m (→OCSP Stapling)
| Line 301: | Line 301: | ||
The default configuration of ELBs doesn't enable the correct ciphers or versions of TLS. This can be done by hand in the Web Console, but is tedious. Gene Wood, from Identity Ops, wrote a script that configures the proper TLS policy on ELB: https://github.com/mozilla/identity-ops/blob/master/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py | The default configuration of ELBs doesn't enable the correct ciphers or versions of TLS. This can be done by hand in the Web Console, but is tedious. Gene Wood, from Identity Ops, wrote a script that configures the proper TLS policy on ELB: https://github.com/mozilla/identity-ops/blob/master/aws-tools/apply_security_assurance_elb_ciphersuite_policy.py | ||
Because of the lack of server side ordering, it is preferable to terminate TLS connection on something than ELBs. ELBs can be used at layer 4 to load balance TCP connections, and terminate SSL on Nginx, Apache or any suitable TLS stack. | Because of the lack of server side ordering, it is preferable to terminate TLS connection on something else than ELBs. ELBs can be used at layer 4 to load balance TCP connections, and terminate SSL on Nginx, Apache or any suitable TLS stack. | ||
When using ELBs as L4 load balancer, the following limitations apply: | When using ELBs as L4 load balancer, the following limitations apply: | ||
* Client IP will be hidden to the backend servers. The application behind the ELB will only see the IP of the ELB. Headers such as X-Forwarded-For cannot be used to store the client IP, because the ELB does not decrypt the SSL. | * Client IP will be hidden to the backend servers. The application behind the ELB will only see the IP of the ELB. Headers such as X-Forwarded-For cannot be used to store the client IP, because the ELB does not decrypt the SSL. | ||
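Review bot: the wording fix in the second paragraph ("something else than ELBs") is still unidiomatic; "something other than ELBs" reads correctly, and the same sentence should say "terminate TLS connections" (plural) and "terminate TLS" rather than "terminate SSL", so that it matches the TLS terminology used in the first paragraph and in the bullet that follows. In the first bullet, "hidden to the backend servers" should be "hidden from the backend servers".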