0

I am new to hosting in a datacenter. I would like to host my app in a datacenter (colocation). They can sell me only the bay I need. I would like to use an SSL reverse proxy:

SSL Reverse proxy + LoadBalancer <----> WebServer1 <----> WebServer2

If I let the SSL Reverse proxy do all the SSL job, everything between web servers and load balancer will not be secured.

My question is: since I will buy only 3 racks from the hosting service, how can the link between the web servers and the load balancer be secured from someone on the inside?

Thank you !

Mark Henderson
ironman

3 Answers

2

You could set up IPSec on your LAN to secure the network between the load balancers and your web servers.

As is often the case with security, there will be a trade-off -- you add complexity and also might make troubleshooting network problems more difficult. So you need to decide if it is worth it.

Kyle Brandt
1

Are you colocating your equipment or purchasing managed hosting? You mention colo, but if you're concerned about unencrypted data after doing SSL offload, then it sounds like you're doing managed hosting.

In the case of a colo where security is paramount (which it sounds like it is in your case) you would insist on physical security of your equipment - basically locks and keys. By doing this and ensuring your only connection to your provider/datacenter is your network provision, you can be sure that anything after that connection that you do within your environment is entirely secure.

In the alternate case, where you are purchasing hosting services such as dedicated servers, firewalls, l/b, networking etc, you can't really be 100% certain someone couldn't do a man-in-the-middle style attack by physically or virtually routing your non-SSL data thru some additional system.

If you ARE concerned about the security between your L/B and web servers, I don't see much point in stripping SSL and then re-adding an IPSEC VPN or similar. You would probably be better off allowing the SSL to pass thru completely to the web servers unhindered (except no doubt you want to use the reverse proxy functionality).

Andre Lackmann
  • You are right: there's no point in stripping SSL and then re-adding an IPSEC VPN or similar. I will colocate my equipment: I will not buy managed hosting. I will not buy an entire bay: just 4 racks. One for the L/B, three for the web servers. You suggest using locks and keys: can you please explain how you can secure the 4 boxes' network cables? – ironman Apr 16 '12 at 23:16
  • Well, you need physical security. So if you're colo, you need to buy an enclosure that only you have physical access to. Usually this would be at minimum a complete rack. Some larger colo customers have a cage installed to surround many racks. If you only need 4U or enough for your 4 servers, then you'll need to talk directly to a few hosting providers to see how they would manage your need for physical security. You might find you're too small a customer. – Andre Lackmann Apr 16 '12 at 23:34
1

If you're using Apache Httpd with mod_proxy as a reverse proxy, you can also connect to the Httpd front-end and the back-end web-server using HTTPS.

In this case, Httpd needs to be configured as an SSL client (so you need to tell it which CA certificates to trust). As documented in the introduction of the mod_proxy documentation, this can be done using the SSLProxy* directives.

In particular, you should set SSLProxyCACertificateFile (or ...Path) and SSLProxyCheckPeerCN on.

I haven't tried, but it looks like SSLProxyMachineCertificateFile is for the configuration of client certificates (the reverse proxy being the client). It would make sense to authenticate the reverse proxy to the back-end servers it's using.

(As suggested in another answer, a VPN solution might be easier to configure.)

Bruno
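A sketch of the setup described in the answer above, added here as an illustration and not taken from the answer or from the Apache project: the front-end re-encrypts to the back-ends, verifies their certificates, and presents a client certificate of its own. The hostnames, file paths and the private "internal CA" are assumptions; mod_ssl, mod_proxy, mod_proxy_http and mod_proxy_balancer (with an lbmethod module) are assumed to be loaded.

```apache
# --- Front-end: reverse proxy / load balancer -------------------------------
# Hostnames and paths are placeholders (assumptions, not from the page).
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/www.example.com.crt
    SSLCertificateKeyFile /etc/httpd/tls/www.example.com.key

    # Act as a TLS client towards the back-ends.
    SSLProxyEngine on
    # Trust only the CA that issued the back-end certificates.
    SSLProxyCACertificateFile /etc/httpd/tls/internal-ca.crt
    # SSLProxyVerify defaults to "none": the link would be encrypted but the
    # back-end would not be authenticated, so an interposed host could answer.
    SSLProxyVerify require
    SSLProxyVerifyDepth 1
    # Match the certificate against the back-end hostname. On httpd 2.4.5+
    # SSLProxyCheckPeerName supersedes SSLProxyCheckPeerCN and also checks
    # subjectAltName; on older versions only SSLProxyCheckPeerCN applies.
    SSLProxyCheckPeerCN on
    SSLProxyCheckPeerName on
    SSLProxyCheckPeerExpire on
    # Client certificate and unencrypted private key, concatenated in one PEM
    # file, used to authenticate this proxy to the back-ends.
    SSLProxyMachineCertificateFile /etc/httpd/tls/proxy-client.pem

    <Proxy "balancer://webfarm">
        BalancerMember "https://web1.internal.example:443"
        BalancerMember "https://web2.internal.example:443"
    </Proxy>
    ProxyPass        "/" "balancer://webfarm/"
    ProxyPassReverse "/" "balancer://webfarm/"
</VirtualHost>

# --- Back-end web server (repeat per server with its own certificate) -------
<VirtualHost *:443>
    ServerName web1.internal.example
    SSLEngine on
    SSLCertificateFile    /etc/httpd/tls/web1.internal.example.crt
    SSLCertificateKeyFile /etc/httpd/tls/web1.internal.example.key
    # Refuse any client that cannot present a certificate from the internal CA.
    SSLCACertificateFile /etc/httpd/tls/internal-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth 1
</VirtualHost>
```

Running `apachectl configtest` on each host after editing catches directive typos before a reload.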