10-08-2010, 04:25 PM, #1
Member. Registered: Aug 2006. Location: England Somewhere. Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu. Posts: 517.
HTTPS and LoadBalancer (WEB)
Hi Everyone,
I'm just wondering how many people out there use a load balancer of some kind for terminating HTTPS/TLS/SSL before sending requests onto backend web servers?
And if you send the requests onto those backend servers using a Stunnel of some sort to keep the data encrypted between your load balancer and your webservers?
Or what method do people use?
Cheers All,
M
10-10-2010, 01:59 AM, #2
Moderator. Registered: Jun 2001. Location: UK. Distribution: Gentoo, RHEL, Fedora, Centos. Posts: 42,816.
I don't see why you'd use stunnel if you're already using an HTTPS load balancer. Something like nginx will happily connect to an SSL end point as well as decrypting it itself. Obviously though, your load balancer should be as close to your web server as possible, same local subnet, so there is seldom a need for SSL between the LB and the web server. SSL should never be used as a token tick-box gesture, but for proper security requirements. Do you need secure data encryption between two local devices within your own network?
10-11-2010, 12:57 AM, #3
Member (Original Poster). Registered: Aug 2006. Location: England Somewhere. Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu. Posts: 517.
Hey, thanks for the reply.
Wouldn't I be using it in order to add the XFF header into the packet before it was forwarded on to the backend servers? Thus terminating the SSL at the load balancer first.
Wouldn't I also need to terminate it at the load balancer so the SSL was terminated in the correct place for the IP address (I'm not so sure on this one)? But regardless, so that I could forward the packet with whatever VH onto the correct set of web servers maybe.
Thus I'd want to keep the comms encrypted from load balancer to backend as well, hence my assumption for something like Stunnel. What about in places like the cloud? Where there is seldom need depending on how much trust you can put into your provider's security measures?
Thanks
10-11-2010, 02:13 AM, #4
Moderator. Registered: Jun 2001. Location: UK. Distribution: Gentoo, RHEL, Fedora, Centos. Posts: 42,816.
No, I would not be using a noddy tool like stunnel in a production system, I'd be using functionality for XFF in a proper HTTP proxy, like nginx, which does this properly. Again I'd also not be using stunnel for backend SSL, I'd be doing it properly using something like nginx. Certainly decryption of SSL at a load balancer is very normal, you don't need to terminate SSL at the IP of the public address though. Apache will terminate any SSL connection and validate based on certificate credentials, not necessarily the IP, although the IP can be used to specify a certain endpoint architecturally.
There may be more of an angle to keep things encrypted within a cloud I guess, but then if you don't trust their networking, why would you trust the rest of it?
10-15-2010, 04:19 PM, #5
Member (Original Poster). Registered: Aug 2006. Location: England Somewhere. Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu. Posts: 517.
Good reply, thanks. Are you saying that nginx can be used to terminate SSL (which I was aware of already), but also to re-encrypt the request and forward it on to the endpoint (which decrypts with its Apache SSL)? Sounds like a bit of processing overhead :-) but I guess this is the point I'm trying to wrestle with at the moment, how much trust I have in the cloud. So if the above can work, i.e.
LB nginx SSL termination then forwards to backend acting as SSL client to SSL server endpoint. Thus packet transport is encrypted at all stages. That would be cool and something for me to look at much deeper, and to weigh the speed and overheads this creates against trust in cloud networking... Possible?
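As an added example (not posted by anyone in this thread), the pattern the moderator describes and the original poster asks about: nginx terminating TLS at the load balancer, adding the XFF header, and re-encrypting to Apache backends that present their own certificates. It assumes a modern nginx (the proxy_ssl_* verification directives arrived in 1.7) and hypothetical hostnames, addresses and file paths.

```nginx
# Added example, not from the thread: nginx as the TLS-terminating load balancer
# that re-encrypts to the backend web servers. Hostnames, addresses and paths
# are placeholders.

upstream web_backend {
    server 10.0.1.11:443;   # backend Apache with its own TLS vhost (assumed addresses)
    server 10.0.1.12:443;
}

server {
    listen 443 ssl;
    server_name www.example.com;

    # Public certificate: the client's TLS session terminates here.
    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Second hop is TLS again, instead of plaintext on the LB-to-backend subnet.
        proxy_pass https://web_backend;

        # Verify the backend certificate against an internal CA, so another host
        # on that subnet cannot impersonate a web server to the load balancer.
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         2;
        proxy_ssl_trusted_certificate  /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_server_name          on;
        proxy_ssl_name                 backend.internal.example.com;  # name in the backend cert
        proxy_ssl_protocols            TLSv1.2 TLSv1.3;

        # Client identity that the backend would otherwise lose after termination.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Real-IP         $remote_addr;
    }
}
```

On the Apache 2.4 backends, mod_remoteip (`RemoteIPHeader X-Forwarded-For` with `RemoteIPInternalProxy` set to the load balancer's address) restores the real client IP for logging and access control while ignoring X-Forwarded-For values that did not come via the load balancer.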