SSL

Gerhard Schmidt schmidt at ze.tum.de
Mon Mar 14 13:00:23 CET 2011


On 14.03.2011 12:05, Kacper Wysocki wrote:
> On Mon, Mar 14, 2011 at 9:34 AM, Gerhard Schmidt <schmidt at ze.tum.de> wrote:
>> On 14.03.2011 08:55, Poul-Henning Kamp wrote:
>>> In message <4D7DC782.6050300 at ze.tum.de>, Gerhard Schmidt writes:
>>>
>>>> stunnel has the disadvantage that we lose the client IP information.
>>>
>>> Doesn't it set a header with this information ?
>>
>> It's a tunnel. It doesn't change the stream. As I said, we use pound because
>> it sets the header. But it's another daemon to run and to set up. Another
>> component that could fail. Integrating SSL in varnish would reduce the
>> complexity.
> 
> What you meant to say is "integrating SSL in Varnish would increase
> complexity".
> Putting that component inside varnish doesn't automatically make it
> infallible. As an added bonus, if SSL is in a separate process it
> won't bring the whole server down if it fails, if that's the kind of
> stuff you're worried about.

It does kill your service if your service is SSL based.

Managing more config and more daemons always increases the complexity.
More daemons increase the probability of failure and increase the monitoring
requirements.
More daemons increase the probability of security problems.
More daemons increase the amount of time spent keeping the system up to date.

It might increase the complexity of varnish but not of the system as a whole.

Regards
   Estartu


-- 
-------------------------------------------------
Gerhard Schmidt       | E-Mail: schmidt at ze.tum.de
TU-München	      | Jabber: estartu at ze.tum.de
WWW & Online Services |
Tel: 089/289-25270    |
Fax: 089/289-25257    | PGP public key on request

