28-04-2010, 16:58   #16
robdrysdale
Member
 
Join Date: Dec 2005
Posts: 75

Quote:
Originally Posted by markpb
It's not hard to terminate the SSL connection on one machine and then direct one URL to the IIS server and another to the Apache server. It's fully acceptable to do that under PCI-DSS rules. There's no reason for Irish Rail to adopt the approach they've taken other than laziness.
Yep. It's called ProxyPass on Apache and I believe Application Request Routing on IIS (which I believe they are running on their main irishrail.ie server). See http://www.iis.net/download/ApplicationRequestRouting. Pretty trivial to do. Use it all the time on servers in work.

Running on port 8443 is pretty bad IT really.

Also from a security perspective don't think I'd ever expose an Apache Tomcat server directly to the external world as they have done. I'd question whether their infrastructure can handle the load of many thousands of users as this system goes live.
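The setup described in the post above, sketched as an Apache reverse-proxy virtual host. This is an added example, not part of the original thread and not Irish Rail's configuration; the hostname, certificate paths, URL prefix and backend addresses are all placeholders, and it assumes mod_ssl, mod_proxy and mod_proxy_http are loaded.

```apache
# Added example: every hostname, path and address below is a placeholder.
# TLS is terminated once, on the standard port 443, so clients never need
# to reach a backend on a non-standard port such as 8443.
<VirtualHost *:443>
    ServerName www.example.ie

    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.ie.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.ie.key

    # Reverse proxy only; never act as an open forward proxy.
    ProxyRequests Off
    # Pass the original Host header through to the backends.
    ProxyPreserveHost On

    # One URL prefix goes to the Tomcat application. Tomcat listens only on
    # an internal address and is not reachable from the outside world.
    # The more specific prefix must be listed before the catch-all below.
    ProxyPass        /booking/ http://10.0.0.20:8080/booking/
    ProxyPassReverse /booking/ http://10.0.0.20:8080/booking/

    # Everything else goes to the IIS site, also on an internal address.
    ProxyPass        / http://10.0.0.10:80/
    ProxyPassReverse / http://10.0.0.10:80/
</VirtualHost>
```

With this layout only the proxy needs a firewall opening from the internet; the Tomcat and IIS listeners can be restricted to accept connections from the proxy's address alone.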