Pre-Authentication - How it Works
This setup is based on a reverse proxy on the Frontend Apache and a backend application on the Backend Apache web server. Pre-authentication means that only authenticated users are allowed to reach the Backend Application. The Frontend Apache must therefore be considered a guard that redirects unauthenticated users to its login service and passes authenticated users through to the Backend Application.
How it Works
If a user clicks on a private (or protected) URL, the user is redirected to the login application. The login application is part of the Frontend Apache. If the user enters valid credentials at the login app, the pre-auth service running on the Frontend Apache grants access and delivers the content from the Backend Apache. If the user enters invalid credentials, the Frontend Apache does not let the user in.
The URL /private is a protected URL. Without being authenticated at the Frontend Apache, it is not possible to access the /private URL.
E-Banking Blueprint
The /private URL is proxied to the Backend Apache server. This architecture is commonly seen in e-banking infrastructures. It has one great advantage: the e-banking app is only ever requested by authenticated users. Anonymous users or cyber criminals cannot search for common vulnerabilities using sqlmap or similar. Any such hacking traces will link back to a legitimate (possibly hijacked) user account.
Forensic Readiness
With forensic readiness we want to ensure that log files can be correlated across an n-tier architecture. Correlation based on the timestamp (NTP) is not sufficient. What we need is a per-request ID that is logged to every log file we have. Thus, the web server talking to the client, in our case the Frontend Apache, must create such a unique ID and pass it on to the Backend Apache. This is exactly how the two Apache instances of this LiveCD work together, and it is why there is an Echo Request Application on the Backend Apache: it gives you the evidence you need to understand how the unique ID is being used.
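The correlation described above, as an added example that is not part of the original page or the LiveCD: a small Python script that joins Frontend and Backend log entries on the per-request ID instead of the timestamp, and reports Backend entries that carry no ID known to the Frontend. The log layout, the ID values and the names FRONTEND_LOG, BACKEND_LOG, parse and correlate are assumptions made for this illustration.

```python
import re

# Constructed sample logs. Assumed layout (not from the page): timestamp,
# per-request ID, authenticated user ("-" on the backend), request, status.
FRONTEND_LOG = """\
2024-05-01T10:00:01Z ZjIxAAAB alice "GET /private/account HTTP/1.1" 200
2024-05-01T10:00:01Z ZjIxAAAC bob "GET /private/account HTTP/1.1" 200
2024-05-01T10:00:02Z ZjIxAAAD alice "GET /private/transfer HTTP/1.1" 500
"""
# The backend clock runs behind and the first two lines arrive in the other
# order, so timestamps cannot pair the identical requests with the right user.
BACKEND_LOG = """\
2024-05-01T09:59:58Z ZjIxAAAC - "GET /private/account HTTP/1.1" 200
2024-05-01T09:59:58Z ZjIxAAAB - "GET /private/account HTTP/1.1" 200
2024-05-01T09:59:59Z ZjIxAAAD - "GET /private/transfer HTTP/1.1" 500
2024-05-01T10:00:05Z - - "GET /private/admin HTTP/1.1" 200
"""

LINE = re.compile(
    r'^(?P<ts>\S+) (?P<rid>\S+) (?P<user>\S+) "(?P<req>[^"]*)" (?P<status>\d{3})$')

def parse(log):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            yield m.groupdict()

def correlate(frontend_log, backend_log):
    """Join both tiers on the request ID.

    Returns (joined, orphans). joined maps request ID to a merged record that
    attaches the frontend user to the backend entry. orphans are backend
    entries whose ID is missing or was never logged by the frontend, i.e.
    requests that did not pass through the guard.
    """
    front = {e["rid"]: e for e in parse(frontend_log) if e["rid"] != "-"}
    joined, orphans = {}, []
    for b in parse(backend_log):
        f = front.get(b["rid"])
        if f is None:
            orphans.append(b)
        else:
            joined[b["rid"]] = {"user": f["user"], "frontend_ts": f["ts"],
                                "backend_ts": b["ts"], "request": b["req"],
                                "backend_status": b["status"]}
    return joined, orphans
```

Calling correlate(FRONTEND_LOG, BACKEND_LOG) attributes each Backend entry to the user the Frontend authenticated, and the last Backend line is returned as an orphan because no Frontend entry carries its ID.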