On 2/26/2015 4:03 PM, Erich Titl wrote:

> This mixed together is an interesting situation for a lab and for
> educational purposes but if you want to do this in a commercial
> environment, consider building a separate protected _real_ LAN. Don't
> use VLANs (so forget about virtual machines, they all use them) because
> they are easy to monitor. Forget about the danger of someone snooping on
> your machines, if you can't protect them from snooping then you have lost
> anyway.
*YOU* know this. *I* know this. The customer (one you've all heard of, but NDA prevents me from revealing) wants the entire communication (user -> haproxy -> apache with mod_proxy_ajp and other modules -> tomcat) encrypted.

We are engaging in all this redirection for two reasons:

1) We can get very good SSL performance from haproxy, plus really nice DDoS mitigation capabilities.

2) There are Apache modules that we want to use which are not available for Tomcat, mod_pagespeed in particular.

SSL from the end user to haproxy is easy. SSL from there to apache is easy. Getting the AJP module to encrypt its communication to Tomcat is the part that I cannot do easily ... and if I can find a transparent encryption method, I might as well use that for the communication from haproxy to apache as well and avoid the extra SSL negotiation.

The customer wants ANY potential threat mitigated, and they're not interested in hearing about it when we tell them that an unauthorized user who is able to sniff the back-end traffic has already completely compromised the system and won't NEED to sniff that traffic.

Putting another NIC in the machines for a separate back-end LAN would be easy -- but it would not be encrypted, and that's what the customer wants. I can mention the idea of a separate NIC (and even completely separate switches) to my superiors, but if it's not encrypted, I don't think the customer will go for it.

Thanks,
Shawn
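One way to get the transparent encryption Shawn is asking for on the Apache-to-Tomcat AJP hop, as an added example that is not part of the thread: an OpenVPN static-key point-to-point tunnel between the two hosts, with Apache's AJP worker and Tomcat's AJP connector pinned to the tunnel addresses so cleartext AJP is never reachable on the LAN. The hostnames, tunnel addresses, key path and the /app context are assumptions; TLS mode with per-host certificates is the alternative if static keys do not fit the environment.

```conf
# --- apache host: /etc/openvpn/ajp-tunnel.conf (static-key point-to-point) ---
dev tun
proto udp
port 1194
remote tomcat-backend.example.internal 1194   # assumed hostname of the Tomcat host
ifconfig 10.8.0.1 10.8.0.2                    # assumed tunnel addresses: local, peer
secret /etc/openvpn/ajp-tunnel.key            # generated once: openvpn --genkey --secret ajp-tunnel.key
cipher AES-256-CBC                            # static-key mode needs a non-AEAD cipher
auth SHA256
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup

# --- tomcat host: /etc/openvpn/ajp-tunnel.conf (mirror image of the above) ---
dev tun
proto udp
port 1194
remote apache-frontend.example.internal 1194  # assumed hostname of the Apache host
ifconfig 10.8.0.2 10.8.0.1
secret /etc/openvpn/ajp-tunnel.key            # same shared key, copied out of band
cipher AES-256-CBC
auth SHA256
keepalive 10 60
persist-key
persist-tun
user nobody
group nogroup

# --- apache host: httpd configuration (mod_proxy + mod_proxy_ajp) ---
# Point the AJP worker at the far end of the tunnel, never at the LAN address.
ProxyPass        /app ajp://10.8.0.2:8009/app
ProxyPassReverse /app ajp://10.8.0.2:8009/app

# --- tomcat host: conf/server.xml ---
# Bind the AJP connector to the tunnel address only; the default (all interfaces)
# would leave the unencrypted port open on the back-end LAN.
<Connector protocol="AJP/1.3" port="8009" address="10.8.0.2" />
```

Confirm the binding with `ss -ltnp` on the Tomcat host (8009 should show only 10.8.0.2) and watch the LAN interface for any traffic to port 8009 after the switch-over.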
_______________________________________________
Openvpn-users mailing list
Openvpn-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-users