Hi Jake,

The “defense in depth” is to turn SSL on for every Geode client server interaction, according to the GitHub example here: https://github.com/apache/geode-native/blob/develop/examples/dotnet/sslputget/Program.cs. Anthony said that he finds that users take this approach, even with Geode client components that may not need data encryption – i.e. on the same cluster as servers, behind a firewall / VPN etc. Whereas for UI and Ops Monitors outside a DMZ we’ve got to encrypt data even though our ISPs have further firewalls, which are basically public.

I had asked whether it was possible to have 2 Geode servers, for which the “cluster” communication was not SSL, and 1 server had “server” SSL and the other server did not. Then we could connect internal clients to the non-SSL server and external clients to the SSL server. Maybe it’s possible for some kind of smart locator, but in general I understand all members within a “system” share the same TLS configuration. Given time we could try and configure a locator to point some clients to one server and others to another and see? ☺

Thanks for the PlantUml hint. I had heard of it. Do you know whether it can reverse engineer Java / C# code to auto produce diagrams direct from the code?

Cheers,
Rupert

From: Jacob Barrett [mailto:[email protected]]
Sent: 18 July 2020 01:31
To: [email protected]
Cc: Wai Lun Poon; Edgaras Valius
Subject: Re: Geode and sTunnel

On Jul 17, 2020, at 11:01 AM, Rupert St John Webster <[email protected]> wrote:

> Jake & Anthony thanks for the comments, much appreciated. We are going to work on the “defense in depth” approach in the long run.

Can you elaborate on this?

> Meanwhile can I ask do you know if the native client will support the SNI proxy approach?

I know there is a group working on a solution, though I think they are hung up on trying to fix some other things prior to and if proxy support. It’s unlikely it will make the 1.13 cut.

> Finally, I guess an answer to the stack overflow question <https://stackoverflow.com/questions/62921394/using-stunnel-for-apache-geode-net-client-ssl-connection-to-server> is that it’s possible using DNS entries, but not recommended as a robust solution. I shall have a go later and update.

Yes, split horizon DNS can solve this. Your lan1 would have all the locator and server names resolve to the stunnel ip. The stunnel would need to listen on all the ports for locators and servers. This also means that locators and servers in lan2 must use unique ports across the cluster, not just their ip.

> By the way, what’s the UML tool you have there?! I’ve been looking for one for some time ☺

It’s a crusty but functional tool. It is supported by a few IDEs and document rendering engines. https://plantuml.com/

-Jake
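The split-horizon DNS plus stunnel layout Jake describes, worked through as an added example that is not part of the thread or of the Geode project: it emits the lan1 hosts entries (every locator and server name pointing at the stunnel host) and a client-mode stunnel config with one service per member, and enforces the constraint that ports must be unique across the cluster. Member names, addresses, ports and the CA file path are constructed assumptions; the Geode members are assumed to have server-side SSL enabled, so stunnel only has to wrap the client side.

```python
from collections import Counter

# Constructed sample: Geode members in lan2 (names, addresses and ports are made up).
STUNNEL_IP = "10.1.0.5"  # stunnel host as seen from lan1 clients
CLUSTER = [
    ("locator1.lan2", "10.2.0.11", 10334),
    ("locator2.lan2", "10.2.0.12", 10335),
    ("server1.lan2", "10.2.0.21", 40404),
    ("server2.lan2", "10.2.0.22", 40405),
]


def duplicate_ports(members):
    """Ports used by more than one member. Must be empty: stunnel accepts on a
    single address, so it can only tell members apart by port."""
    counts = Counter(port for _, _, port in members)
    return sorted(p for p, n in counts.items() if n > 1)


def hosts_entries(members, stunnel_ip=STUNNEL_IP):
    """lan1 view of the split-horizon DNS: every locator/server name -> stunnel."""
    return [f"{stunnel_ip} {name}" for name, _, _ in members]


def stunnel_conf(members, stunnel_ip=STUNNEL_IP, ca_file="/etc/stunnel/geode-ca.pem"):
    """Client-mode stunnel: one [service] per member, accepting on the member's
    port and forwarding TLS to the member's real lan2 address (assumed CA path)."""
    dups = duplicate_ports(members)
    if dups:
        raise ValueError(f"ports must be unique across the cluster: {dups}")
    out = ["client = yes", f"CAfile = {ca_file}", "verifyChain = yes", ""]
    for name, ip, port in members:
        out += [
            f"[{name}]",
            f"accept = {stunnel_ip}:{port}",
            f"connect = {ip}:{port}",  # real address, not the split-horizon name (avoids a loop)
            f"checkHost = {name}",  # server certificate must match the member name
            "",
        ]
    return "\n".join(out)


if __name__ == "__main__":
    print("\n".join(hosts_entries(CLUSTER)))
    print(stunnel_conf(CLUSTER))
```

The stunnel host itself must resolve member names to their real lan2 addresses (or use the addresses, as here), since the split-horizon view is only for lan1 clients.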
