Re: SSL termination and HAProxy

Jonathan Matthews
January 02, 2013 05:30PM
On 2 January 2013 22:12, zuger <nginx-forum@nginx.us> wrote:
> Thank you Jonathan.
>
> Your explanations were very helpful and the link to "NameBasedSSLVHosts"
> also.

Glad it helped, Zuger.

> I will now evaluate the two scenarios. Terminate SSL in NGINX and forward
> http to the backend servers or use HAProxy.

SSL termination at the edge (I suggest in nginx) will save you much
grief, over time. I would only be considering passing SSL through to a
back-end layer if I had to for specific security reasons, such as
PCI-DSS compliance or because the machine at the network edge was
untrusted somehow.

Do note: with nginx you can proxy_pass to a *different* SSL FQDN,
after having terminated the SSL connection. I.e.

server {
    listen 443 ssl;
    server_name external-domain.com;
    # ssl cert config options which I can't remember off the top of my head ...
    ssl_certificate     /path/to/external-domain.com.crt;
    ssl_certificate_key /path/to/external-domain.com.key;
    location / {
        proxy_pass https://my-internal-service-name-which-is-still-ssl-encrypted.internal.fqdn:443;
    }
}

This way, you unwrap the SSL for long enough to route it correctly,
but then encrypt it again to ensure the communication between nginx
and the backend service is secure. This still requires the cert/key
for "external-domain.com" on the nginx server, however.

Do be aware that this setup *won't* allow you to exclude the nginx
machine from being part of your PCI-DSS CDE, I believe. (If that was
meaningless to you, just ignore it!)

Also be aware that, if your nginx machine is actually untrusted, this
doesn't help. Any attacker who gets control of the box still gets
access to your certs and can sniff any "SSL" traffic s/he likes.

> Did I understand correctly that when I use HAProxy I do not have to
> terminate SSL at HAProxy server? SSL will then be terminated at the backend
> servers?

[ NB: I'm only suggesting HAP as that's what I'd use in the scenario
you painted. Other TCP-Level Load Balancers Are Available. ]

HAProxy only learned to speak SSL in a recent-ish development version.
If you need to use a stable release (1.4) then you *cannot* terminate
SSL with it, and would have to pass the TCP connection through to
something that owned the appropriate SSL certificates.

HTH,
Jonathan
--
Jonathan Matthews // Oxford, London, UK
http://www.jpluscplusm.com/contact.html

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
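The terminate-then-re-encrypt pattern described in the post, written out as a complete nginx server block that also verifies the backend's certificate (an added example, not code from the original post; it assumes a current nginx, 1.13 or later, since the proxy_ssl_* directives arrived in 1.7.0 and TLSv1.3 later still, and the certificate paths and the internal hostname app.internal.example are placeholders):

```nginx
# Added example, not from the original post. Assumes nginx >= 1.13;
# all paths and the internal hostname are placeholders.
server {
    listen 443 ssl;
    server_name external-domain.com;

    # The public cert/key must live on the edge box: whoever controls
    # this machine can read everything, as the post points out.
    ssl_certificate     /etc/nginx/certs/external-domain.com.crt;   # placeholder
    ssl_certificate_key /etc/nginx/certs/external-domain.com.key;   # placeholder
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Unwrap on the public name, then re-encrypt to the internal service.
        proxy_pass https://app.internal.example:443;   # placeholder FQDN

        # Without proxy_ssl_verify, nginx accepts any certificate the backend
        # presents, so the second hop would be encrypted but not authenticated.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/nginx/certs/internal-ca.crt;  # placeholder
        proxy_ssl_server_name         on;                   # send SNI to the backend
        proxy_ssl_name                app.internal.example; # name checked against its cert
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Keep the client-facing host and address visible to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
    }
}
```

Run `nginx -t` after editing; a mismatch between proxy_ssl_name and the backend certificate, or a CA file that does not chain to it, surfaces in the error log as a failed upstream handshake rather than silently falling back to an unverified connection.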