trafficserver-users mailing list archives

From Yann Ylavic <ylavic....@gmail.com>
Subject Re: how make backend applications aware about tls-offloading
Date Sat, 07 Jan 2017 23:54:57 GMT
On Sun, Jan 8, 2017 at 12:39 AM, Reindl Harald <h.reindl@thelounge.net> wrote:
>
> Am 08.01.2017 um 00:31 schrieb Yann Ylavic:
>>
>> On Sun, Jan 8, 2017 at 12:22 AM, Reindl Harald <h.reindl@thelounge.net>
>> wrote:
>>>
>>>
>>> ok, so we need to continue the code below and set the option in every
>>> tls-offloaded application - intention of this thread was maybe get this
>>> transparent which seems not to be possible
>>
>>
>> It is "technically" possible, but not wise IMHO.
>> Making every httpd module/CGI/app think the local connection is https
>> could lead to things like "; Secure" cookies sent on the (clear) wire,
>> and that option would be accompanied with so much warnings ("unless
>> you're really on the same switch, but even that...") that it'd be hard
>> to defend (endlessly?).
>
> exactly *that* would be the desired result if configured that way because
> the "clear wire" is controlled and trusted in that context and you *want*
> the secure flag sent for cookies between the tls-offloading server and the
> enduser to not get them back unencrypted over the "real clear wire"

I'm pretty sure the RFC does not allow for "secure" cookies to go in
clear, but that'd be an admin choice after all.
An RFC (as-much-as-it-can-)compliant server can hardly feature it, though.

>
> the whole purpose of *tls offloading* is run the application on a virtual
> machine with a preforked httpd and encryption on the reverse-proxy running
> multithreaded with keep-alive
>
> another security gain here is that the machine which runs application code
> never has a chance to see the private ssl key while a breach on the proxy
> with no application code is less likely

That's your architecture choice (constraint?), but you could achieve
the same by proxying to php-fpm for example, and possibly have more
response rewrite/reverse options too...
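The approach the thread ends up with is that each TLS-offloaded application, not the local httpd, decides whether the user-facing hop was TLS and sets its cookie flags accordingly. The following is an added illustration of that application-side logic, not code from the thread or from httpd; the trusted proxy subnet and the header name X-Forwarded-Proto are assumptions.

```python
"""Backend-side handling of a TLS-offloading reverse proxy (added example).

The backend's own socket is clear text, so it must learn from the proxy
whether the end user's hop was TLS, and must only believe that claim when
the immediate peer actually is the proxy.
"""
import ipaddress
from typing import Mapping

# Assumption: the TLS-offloading proxies live on this trusted segment.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def client_used_tls(peer_ip: str, headers: Mapping[str, str], local_tls: bool) -> bool:
    """Return True if the end user's connection to the proxy was TLS.

    local_tls says whether this backend's own socket is TLS (False for
    offloaded traffic). The forwarded header is honoured only when the peer
    is a trusted proxy, so a client reaching the backend directly cannot
    claim 'https' and obtain cookies it should not get.
    """
    if local_tls:
        return True
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in TRUSTED_PROXIES):
        return False
    lowered = {k.lower(): v for k, v in headers.items()}
    proto = lowered.get("x-forwarded-proto", "")
    # With chained proxies the header may carry several values; the first
    # one describes the client-facing hop.
    return proto.split(",")[0].strip().lower() == "https"


def session_cookie(name: str, value: str, tls: bool) -> str:
    """Build the Set-Cookie header for a session cookie.

    Secure is set only when the user-facing hop was TLS: a Secure cookie
    handed out over a clear hop is rejected by modern browsers, and a
    non-Secure one on a TLS hop would later be replayed over clear HTTP.
    """
    attrs = ["HttpOnly", "SameSite=Lax", "Path=/"]
    if tls:
        attrs.insert(0, "Secure")
    return f"{name}={value}; " + "; ".join(attrs)
```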
