Lots of server tools were made for private hosting. Behind your firewall, nobody knows you are naked.

But in 2013 it's Cloud time: everybody gets their own naked virtual server, flavored with some SaaS. Some major services, like memcached, recently got an authenticated version; REST ones can easily be put behind a proxy, but the others, with classical sockets, remain unauthenticated: patching protocols is painful.

UDP services don't like authentication: just use them on localhost, and forget mutualized (shared) hosting, LXC is now trendy. Mutualized hosting is like the subway; just use a light container, like a Velib (the Parisian bike as a service).

TCP services can easily handle some authentication. With a persistent connection it's easier: it's just a simple FSM (Finite State Machine). First the client gives some credentials, then the connection switches from the not-authenticated state to the authenticated state. If you like standards, use SASL, and don't bother with exotic mechanisms: just handle PLAIN authentication (carried over SSL, never in the clear), nothing beats a shared secret or SSL for security.

SSL is also a secret weapon: it replaces a classical socket with a secured one. SSL is a protocol which carries other protocols. SSL can authenticate with certificates, and magically adds authentication without modifying the guest protocol. SSL authentication is hard to use with public users, and you have to buy certificates. Inside your own hosting it's easier: you own the certificate authority, and you sign the certificates for the servers and the clients. OpenVPN is a good example of certificate authentication.

Easy-RSA provides simple tools to handle certificates with good practices. SSL is a complex beast; anything you do without understanding it can cause drama. Don't try to handle broken or weak solutions, just use the best: if you own both the client and the server side, you are the king of your mountain!

Stunnel provides a simple proxy for adding SSL communication to any client or server. Here are samples for authenticating the Carbon service from the Graphite project.

On a trusted computer, build your own PKI.

git clone git:///OpenVPN/easy-rsa.git

Edit the vars file, and set the information about your country and company.

source vars

The CA private key is the weakest link in your security chain, be careful with it: it never leaves the trusted computer, only the CA certificate is copied to the servers and clients.

Build a server certificate. The .key files are private keys, be kind with them (readable only by the account that runs the service).

Stunnel is an old beast, born when inetd still ruled servers, but don't be afraid, it's still the best tool. Watch for HAProxy 1.5: it will handle SSL, and challenge Stunnel the elder.

Use a simple config file, with contemporary settings, no compatibility tricks.

Here is a server config for wrapping the Carbon server.

# vim:ft=dosini

The client side is quite similar:

# vim:ft=dosini
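The whole procedure above, from the trusted-machine PKI to the Stunnel server config wrapping Carbon and the matching client config, as one added, self-contained example. It is not the page's own config (which is not reproduced here), nor code from the Graphite, Easy-RSA or Stunnel projects. It drives the openssl CLI directly instead of Easy-RSA, which wraps the same openssl calls, so it runs with openssl alone. Names, ports and paths are assumptions of this example: a CA named carbon-ca, a server certificate carbon-server, one client certificate client1, Carbon's plaintext line receiver on 127.0.0.1:2003, TLS on port 2443 (chosen to stay away from Carbon's 2004 pickle port), and a target host passed as an argument.

```shell
#!/bin/sh
# Added example: private PKI + stunnel configs for Carbon, built with the openssl CLI.
# Assumptions (not from the page): RSA 2048 keys, CA "carbon-ca", server cert "carbon-server",
# client cert "client1", Carbon plaintext receiver on 127.0.0.1:2003, TLS listener on port 2443.

# issue_cert DIR NAME EXTFILE : key + CSR for NAME, signed by the CA living in DIR
issue_cert() {
    dir=$1; name=$2; ext=$3
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=$name" \
        -keyout "$dir/$name.key" -out "$dir/$name.csr" >/dev/null 2>&1
    openssl x509 -req -days 365 -in "$dir/$name.csr" \
        -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
        -extfile "$dir/$ext" -out "$dir/$name.crt" >/dev/null 2>&1
    rm -f "$dir/$name.csr"
}

# build_pki DIR : CA, server and client certificates. Run it on the trusted computer:
# ca.key stays there, only ca.crt is copied to the Carbon host and the senders.
build_pki() {
    dir=$1
    mkdir -p "$dir"
    # Role-separated extensions: the server cert is only good for serverAuth and the client
    # cert only for clientAuth, so a leaked client cert cannot impersonate the Carbon server.
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > "$dir/server.ext"
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=clientAuth\n' > "$dir/client.ext"
    # self-signed CA, ten years
    openssl req -newkey rsa:2048 -nodes -subj "/O=Example/CN=carbon-ca" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" >/dev/null 2>&1
    openssl x509 -req -days 3650 -in "$dir/ca.csr" -signkey "$dir/ca.key" \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" >/dev/null 2>&1
    rm -f "$dir/ca.csr"
    issue_cert "$dir" carbon-server server.ext
    issue_cert "$dir" client1 client.ext
    chmod 600 "$dir"/*.key    # .key files are private keys: owner-only
}

# verify_pki DIR : each leaf chains to the CA and is usable only for its own role
verify_pki() {
    dir=$1
    openssl verify -CAfile "$dir/ca.crt" -purpose sslserver "$dir/carbon-server.crt" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.crt" -purpose sslclient "$dir/client1.crt" >/dev/null 2>&1 || return 1
    # the client certificate must NOT be accepted as a server certificate
    ! openssl verify -CAfile "$dir/ca.crt" -purpose sslserver "$dir/client1.crt" >/dev/null 2>&1
}

# write_stunnel_confs DIR SERVER_HOST : config for the Carbon host and for each sending host.
# verify = 2 on both sides: the server demands a client cert signed by our CA, the client
# refuses any server cert not signed by our CA (no public CA bundle is involved).
write_stunnel_confs() {
    dir=$1; host=$2
    cat > "$dir/stunnel-server.conf" <<EOF
# vim:ft=dosini
; Carbon host: terminate TLS on :2443, hand plaintext to the line receiver on localhost:2003
foreground = yes
options = NO_SSLv2
options = NO_SSLv3
ciphers = HIGH:!aNULL:!MD5
cert = $dir/carbon-server.crt
key = $dir/carbon-server.key
CAfile = $dir/ca.crt
verify = 2

[carbon]
accept = 0.0.0.0:2443
connect = 127.0.0.1:2003
EOF
    cat > "$dir/stunnel-client.conf" <<EOF
# vim:ft=dosini
; sending host: local plaintext :2003 is wrapped in TLS and forwarded to the Carbon host
client = yes
foreground = yes
options = NO_SSLv2
options = NO_SSLv3
ciphers = HIGH:!aNULL:!MD5
cert = $dir/client1.crt
key = $dir/client1.key
CAfile = $dir/ca.crt
verify = 2

[carbon]
accept = 127.0.0.1:2003
connect = $host:2443
EOF
}
```

Usage: `build_pki /tmp/carbon-pki && verify_pki /tmp/carbon-pki && write_stunnel_confs /tmp/carbon-pki graphite.example.com`, then run `stunnel stunnel-server.conf` on the Carbon host and `stunnel stunnel-client.conf` on each sender, whose Carbon writers keep talking plaintext to 127.0.0.1:2003. Only ca.crt and each host's own certificate and key get copied; ca.key never leaves the trusted computer. On a Stunnel 5 build, `verifyChain = yes` plus `checkHost = <server name>` on the client side pins the server name as well as the CA.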