Ciphers on a Stand Alone Web App

I am trying to get some firewall rules fixed in a university environment (I don’t control the firewall) so I can use several different ports with a stand alone Web App. To do some load balancing I am running the same app on three different HTTPS ports. I wrote a simple round robin balancer that hits one port then simply redirects to the next Web App in the round robin sequence.

This is a very screen intense app and it just cannot handle the load as a CGI app.

I have adjusted the Windows firewall and everything works fine for the three running Web Apps on the INTERNAL network but the ports I am using are normally blocked by IT from the Internet. I have a public IP for the app that is running on the Abyss Web Server on 80 and 443 (for HTTPS). I need to have these three ports opened up but the IT security guys say I have a problem.

When I put in my request they say that these ciphers are present and need to be disabled:
TLS_RSA_WITH_3DES_EDE_CBC_SHA
TLS_RSA_WITH_DES_CBC_SHA
TLS_RSA_WITH_RC4_128_MD5
TLS_RSA_WITH_RC4_128_SHA
TLS_RSA_WITH_SEED_CBC_SHA
TLS_RSA_WITH_IDEA_CBC_SHA

I am assuming that the Stand Alone Web App is responding on the specified port to these ciphers.

Help and or insight would be appreciated.

Thanks.

Use haproxy as your load balancer and configure the ciphers however you need. It is the best option IMO for what you are doing. It is purpose built for this particular task. I am sure there is at least one if not two threads on it here on the forums and I’m pretty sure there is at least one full writeup on how to configure it linked from one of those threads. It’s not that difficult to figure out from the docs either.

http://www.haproxy.org

BTW, there is a plugin available now that I haven’t tried yet, but will, that allows it to grab Let’s Encrypt certs without dropping your services even if you are using the default ports. Looks like a great solution for easy SSL cert handling as well.

+1 for Kevin.

HAproxy can do this easily - but if you are on Windows server I believe there is built-in load balancing that will also allow you to control accepted cipher suites and prioritize them, etc…

https://msdn.microsoft.com/en-us/library/windows/desktop/mt490158(v=vs.85).aspx

Sadly haproxy does not have a Windows version. :-(( I suppose I could stand up a VM as Linux and redirect to my Windows VM but that would take some IP address re-arranging. I can do it but it is not much fun in this environment.

I looked at haproxy initially before I wrote my little round robin balancer.

Maybe something on Windows exists. I will keep looking.

John,

I will do some digging but the link only talks about desktop versions of Windows. I am using Server 2008 R2.

Mark

The next best solution would be nginx.

It should work in a similar fashion, maybe not quite as polished and capable as haproxy for load balancing, but still should be very good and keep you from having to load Cygwin or the Linux on Windows shell to get haproxy to run under Windows.
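As an added illustration of the nginx suggestion above (this is example configuration written for this reply, not anything from the thread or the nginx project), the three app instances are assumed to listen on 127.0.0.1:8081-8083, and the hostname and certificate paths are placeholders. nginx terminates TLS on 443 with the flagged suite families excluded and round-robins to the backends itself, so the redirect-based balancer is no longer needed:

```nginx
# Minimal nginx.conf for the Windows build: TLS-terminating reverse proxy
# in front of the three standalone app instances (ports are assumed).
events {}

http {
    # nginx's default upstream policy is round-robin across these servers.
    upstream standalone_app {
        server 127.0.0.1:8081;
        server 127.0.0.1:8082;
        server 127.0.0.1:8083;
    }

    server {
        listen 443 ssl;
        server_name app.example.edu;                 # placeholder hostname

        # Forward slashes work for nginx on Windows; paths are placeholders.
        ssl_certificate     C:/nginx/certs/app.crt;
        ssl_certificate_key C:/nginx/certs/app.key;

        # TLS 1.2 only: removes the SSLv3/TLS 1.0-era negotiation outright.
        ssl_protocols TLSv1.2;

        # All six suites IT flagged use static RSA key exchange (kRSA) with
        # DES/3DES, RC4, SEED or IDEA. The negative entries remove each of
        # those families explicitly; the positive list keeps only
        # forward-secret AES-GCM / ChaCha20 suites.
        ssl_ciphers 'ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!kRSA:!aNULL:!eNULL:!EXPORT:!DES:!3DES:!RC4:!SEED:!IDEA:!MD5';
        ssl_prefer_server_ciphers on;

        location / {
            # The apps already speak HTTPS on their ports, so proxy over TLS;
            # only nginx's listener is exposed through the university firewall.
            proxy_pass https://standalone_app;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}
```

With this in place only port 443 needs to be opened by IT; the three app ports stay reachable from localhost and the internal network only, so the app's own SChannel cipher list is never offered to the Internet.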