're physically connected in the same server rack), then letting Apache do the SSL decryption is no less safe than dealing with it yourself, and it makes for a much simpler application.

If your application needs to deal with client certificates, then your application will usually still have to be partly involved in the certificate verification, even when you let Apache do the actual encryption.

Lie Ryan
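The setup both answers describe (TLS terminated at Apache, plaintext HTTP to applications bound to 127.0.0.1, and, for the second answer's client-certificate case, the verified identity handed to the backend in a request header) looks like the following. This is an added example, not configuration from the question or either answer; the hostname, ports, URL prefixes, certbot paths and the client CA file are assumptions.

```apache
# Added example (not from the question or either answer). Hostname, ports,
# paths and the client CA file are assumptions; adjust to your deployment.
# Needs mod_ssl, mod_headers, mod_proxy and mod_proxy_http.

<VirtualHost *:80>
    ServerName example.com
    # Nothing is served over plaintext: redirect everything to HTTPS.
    Redirect permanent / https://example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName example.com

    # --- TLS terminates here; the applications never see a certificate ---
    SSLEngine on
    # Files certbot writes for this host (assumed location).
    SSLCertificateFile    /etc/letsencrypt/live/example.com/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
    SSLProtocol -all +TLSv1.2 +TLSv1.3

    # Tell browsers to keep using HTTPS for this host.
    Header always set Strict-Transport-Security "max-age=31536000"

    # --- Plaintext hop to the applications on the loopback interface ---
    # The applications must bind to 127.0.0.1 only, as the question says.
    ProxyPreserveHost On
    # "set" overwrites any header the client sent with the same name, so the
    # application can trust these values without knowing anything about TLS.
    RequestHeader set X-Forwarded-Proto "https"
    RequestHeader set X-Forwarded-Port  "443"

    ProxyPass        /app1/ http://127.0.0.1:8080/
    ProxyPassReverse /app1/ http://127.0.0.1:8080/
    ProxyPass        /app2/ http://127.0.0.1:8081/
    ProxyPassReverse /app2/ http://127.0.0.1:8081/

    # --- Only if one application needs client certificates (second answer) ---
    # Apache checks the chain against this CA (the directive is vhost-level
    # only); the application still decides what the verified identity may do.
    SSLCACertificateFile /etc/ssl/client-ca.pem
    <Location /app2/>
        SSLVerifyClient require
        SSLVerifyDepth  2
        # Hand the verified subject to the backend. Again "set" overwrites
        # anything a client tried to inject under this header name.
        RequestHeader set X-SSL-Client-DN     "%{SSL_CLIENT_S_DN}s"
        RequestHeader set X-SSL-Client-Verify "%{SSL_CLIENT_VERIFY}s"
    </Location>
</VirtualHost>
```

Two practical caveats. Requiring a client certificate for only one path, as in the `<Location>` block, forces a renegotiation (TLS 1.2) or post-handshake authentication (TLS 1.3) after the first request, which not every client supports; if only one application needs client certificates, giving it its own hostname and virtual host with `SSLVerifyClient` at vhost level avoids that. And the backend must trust `X-Forwarded-*` and `X-SSL-*` headers only because it is unreachable except through this proxy on loopback; if it is ever exposed on another interface, those headers become attacker-controlled input.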