SSL/TLS Termination, TLS Forward Proxy Pros and Cons

Views: 30,879

Hussein Nasser


A TLS termination proxy is a proxy that terminates the TLS session and sends unencrypted traffic to the main server. This offloads the complex TLS crypto from the main server to the proxy so the main server can do what it does best: serve.
In this video we will discuss the pros and cons of TLS termination proxies.
- TLS 1.2
- TLS Termination Proxy
- TLS Forward Proxy
- Pros and Cons
  - Pros
    - Offload crypto to the proxy instead of the main servers (no longer a problem)
    - Have the TLS session close to the client
    - Decrypt data so HTTP accelerators like Varnish can function correctly
    - Allow an intrusion detection system to analyse traffic
    - Load balancers can make better decisions on the data (Layer 7)
    - Service mesh in a microservices architecture
  - Cons
    - If the proxy is compromised, the attacker gains access to all data.
    - Limited by the maximum number of connections on the proxy.
jump codes
2:00 TLS 1.2
4:00 TLS Termination Proxy
6:00 TLS Forward Proxy
9:00 Pros and Cons
cards
2:20 TLS • Transport Layer Securi...
3:49 Encryption • Symmetrical vs asymmet...
12:50 Denial of Service • Denial of Service Atta...
15:20 Layer 4 vs Layer 7 Load Balancing • Load balancing in Laye...
Stay Awesome!
Hussein
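
The TLS termination proxy and the Layer 7 point from the list above can be seen in an nginx configuration, set beside a Layer 4 pass-through listener for contrast. This is an added example, not taken from the video: the host name, addresses, ports and certificate paths are placeholders, and the `stream` block assumes an nginx build that includes the stream module.

```nginx
# Constructed example: all names, addresses and paths are placeholders.
events {}

# Layer 7: TLS termination. nginx holds the certificate and private key,
# completes the handshake with the client and sees plaintext HTTP.
http {
    upstream app_servers {
        server 10.0.0.11:8080;   # backends speak plain HTTP (assumed addresses)
        server 10.0.0.12:8080;
    }

    server {
        listen 443 ssl;
        server_name www.example.test;

        ssl_certificate     /etc/nginx/tls/example.crt;
        ssl_certificate_key /etc/nginx/tls/example.key;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            # The request is decrypted here, so routing on path or headers,
            # caching and traffic inspection are possible. It also means
            # this host sees every request and response in the clear.
            proxy_pass http://app_servers;
            proxy_set_header Host              $host;
            proxy_set_header X-Forwarded-For   $remote_addr;
            proxy_set_header X-Forwarded-Proto https;
        }
    }
}

# Layer 4: pass-through. nginx has no key for this traffic and forwards
# the encrypted bytes; the backend terminates TLS itself.
stream {
    upstream tls_backends {
        server 10.0.0.21:443;
    }

    server {
        listen 8443;
        proxy_pass tls_backends;   # no HTTP awareness, no decryption
    }
}
```

The hop from the `http` block to `app_servers` carries plaintext, which is why the private key and the proxy host itself are the assets to protect in the termination design.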

Comments: 37
@hnasr 4 years ago
TLS Termination is a critical feature of any layer 7 proxy. Here are some Pros & Cons
🖌 Offloads Crypto from backend
🖌 Caching (e.g. Varnish)
🖌 Intrusion detection system
🖌 Load Balancing and Service Mesh
🖍 Limited by the Max Conn. of the Proxy
🖍 Dangerous when compromised
@Cdswjp 3 years ago
thanks for not having a boring introduction in your video & getting straight to the point
@learnityourself 4 years ago
Thanks, Hussein, this is one of the best videos on TLS termination on the web.
@duketekdeveloper 4 years ago
Really good stuff man. Very clear and straightforward.
@brette 4 years ago
The most clear explanation I have seen.
@geocmastr 4 years ago
One con I can think of right now is that special services (e.g. downloading patch/upgrade packages) for your servers do not work well if you have a proxy in the middle from a different vendor. Kudos for this excellent explanation!
@hnasr 4 years ago
Jorge Orozco exactly! That is a perfect example of a layer 7 proxy having to “know” the protocol being proxied. A layer 4 proxy will blindly work because it doesn’t terminate the connection; it merely streams it back to the backend. Thanks Jorge!
@tharunrocky14 3 years ago
Thank you. All of your videos are helpful. You're awesome! Please keep going!
@hnasr 3 years ago
I am glad. It is my goal to help with what I know 😊
@n.w.aicecube5713 4 years ago
Clear explanation and points about the subject. Thanks Hussein
@FordExplorer-rm6ew 4 years ago
Thank you, this is actually useful. Vs what a lot of people do, which is usually just a money grift.
@user-th6nh5ed6k 5 months ago
What measures are in place to safeguard confidential data of the end user using a connection through a proxy, such as authentication and personal data?
@hashcoeur 10 months ago
thanks Hussein, you have taught me a lot. I also did your courses.
@abdelrhmanahmed1378 1 year ago
For load balancing, do we really need TLS termination? The header is not encrypted, only the content, so I can look at the header and see what I want to see, right?
@anas021991 1 year ago
Hello Hussein, thank you for the content you have been posting. Would it be possible for you to make a video on HAR captures and Fiddler with some examples along with the core concepts?
@thannasip8001 3 years ago
Hi bro, is it possible to terminate SSL at the Zuul gateway? If not, any suggestions?
@sunny-14689 1 year ago
Does the SSL termination happen at the API Gateway, i.e. is a proxy the same as an API Gateway?
@dearvivekkumar 3 years ago
Hi, I am confused about the internals of how reverse proxy, inbound requests, and outbound requests work. I have an appliance server sitting behind an Nginx reverse proxy (http2 enabled). So all the API calls made to the appliance server will go through Nginx. Here Nginx will do the SSL/TLS termination etc. Till here I am able to understand and visualize what is going on for all the incoming requests to my server. Now when the application server makes a request (outbound), can we tunnel it through Nginx?
@chengdongliao9875 3 years ago
Not an nginx user, but I guess you can tailor nginx as a forward proxy for your application server with tunnel enabled for HTTPS traffic...
@dangaines405 2 years ago
Week done!
@adrian-g 4 years ago
Good stuff!
@piratevv 4 years ago
Fantastic
@chengdongliao9875 3 years ago
A little bit confusing. I previously thought a TLS forward proxy is forward proxy + tunnel for HTTPS, where the client still does the TCP/TLS handshake with the target server via the tunnel. What is the name of this forward proxy, or do we call it an HTTPS forward proxy?
@MrAlazawi 1 year ago
With the presence of a forward proxy, the client does not handshake with the target server unless you make an exception for that specific communication. The client will always talk only to the proxy; the proxy sees the traffic from the client in clear text, then starts a TLS handshake with the targeted server and asks for the data, then gets it, sees it in clear text and retransmits it to the client after encrypting it.
@N1NJAKIDD 4 years ago
Hi, great vid. What if you use a proxy to do SSL termination on the actual webserver, so all the data is passed internally? I know HAProxy allows you to do this.
@hnasr 4 years ago
That is also a good idea. The only problem I see with this is scaling. You will have to scale both the web server and the TLS termination, which is something you won’t necessarily want to do... This will also force you to add another layer of load balancer in front, probably a layer 4 or keepalived kind of configuration.
@-haris 4 years ago
TLS Forward Proxy, is this what Cloudflare does? As Cloudflare cannot decrypt data, it adds its own SSL for use between the client and Cloudflare, and then uses the previous SSL certificate between Cloudflare and the origin server?
@hnasr 4 years ago
It depends. Are you physically specifying Cloudflare as an HTTPS proxy on your machine? If yes, then yes, they terminate TLS and make the request on your behalf and cache and do all that pretty stuff. But they can also in this case see the content, which is something you might not want. If you are not using an HTTPS proxy, then you are governed by the rule of the destination server: “end to end encrypted”, Cloudflare can’t see the content. That being said, if you hosted your website on Cloudflare then they can cache your content on edge servers, and yes, edge servers that are closer to you must be TLS terminators by design. But if your website is hosted on GoDaddy then they can’t do much about it. They don’t see any content even if you used Cloudflare as DNS. Hope that helps 😊
@geomagazine_khalid 4 years ago
Hi. Can you help me to create DLL file using Visual Studio? I have already a decompiled code from a DLL and has updated it in a txt file.
@raghuvallikkat3384 3 years ago
can you please cover DoS and how to handle that DoS attack?
@hnasr 3 years ago
kzbin.info/www/bejne/anqapYONbdSZaMk
@raghuvallikkat3384 3 years ago
@hnasr Thanks. One piece that is missing is how do we handle such attacks on the server side?
@cabletvandinternetworldser5409 4 years ago
Do some new videos CGi
@bountyproofs 1 month ago
The best name ever HUSSEIN i hope you understand
@husseintheprofortniteplaye4030 4 years ago
He has the same name as me but he has 2 s in naser
@funkzsnoopy 25 days ago
You repeat or get stuck with the point a lot. But thanks for the tutorial.