Linux - General
This Linux forum is for general Linux questions and discussion.
If it is Linux Related and doesn't seem to fit in any other forum then this is the place.
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
I don't see why you'd use stunnel if you're already using an HTTPS load balancer. Something like nginx will happily connect to an SSL endpoint as well as decrypting it itself. Obviously though, your load balancer should be as close to your web server as possible, same local subnet, so there is seldom a need for SSL between the LB and the web server. SSL should never be used as a token tick-box gesture, but for proper security requirements. Do you need secure data encryption between two local devices within your own network?
Wouldn't I be using it in order to add the XFF header into the packet before it was forwarded on to the backend servers? Thus terminating the SSL at the load balancer first.
Wouldn't I also need to terminate it at the load balancer so the SSL was terminated in the correct place for the IP address (I'm not so sure on this one)? But regardless, so that I could forward the packet with whatever VH onto the correct set of web servers, maybe.
Thus I'd want to keep the comms encrypted from load balancer to backend as well, hence my assumption for something like stunnel. What about in places like the cloud? Where there is seldom need, depending on how much trust you can put into your provider's security measures?
No, I would not be using a noddy tool like stunnel in a production system, I'd be using functionality for XFF in a proper HTTP proxy, like nginx, which does this properly. Again I'd also not be using stunnel for backend SSL, I'd be doing it properly using something like nginx. Certainly decryption of SSL at a load balancer is very normal, you don't need to terminate SSL at the IP of the public address though. Apache will terminate any SSL connection and validate based on certificate credentials, not necessarily the IP, although the IP can be used to specify a certain endpoint architecturally.
There may be more of an angle to keep things encrypted within a cloud, I guess, but then if you don't trust their networking, why would you trust the rest of it?
Good reply, thanks. Are you saying that nginx can be used to terminate SSL (which I was already aware of), but also to re-encrypt the request and forward it on to the endpoint (which decrypts with its Apache SSL)? Sounds like a bit of processing overhead :-) but I guess this is the point I'm trying to wrestle with at the moment, how much trust I have in the cloud. So if the above can work, i.e.
LB nginx SSL termination, then forwards to backend acting as SSL client to SSL server endpoint. Thus packet transport is encrypted at all stages. That would be cool and something for me to look at much deeper, and outweigh the speed and overheads this creates against trust in cloud networking... Possible?
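The chain the last post asks about, as an added example that is not from anyone in this thread: a front-end nginx that terminates the client's TLS, sets X-Forwarded-For, and opens a second, certificate-verified TLS connection to the Apache back ends. The hostnames, file paths and 10.0.1.0/24 back-end addresses are assumptions.

```nginx
# Front-end nginx on the load balancer: terminates the client's TLS,
# records the client address, then re-encrypts to the Apache back ends.
# Hostnames, paths and the 10.0.1.0/24 back-end subnet are assumptions.

upstream backends {
    server 10.0.1.11:443;
    server 10.0.1.12:443;
}

server {
    listen 443 ssl;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/www.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/www.example.com.key;

    location / {
        # Second TLS session: nginx is the TLS client, Apache the server.
        proxy_pass https://backends;

        # Verify the back end's certificate against the internal CA, so
        # another host on the LAN cannot impersonate a web server to the LB.
        proxy_ssl_verify               on;
        proxy_ssl_verify_depth         2;
        proxy_ssl_trusted_certificate  /etc/nginx/tls/internal-ca.crt;
        proxy_ssl_server_name          on;
        proxy_ssl_name                 backend.internal.example;
        proxy_ssl_protocols            TLSv1.2 TLSv1.3;

        # Client identity for the back end's logs and access rules.
        # $proxy_add_x_forwarded_for appends $remote_addr to any XFF the
        # client sent, so the last value is always the address the LB saw.
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Host              $host;
    }
}
```

On the Apache side, mod_remoteip's RemoteIPHeader X-Forwarded-For together with RemoteIPInternalProxy restricted to the load balancer's address makes Apache take the client address from the header only when the request actually came through the LB, so a client cannot forge its own address by sending the header itself.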