What’s Your HTTPS Grade?
A Case Study of HTTPS/SSL at Mid Michigan
Community College
Brandon Kish
@kishba
About Me
Director of Programming, Mid Michigan Community College (~4,500 students)
Former Blackboard Administrator, Central Michigan University (~27,000 students)
Former Moodle Administrator at MMCC
I love web technology
@kishba
🔒 Why HTTPS?
Do you want your sensitive data traveling through a Man-In-The-Middle?
Man-In-The-Middle
• ISPs (injecting ads, tracking cookies/scripts)
• Verizon/AT&T
• Gogo
• Even certain employers & organizations might do
Usernames and Passwords
1. People re-use passwords
2. Institutions with LDAP likely have multiple systems that prompt for passwords
What does this have to do with Moodle?
• Don’t let Moodle be your weak link!
• Enable HTTPS on your login screen
✅ HTTPS
NOT ALL HTTPS IS EQUAL!
1. Deprecated Protocols
2. Weak Ciphers
3. Weak Certificates
1. Protocol: SSL vs. TLS
• “A cryptographic protocol by any other name would be as secure?” – Infosec Shakespeare
• SSL is dead. Long live SSL*!
(* Transport Layer Security)
Cryptography 101
• (A)lice is trying to tell (B)ob a secret, but (E)ve is listening in.
• “A communicating with B with E trying to eavesdrop”
• Alice can use the advertised key from Bob to generate gibberish, and only the private key Bob used to generate the public/advertised certificate can unlock/translate the gibberish.
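To make the Alice/Bob/Eve story concrete, here is a toy textbook RSA round trip. This is an added example, not code from the deck: the primes (61 and 53), exponent 17 and message are constructed, and the scheme uses tiny numbers and no padding, so it shows the idea of a public key that encrypts and a private key that decrypts, and why key size matters (Eve recovers the private key from such a small public modulus by trial-division factoring), but is not a usable cipher.

```python
"""Toy textbook RSA: public key encrypts, only the private key decrypts.
Constructed for illustration (tiny primes, no padding); never use for real data."""
from math import isqrt


def egcd(a, b):
    """Extended Euclid: returns (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y


def modinv(a, m):
    """Multiplicative inverse of a modulo m (raises if it does not exist)."""
    g, x, _ = egcd(a, m)
    if g != 1:
        raise ValueError("no modular inverse")
    return x % m


def keygen(p, q, e=17):
    """Bob's key pair from two primes: (n, e) is advertised, (n, d) stays with Bob."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = modinv(e, phi)
    return (n, e), (n, d)


def encrypt(pub, message):
    """Alice turns each byte into 'gibberish' using only Bob's public key.
    One byte per block is safe here because n > 255."""
    n, e = pub
    return [pow(m, e, n) for m in message]


def decrypt(priv, blocks):
    """Only the holder of d can turn the blocks back into the message."""
    n, d = priv
    return bytes(pow(c, d, n) for c in blocks)


def recover_private_key(pub):
    """What Eve can do when n is tiny: factor it by trial division and rebuild d.
    For a real 2048-bit modulus this loop would never finish; that gap is the security."""
    n, e = pub
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            q = n // p
            return n, modinv(e, (p - 1) * (q - 1))
    raise ValueError("n is prime; not an RSA modulus")


if __name__ == "__main__":
    public, private = keygen(61, 53)          # constructed toy primes
    gibberish = encrypt(public, b"meet at noon")
    print("Alice sends:", gibberish)
    print("Bob reads:", decrypt(private, gibberish))
    print("Eve factors n and gets d =", recover_private_key(public)[1])
```

The last function is the point of the "weak certificates" discussion later in the deck: the private key is only as safe as the difficulty of recovering it from the public one.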
2. Weak Ciphers
• Cipher = algorithm for producing (and understanding) gibberish
ay2varjSFUMUmtvZeh9755GVyCkWHG0
• Browser and web server have to use the same cipher
• If a server accepts weak ciphers, attackers will use
Weak Ciphers (continued)
Browser (cipher suites the browser offers):
ECDHE-ECDSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-GCM-SHA256
DHE-RSA-AES128-GCM-SHA256
ECDHE-ECDSA-CHACHA20-POLY1305-SHA256
ECDHE-RSA-CHACHA20-POLY1305-SHA256128
DHE-RSA-CHACHA20-POLY1305-SHA256128
ECDHE-ECDSA-AES256-SHA256
ECDHE-RSA-AES256-SHA
DHE-RSA-AES256-SHA256
ECDHE-ECDSA-AES128-SHA128
ECDHE-RSA-AES128-SHA128
DHE-RSA-AES128-SHA128
RSA-AES128-GCM-SHA256128
RSA-AES256-SHA256
RSA-AES128-SHA
RSA-3DES-EDE-SHA168
Server (cipher suites the server accepts):
ECDHE-RSA-AES128-GCM-SHA256
ECDHE-RSA-AES128-SHA256
ECDHE-RSA-AES128-SHA
AES128-GCM-SHA256
AES128-SHA256
AES128-SHA
ECDHE-RSA-AES256-GCM-SHA384
ECDHE-RSA-AES256-SHA384
ECDHE-RSA-AES256-SHA
AES256-GCM-SHA384
AES256-SHA256
AES256-SHA
ECDHE-RSA-DES-CBC3-SHA
DES-CBC3-SHA
https://cc.dcsec.uni-hannover.de
https://www.ssllabs.com/ssltest/analyze.html?d=moodle.midmich.edu
1+2 = Downgrade attacks
• Forcing communication with a weak cipher
• Forcing communication over an older protocol
• POODLE (October 2014 variant) affected SSL 3
3. Weak Certificates
• The public key, certificate, and private keys we’ve talked about are generated with a particular algorithm
• Google Online Security Blog:
The SHA-1 cryptographic hash algorithm has been known to be considerably weaker than it was designed to be since at least 2005 — 9 years ago. Collision attacks against SHA-1 are too affordable for us to consider it safe for the public web PKI. We can only expect that attacks will get cheaper.
• Officially deprecated in 2011, but many certificate providers continued to issue certificates with this algorithm. SHA-2/SHA-256 is now preferred.
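The SHA-1 problem lives in one specific field of the certificate: the signatureAlgorithm that the issuing CA used to sign it. The following added example (not from the deck) reads that field straight out of DER with a minimal ASN.1 walker and flags SHA-1/MD5 signatures. The certificate it parses is a constructed, structurally minimal stand-in (an empty placeholder where tbsCertificate would be, a real AlgorithmIdentifier, and a dummy signature), not a real certificate; the OID-to-name table holds standard PKIX OIDs.

```python
"""Extract the signatureAlgorithm OID from a DER-encoded X.509 certificate
and flag weak hashes. Added example; the sample certificate is constructed."""

# Standard PKIX signature-algorithm OIDs.
OID_NAMES = {
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}
WEAK_HASHES = ("md2", "md5", "sha1")


def der_tlv(buf, pos=0):
    """Decode one DER tag-length-value at pos; return (tag, content, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits = number of length bytes
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def der_children(content):
    """All TLVs directly inside a constructed value, as (tag, content) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = der_tlv(content, pos)
        out.append((tag, body))
    return out


def decode_oid(body):
    """OBJECT IDENTIFIER content bytes -> dotted string."""
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                    # last byte of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def signature_algorithm(cert_der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue };
    return (oid, name) of the second element."""
    tag, cert, _ = der_tlv(cert_der)
    assert tag == 0x30, "not a SEQUENCE"
    _tbs, alg_id, _sig = der_children(cert)
    oid_tag, oid_body = der_children(alg_id[1])[0]
    assert oid_tag == 0x06, "AlgorithmIdentifier must start with an OID"
    oid = decode_oid(oid_body)
    return oid, OID_NAMES.get(oid, "unknown")


def uses_weak_hash(cert_der):
    _, name = signature_algorithm(cert_der)
    return any(h in name.lower() for h in WEAK_HASHES)


# --- helpers to build the constructed sample certificate -------------------
def der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytes([40 * arcs[0] + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.insert(0, 0x80 | (a & 0x7F))
            a >>= 7
        body += bytes(chunk)
    return der(0x06, body)


def constructed_cert(sig_oid):
    """Structurally minimal stand-in: placeholder tbsCertificate, real AlgorithmIdentifier, dummy signature."""
    tbs = der(0x30, der(0x02, b"\x01"))                 # placeholder, not a real tbsCertificate
    alg_id = der(0x30, encode_oid(sig_oid) + der(0x05, b""))
    sig = der(0x03, b"\x00" + b"\x00" * 16)             # dummy BIT STRING
    return der(0x30, tbs + alg_id + sig)


if __name__ == "__main__":
    for oid in ("1.2.840.113549.1.1.5", "1.2.840.113549.1.1.11"):
        c = constructed_cert(oid)
        print(signature_algorithm(c), "weak" if uses_weak_hash(c) else "ok")
```

For a real PEM file, the standard library's ssl.PEM_cert_to_DER_cert(pem_text) yields the DER bytes to feed to signature_algorithm. Check the leaf and every intermediate in the chain; the root's self-signature is not what browsers evaluate, so a SHA-1 root alone does not lower the grade.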
4. Bugs in Encryption Libraries
• The previous problems were all about the design of the security we use
• Implementations of SSL/TLS are a whole source of vulnerabilities in their own right!
• OpenSSL is used in everything from Apache to card entry doors :)
NOT ALL HTTPS IS EQUAL!
1. Deprecated Protocols
2. Weak Ciphers
3. Weak Certificates
What does this mean for my institution?
Case Study: Mid Michigan Community College
November 2014 – March 2015
Our Web Sites
midmich.edu / www.midmich.edu: expires 12/2015 ($)
moodle.midmich.edu: expires 12/2016 ($)
midweb.midmich.edu: expires 8/2015 ($)
print.midmich.edu
*.midmich.edu (wildcard): expires 12/2015 ($$$)
Wildcard certificate for lower cost than many separate certificates.
One expiration date for this one wildcard certificate.
Our Web Servers
midmich.edu / www.midmich.edu: Apache
moodle.midmich.edu: nginx
midweb.midmich.edu: Tomcat
Wildcard Cert Realities
• Different servers expect different formats for certificate and/or private key
• p12, pfx, p7b, pem, der, oh my!
• Missing certain chained certificates (I’m looking at you Tomcat) causes mobile browsers to fail to connect
Managing our certificates was a nightmare we tried to limit to once every four years.
TL;DR #1
(Wikipedia: Too long; didn’t read)
Qualys SSL Labs
www.ssllabs.com
Our Grades
midmich.edu / www.midmich.edu: C/F (POODLE, DH, FREAK)
moodle.midmich.edu: B (SSL 3)
midweb.midmich.edu: F (POODLE, Bad chain)
Our web servers had inconsistent and insecure configurations.
(And we’re only as strong as our weakest link.)
Option 1
• Update each web server individually
• Tomcat: Edit server.xml
sslProtocol="TLS"
sslEnabledProtocols="TLSv1.2,TLSv1.1,TLSv1"
ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_256_CBC_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,SSL_RSA_WITH_RC4_128_SHA"
Option 1
• Update each web server individually
• Apache: Edit ssl mod’s ssl.conf file
SSLProtocol all -SSLv2 -SSLv3
SSLHonorCipherOrder on
SSLCipherSuite "EECDH+ECDSA+AESGCM \
EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 \
EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 \
EECDH+aRSA+SHA256 EECDH+aRSA+RC4 \
EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW \
!3DES !MD5 !EXP !PSK !SRP !DSS"
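Two passages above call for the same walkthrough: the "1+2 = Downgrade attacks" slide (a weak suite gets chosen only if the server still accepts it) and the Option 1 Tomcat/Apache lists (which, as written for 2015, still include RC4 and non-forward-secret RSA suites). The added example below is not from the deck: it audits a cipher list by name and then plays out the TLS 1.2-style negotiation in which the server picks the first suite from its own ordered list that the client also offered (what SSLHonorCipherOrder on means), versus letting the client's order win. The Tomcat list is the one from the slide; the other client and server lists are constructed, and the classifier judges suites purely by the conventions in their names (OpenSSL and IANA spellings both work).

```python
"""Audit cipher-suite names and simulate suite selection. Added example; lists other
than TOMCAT_CIPHERS are constructed for illustration."""

# The ciphers="..." attribute from the deck's Tomcat server.xml slide (IANA names).
TOMCAT_CIPHERS = [
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256", "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384", "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_RC4_128_SHA", "TLS_RSA_WITH_AES_128_CBC_SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA", "TLS_RSA_WITH_AES_256_CBC_SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA", "SSL_RSA_WITH_RC4_128_SHA",
]


def weak_reasons(suite):
    """Why a suite should be dropped, judged from its name; [] means nothing flagged."""
    s = suite.upper().replace("_", "-")      # normalise IANA 'TLS_..._WITH_...' to dashes
    reasons = []
    if "RC4" in s:
        reasons.append("RC4")
    if "3DES" in s or "DES-CBC3" in s:
        reasons.append("3DES")
    if "MD5" in s:
        reasons.append("MD5")
    if "NULL" in s:
        reasons.append("NULL")
    if "EXP" in s:                            # EXP-/EXPORT suites (FREAK-class 512-bit keys)
        reasons.append("export")
    if "ANON" in s or "ADH" in s or "AECDH" in s:
        reasons.append("anonymous key exchange")
    if "DHE" not in s:                        # neither DHE- nor ECDHE-: no forward secrecy
        reasons.append("no forward secrecy")
    return reasons


def audit(suites):
    """Map each flagged suite to its reasons; clean suites are omitted."""
    return {s: weak_reasons(s) for s in suites if weak_reasons(s)}


def negotiate(client_offer, server_suites, honor_server_order=True):
    """First mutually supported suite in the preferring side's order, or None (handshake fails)."""
    preferred, other = (server_suites, client_offer) if honor_server_order else (client_offer, server_suites)
    other_set = set(other)
    for s in preferred:
        if s in other_set:
            return s
    return None


# Constructed server and client lists (OpenSSL names), ordered by each side's preference.
LEGACY_SERVER = ["ECDHE-RSA-AES128-GCM-SHA256", "AES128-SHA", "RC4-SHA", "DES-CBC3-SHA"]
HARDENED_SERVER = [s for s in LEGACY_SERVER if not weak_reasons(s)]
MODERN_CLIENT = ["AES128-SHA", "ECDHE-RSA-AES128-GCM-SHA256", "RC4-SHA"]
LEGACY_CLIENT = ["RC4-SHA", "DES-CBC3-SHA"]   # an old client, or one that fell back


if __name__ == "__main__":
    for suite, why in audit(TOMCAT_CIPHERS).items():
        print(f"{suite}: {', '.join(why)}")
    print("server order honoured:", negotiate(MODERN_CLIENT, LEGACY_SERVER))
    print("client order honoured:", negotiate(MODERN_CLIENT, LEGACY_SERVER, honor_server_order=False))
    print("legacy client vs legacy server:", negotiate(LEGACY_CLIENT, LEGACY_SERVER))
    print("legacy client vs hardened server:", negotiate(LEGACY_CLIENT, HARDENED_SERVER))
```

The last two lines are the whole argument of the downgrade slide: the legacy server happily settles on RC4-SHA, while the hardened server has nothing in common with a weak-only offer and the handshake fails closed, which is the outcome you want. Run audit() over the expanded output of a cipher string (openssl ciphers -v '<string>') to see what an SSLCipherSuite or ssl-default-bind-ciphers line really admits.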
Option 1
• Update each web server individually
Option 2
• Load balancer(s) in front of all our web systems
• nginx was already doing this for our Moodle app servers: See Matt Rice’s “A Balanced Approach: How to Direct Your Moodle Traffic”
• I had used F5 appliances at another institution
Option 2, Visualized
Sample HAProxy configuration for Moodle @ MMCC

global
    log /dev/log local0
    log /dev/log local1 notice
    chroot /var/lib/haproxy
    user haproxy
    group haproxy
    daemon

    # Default SSL material locations
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

    # Default ciphers to use on SSL-enabled listening sockets.
    # For more information, see ciphers(1SSL).
    ssl-default-bind-ciphers kEECDH+aRSA+AES:kRSA+AES:+AES256:aRSA+3DES:!RC4-SHA:!kEDH:!LOW:!EXP:!MD5:!aNULL:!eNULL
    ssl-default-bind-options no-sslv3

defaults
    log global
    mode http
    option httplog
    option log-separate-errors # Separate error logs from access logs
    balance roundrobin
    option dontlognull
    timeout connect 5000
    timeout client 50000
    timeout server 50000
    errorfile 400 /etc/haproxy/errors/400.http
    errorfile 403 /etc/haproxy/errors/403.http
    errorfile 408 /etc/haproxy/errors/408.http
    errorfile 500 /etc/haproxy/errors/500.http
    errorfile 502 /etc/haproxy/errors/502.http
    errorfile 503 /etc/haproxy/errors/503.http
    errorfile 504 /etc/haproxy/errors/504.http

frontend load_balancers
    ## Binding to both test (192.) and production (67.) IP addresses
    #HTTP
    bind 192.168.1.90:80
    bind 67.209.249.176:80
    #HTTPS
    bind 192.168.1.90:443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem
    bind 67.209.249.176:443 ssl crt /etc/ssl/private/wildcard.midmich.edu.pem

    ########################
    ## Moodle #############
    acl dest_moodle_prod hdr(host) -i moodle.midmich.edu
    use_backend moodle_prod_nodes if dest_moodle_prod
    ########################

backend moodle_prod_nodes
    option forwardfor
    option http-server-close
    http-request set-header X-Forwarded-Port %[dst_port]
    http-request set-header X-Forwarded-Proto https if { ssl_fc }
    option httpchk HEAD /admin/tool/heartbeat/index.php HTTP/1.1\r\nUser-Agent:\ HAProxy\r\nHost:\
    # Redirect all traffic to HTTPS
    redirect scheme https if !{ ssl_fc }
    # Do NOT inject this cookie; however, if it exists, send the user to the appropriate server
    cookie MAPPSERVER indirect nocache preserve
    server mapp1 192.68.1.71:80 check inter 2000 cookie mapp1
    server mapp2 192.68.1.72:80 check inter 2000 cookie mapp2
    server mapp3 192.68.1.73:80 check inter 2000 cookie mapp3 backup
• Configure allowed ciphers and bind ports to certificate
• Connect traffic received on the frontend to various backends via ACLs
• Inject headers so Moodle servers will know traffic was forwarded
• Define a “health check” to determine whether servers in the pool are online!
• We forward all traffic to https at the load balancer level!