Details
-
Feature Request
-
Resolution: Won't Do
-
Minor
-
None
-
1.3.0.Final, 1.2.9.Final
-
None
Description
Feature request from https://github.com/jmcabrera
Hello guys.
First of all, this is a feature request and not a bug.
I would like to "obfuscate" the jvmRoute so that an external attacker cannot "guess" the topology of my internal infrastructure.
The "strong" way would be to have a symmetrical cipher with a configurable key.
mod_cluster could then cipher the jsessionid before exposing it to the external world, and decipher it to recover the jvmRoute and properly redirect the request.
But I guess that this would have very undesirable consequences on performance.
The "weak" way would be just obfuscate, i.e. let's say that the jsessionid is alea + '.' + jvmRoute. We could take a part of the alea to alter the jvmroute in a reversible way (XORing for instance).
Anyhow, the expected effect would be that the jvmroute would be externally different for each and every request.
Unfortunately, I have close to no C skills, hence I cannot make this myself.
(as a side note, coming from mod_jk, I'm quite impressed by the features mod_cluster offers! Thanks for the good work )