
How do I ensure server anonymity across reverse proxy?

Discussion in 'Black Hat SEO Tools' started by jesse_pinkman, Oct 28, 2014.

  1. jesse_pinkman (Newbie; joined Feb 14, 2013; messages: 13; likes received: 1)

    Consider a hypothetical gambling site that requires the Amazon Web Services infrastructure. It can't be hosted anywhere other than Amazon.

    The site must appear to be located in Sweden or United Arab Emirates. WebCare360 provides a viable Reverse Proxy solution to accomplish this. Web requests are sent to their servers in Sweden or United Arab Emirates, which in turn transparently proxy the requests to my Amazon load balancer. This works, but there's a small glitch which could compromise anonymity.

    There's a very important cookie that the Amazon load balancer sets. The name of the cookie is AWSELB. A sample value for the AWSELB cookie is as follows:

    XXXXX18710B7543D15A56B340XXXXCCFF15E2719EDA62B2DBC5006C5ADFC12C14FC3A0578B5A400BD303377B2970D453XXXXXXX91A921E7987B433E4A67EE6EBFC11BFA4389D54FC980A9CA0XXXXX116BCEC173B9

    Anyone with the technical skills to inspect the HTTP request/response stream would see this cookie and intuit that my site lives at Amazon and furthermore, I suspect that the encrypted cookie value could personally identify the specific Amazon account that is hosting the service! This puts me in a bit of a bind. I can't strip out this cookie as it's required for site functionality but at the same time, its very existence reveals my identity and defeats the whole purpose of the anonymizing reverse proxy.

    Any ideas on how to solve this? The only solution I can come up with is to intercept the web requests and responses offshore, create an internal translation map, obscure the cookie's name and value when passing it to the client, and UNobscure the value when sending it back to the origin server at Amazon. Presumably I could write this type of code as an ASP.NET handler. But is there an easier way?
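
The translation map described in the post's last paragraph, as an added example that is not part of the original post: the proxy replaces the load balancer's `AWSELB` cookie with an opaque token on the way out and restores it on the way back, so the backend's cookie name and value never reach the client. The public name `sid2`, the class and method names, and the in-memory dictionaries are assumptions; several proxy nodes would need a shared store for the map.

```python
import secrets

ORIGIN_NAME = "AWSELB"   # cookie name set by the load balancer (from the post)
PUBLIC_NAME = "sid2"     # assumed neutral name shown to clients


class CookieTranslator:
    """Maps origin cookie values to opaque tokens and back (in-memory map)."""

    def __init__(self):
        self._by_token = {}   # token -> origin value
        self._by_value = {}   # origin value -> token, so repeats reuse one token

    def outbound(self, set_cookie: str) -> str:
        """Rewrite one origin Set-Cookie header value before it reaches the client."""
        pair, sep, attrs = set_cookie.partition(";")
        name, _, value = pair.strip().partition("=")
        if name != ORIGIN_NAME:
            return set_cookie                      # other cookies pass through
        token = self._by_value.get(value)
        if token is None:
            token = secrets.token_urlsafe(24)      # random, carries no origin data
            self._by_token[token] = value
            self._by_value[value] = token
        return f"{PUBLIC_NAME}={token}{sep}{attrs}"  # attributes kept as sent

    def inbound(self, cookie_header: str) -> str:
        """Rewrite a client Cookie header before it is forwarded to the origin."""
        kept = []
        for pair in cookie_header.split(";"):
            name, _, value = pair.strip().partition("=")
            if not name or name == ORIGIN_NAME:
                continue                           # never accept the origin name from clients
            if name == PUBLIC_NAME:
                real = self._by_token.get(value)
                if real is None:
                    continue                       # unknown or forged token: drop it
                name, value = ORIGIN_NAME, real
            kept.append(f"{name}={value}")
        return "; ".join(kept)
```

Dropping unknown tokens and client-supplied `AWSELB` cookies means the origin only ever sees stickiness values it issued itself.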