LinuxQuestions.org
Old 10-08-2010, 04:25 PM   #1
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 517

Rep: Reputation: 39
HTTPS and LoadBalancer (WEB)


Hi Everyone,

I'm just wondering how many people out there use a load balancer of some kind for terminating HTTPS/TLS/SSL before sending requests onto backend web servers?

And do you send the requests on to those backend servers using a Stunnel of some sort to keep the data encrypted between your load balancer and your web servers?

Or what method do people use?

Cheers All,
M
 
Old 10-10-2010, 01:59 AM   #2
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,374

Rep: Reputation: 1962
I don't see why you'd use stunnel if you're already using an HTTPS load balancer. Something like nginx will happily connect to an SSL endpoint as well as decrypting it itself. Obviously though, your load balancer should be as close to your web server as possible, same local subnet, so there is seldom a need for SSL between the LB and the web server. SSL should never be used as a token tick-box gesture, but for proper security requirements. Do you need secure data encryption between two local devices within your own network?
 
Old 10-11-2010, 12:57 AM   #3
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 517

Original Poster
Rep: Reputation: 39
Hey, thanks for the reply.

Wouldn't I be using it in order to add the XFF header into the packet before it was forwarded on to the backend servers? Thus terminating the SSL at the load balancer first.

Wouldn't I also need to terminate it at the load balancer so the SSL was terminated in the correct place for the IP address (I'm not so sure on this one)? But regardless, so that I could forward the packet with whatever VH on to the correct set of web servers, maybe.

Thus I'd want to keep the comms encrypted from load balancer to backend as well, hence my assumption for something like Stunnel. What about in places like the cloud, where there is seldom need, depending on how much trust you can put into your provider's security measures?

Thanks
 
Old 10-11-2010, 02:13 AM   #4
acid_kewpie
Moderator
 
Registered: Jun 2001
Location: UK
Distribution: Gentoo, RHEL, Fedora, Centos
Posts: 43,374

Rep: Reputation: 1962
No, I would not be using a noddy tool like stunnel in a production system, I'd be using functionality for XFF in a proper HTTP proxy, like nginx, which does this properly. Again I'd also not be using stunnel for backend SSL, I'd be doing it properly using something like nginx. Certainly decryption of SSL at a load balancer is very normal, you don't need to terminate SSL at the IP of the public address though. Apache will terminate any SSL connection and validate based on certificate credentials, not necessarily the IP, although the IP can be used to specify a certain endpoint architecturally.

There may be more of an angle to keep things encrypted within a cloud, I guess, but then if you don't trust their networking, why would you trust the rest of it?
 
Old 10-15-2010, 04:19 PM   #5
helptonewbie
Member
 
Registered: Aug 2006
Location: England Somewhere
Distribution: Mandriva, PCLinuxOS, Karoshi, Suse, Redhat, Ubuntu
Posts: 517

Original Poster
Rep: Reputation: 39
Good reply, thanks. Are you saying that nginx can be used to terminate SSL (I was aware of that already), but also to re-encrypt the request and forward it on to the endpoint (which decrypts with its Apache SSL)? Sounds like a bit of processing overhead :-) but I guess this is the point I'm trying to wrestle with at the moment, how much trust I have in the cloud. So if the above can work, i.e.

LB nginx SSL termination then forwards to backend acting as SSL client to SSL server endpoint. Thus packet transport is encrypted at all stages. That would be cool and something for me to look at much deeper, and weigh the speed and overheads this creates against trust in cloud networking... Possible?
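The setup acid_kewpie describes in post #4 and helptonewbie sketches in post #5 (nginx terminates the public TLS, adds X-Forwarded-For, then acts as a TLS client towards Apache), as an added nginx configuration example that is not from the thread or the nginx project; hostnames, addresses, certificate paths and the internal CA are assumptions, and the backend-verification directives need a reasonably current nginx (1.7 or later).

```nginx
# Added example: nginx as TLS-terminating load balancer that re-encrypts
# to the Apache backends, so the LB-to-backend hop is also TLS.
# All names, addresses and paths below are assumed placeholders.

upstream apache_backends {
    # Assumed backend addresses; each Apache listens for HTTPS on 443.
    server 10.0.1.11:443;
    server 10.0.1.12:443;
    keepalive 32;                        # reuse backend TLS connections
}

server {
    listen 443 ssl;
    server_name www.example.com;         # assumed public name

    # Public-facing certificate (placeholder paths)
    ssl_certificate     /etc/nginx/tls/public.crt;
    ssl_certificate_key /etc/nginx/tls/public.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass https://apache_backends;

        # Pass the original client address and scheme to the backend
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Backend TLS: send SNI and verify the backend certificate against
        # a private CA, so the inner hop is authenticated, not just encrypted.
        proxy_ssl_server_name on;
        proxy_ssl_name        $host;
        proxy_ssl_verify      on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;
        proxy_ssl_session_reuse on;      # cuts the handshake overhead

        # Upstream keepalive requires HTTP/1.1 without Connection: close
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }
}
```

On the Apache side, the backend certificate must carry the name passed in proxy_ssl_name, and X-Forwarded-For should only be trusted when the request arrives from the load balancer's own address, since any client can set that header itself.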
 