I am setting up HAProxy to load balance between two web servers. Some of the pages on the site require SSL. Stunnel is handling the https connections and passing them off to haproxy (Stunnel contains the cert). HAProxy will hand off requests to the web servers using http. Will containing the web servers and haproxy in an internal network be enough to be PCI compliant? Is there anything I need to watch out for?

Jeff Ferland
agabel

1 Answer

4.1 Use strong cryptography and security protocols (for example, SSL/TLS, IPSEC, SSH, etc.) to safeguard sensitive cardholder data during transmission over open, public networks.

Yes, your architecture is appropriate to the standard.

https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf

Jeff Ferland
  • If for some reason your link between HAProxy and the webservers needs to pass through an open network, you would need to route HAProxy to another stunnel (configured as a client) that forwards on to the webserver. – Manfre Feb 08 '12 at 20:06
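The chain described in the question and the comment above, written out as stunnel service definitions. This is an added example, not configuration from the original post; hostnames, ports, certificate paths and the internal CA are assumptions. With the second file in place, the HAProxy backend for web1 would point at 127.0.0.1:8081 rather than the web server directly.

```ini
; ===== File 1: stunnel.conf on the public-facing host (TLS termination) =====
; Browser -> stunnel:443 (TLS) -> HAProxy on loopback (plain HTTP)
; Assumed paths/ports; adjust to your deployment.
options = NO_SSLv2
options = NO_SSLv3

[https-in]
cert    = /etc/stunnel/site.pem       ; public certificate + private key
accept  = 443                         ; public HTTPS port
connect = 127.0.0.1:8080              ; HAProxy frontend, bound to loopback only

; ===== File 2: stunnel.conf on the HAProxy host (client-mode tunnel) =====
; Only needed if the HAProxy -> web server hop crosses an open network,
; which is what PCI DSS 4.1 requires to be encrypted.
; HAProxy backend: server web1 127.0.0.1:8081 instead of web1:80
[to-web1]
client  = yes
accept  = 127.0.0.1:8081              ; HAProxy connects here in plain HTTP
connect = web1.example.com:8443       ; assumed hostname of the web server
verify  = 2                           ; require a valid, trusted backend cert
CAfile  = /etc/stunnel/internal-ca.pem ; assumed internal CA; stops a spoofed endpoint

; ===== File 3: stunnel.conf on web1 (server-mode endpoint) =====
; Unwraps the tunnel and hands plain HTTP to the local web server.
[from-haproxy]
cert    = /etc/stunnel/web1.pem       ; cert issued by the same internal CA
accept  = 8443
connect = 127.0.0.1:80                ; web server listens on loopback only
```

Binding HAProxy and the web servers to loopback (or to a firewalled internal interface) keeps plain-HTTP traffic off any network an outside party can reach, which is the condition the accepted answer relies on.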