I don't understand. I need reverse proxy with tls client certificate.
OpenBSD relayd can act as reverse proxy, but it doesn't have tls
client certificate verification.
OpenBSD httpd has tls client cert verification, but it can't act as reverse proxy.
I've seen relayd and TLS client cert verification http://openbsd-archive.7691.n7.nabble.com/relayd-and-TLS-client-cert-verification-td355673.html, and it seems that relayd can support tls client cert verification since Dec '18, anyway, I can't find anything about it in the current (May '19) OpenBSD relayd(8) man page.
OpenBSD moved the default http server from Nginx to httpd, to be used with relayd, anyway, they haven't achieved the full set of functionality of Nginx (yet).
I'm quite annoyed about this, anyway, I'm almost sure, or at least confident, that they'll achieve it.
I can implement with Nginx the "classic" https server with fast-cgi + https-to-http reverse proxy to websocket applications. But I tested httpd and relayd, and I would like to move to them.
Does anyone here know whether and when OpenBSD will offer reverse proxy + tls client cert verification?
Thank you very much in advance, regards
Related
I am new to server management and all that HTTP stuff. I am setting up an internal server for my home to serve websites internally, my website needs to register a service worker and for that, I'll need an SSL Certificate and HTTP connection, which seems impossible in my case as all localhost or internal IPs are served over HTTP with untrusted SSL Certificates.
If anyone could suggest a way around serving websites over HTTPS with trusted certificates so that service worker can be used.
Note: I'll be using Xampp Apache for my Linux server with a static internal IP.
If you need 'trusted cert for any client', I may say "no way".
But if you need 'trusted cert for your client only', you have a way to do that.
I guess you published self-ssl cert for your Apache. In the case, you just install the cert into your client.
example: The following link tell us the case of client = Chrome on Windows.
https://peacocksoftware.com/blog/make-chrome-auto-accept-your-self-signed-certificate
If you use any programming language as a client, you may need another way to install the cert.
My server has a main site which have SSL certificate installed. There is also a linux management panel which runs on port 8080 that does not support SSL. What I want is that the traffic from the client to CloudFlare is encrypted with CloudFlare's certificate, but leave the connection from CDN to my VPS server non-secure. Right now the SSL/TLS encryption mode is set to flexible, edge certificates shows active, and also I've turned off "always use https". When i tried to access the 8080 port with https prefix however I couldn't get through. Can someone offer me a way to acheive this: traffic from client to CDN encrypted, while CDN connects unsecured to my server. PS: I'm using the free plan of CloudFlare and since it's a personal site and I do not want to induce extra cost, hope I can solve this with in the free plan.
There are two ways to solve your problem using Cloudflare without any additional cost.
First of all turn ON always use HTTPS
Changing Flexible to Full in SSL/TLS setting in Cloudflare (Simple Way, No need any other setup in your server).
Which will encrypt the data transfer from Cloudflare to your server using a self-signed certificate.
Changing Flexible to Full(Strict) in SSL/TLS setting in Cloudflare (Need some work in your server).
For Full(Strict), Go to your origin server tab in SSL/TLS and press create a certificate to get your SSL Certificate. But this certificate is only valid between your server and cloudflare.
Then you need to install those certificates on your server.
Additional Steps(As you don't have an HTTPS setup in your VPS):
As you are using the port in your Webserver. So reverse proxy your application running on port 8080 using Apache, Nginx on the port 443. Check this answer for some idea.
TLS handshake for some websites is really slow. (Let it be www.example.com) (I don't own the website)
I was thinking if I could self sign certificate for www.example.com, this could speed up the process (something similar to --no-check-certificate in wget)
PS: I'm aware of the potential security risks associated.
You cannot directly provide your own certificate for the TLS handshake with a website you don't control.
But you might have some SSL intercepting proxy where the connection between this MITM proxy and the client is authenticated by your custom certificate. Only, the connection between the proxy and the server is still authenticated by the servers original certificate, so you've likely just moved the slow handshake problem from your client to your proxy but will be ultimately affected by it the same way.
https://www.playframework.com/documentation/2.3.1/ConfiguringHttps describes, in detail, how to implement SSL in Play Framework 2.3.x
However, I am wondering how to implement TLS 1.2 in Play Framework, do I also need something like Nginx?
I am fairly new to this subject. https://luxsci.com/blog/ssl-versus-tls-whats-the-difference.html shows us that SSL is older than TLS. I have heard that SSL is not secure any more, that's why I ask this question.
Nginx support TLS 1.2 without problems (check parameter "ssl_protocols"). Forget about SSL v2 and SSL v3, it is not secure, but most browsers support TLS v1.2, TLSv1.1 and TLS v1.
You can use Nginx as proxy, and configure HTTPS on nginx. Nginx has many usefull options, it can fast serving static files and proxying all other request to "play" application (to TCP port or to socket).
In your link there is information that you can run Play with HTTPS, so there is no need to use nginx, but I agreee with this part:
(..) using a reverse proxy in front of Play will give better control
and security of HTTPS.
I am planning to disable SSL protocol in my site and moving to the TLS secure protocol. I will be making the configuration change in httpd. Does it require any changes to the server and client certificates or credentials which are already in place?
No it doesn't. Only the supportedProtocols needs to change.