SSL/TLS Termination, TLS Forward Proxy Pros and Cons

Рет қаралды 32,711

Күн бұрын

Пікірлер: 37

@hnasr 4 жыл бұрын

TLS Termination is a critical feature of any layer 7 proxy. Here are some Pros & Cons 🖌 Offloads Crypto from backend 🖌 Caching (eg. Varnish) 🖌 Intrusion detection system 🖌 Load Balancing and Service Mesh 🖍 Limited by the Max Conn. of the Proxy 🖍 Dangerous when compromised

@geocmastr 4 жыл бұрын

One con I can think of right now is that special services ( e.g. downloading patch/upgrade packages) for your servers do not work well if you have a proxy in the middle from a different vendor. Kudos for this excellent explanation!

@hnasr 4 жыл бұрын

Jorge Orozco exactly! that is a perfect example of a layer 7 proxy having to “know” the protocol being proxied. A layer 4 proxy will blindly work because it doesn’t terminate the connection it merely streams it back to the backend. Thanks Jorge!

@learnityourself 4 жыл бұрын

Thanks, Hussein this is one of the best video on TLS termination on the web.

@Cdswjp 3 жыл бұрын

thanks for not having a boring introduction in your video & getting straight to the point

@hashcoeur Жыл бұрын

thanks Hussein, you have taught me a lot. I also did your courses.

@tharunrocky14 4 жыл бұрын

Thank you. All of your videos are helpful. You're awesome! Please keep going!

@hnasr 4 жыл бұрын

I am glad it is my goal is to help with what i know 😊

@brette 4 жыл бұрын

The most clear explanation I have seen.

@FordExplorer-rm6ew 5 жыл бұрын

Thank you this is actually useful. Vs what alot of people do, which is usually just a money grift.

@duketekdeveloper 4 жыл бұрын

Really good stuff man. Very clear and straight forward

@n.w.aicecube5713 4 жыл бұрын

clear explain and points about the subject. Thanks Hussein

@MatiasSosa-h9m 10 ай бұрын

What measures are in place to safeguard confidential data of the end user using a connection through a proxy, such as authentication and personal data?

@anas021991 2 жыл бұрын

Hello Hussein thank you for the content you have been posting. Would it be possible if you can make a video on HAR captures and Fiddler with some example along with core concept.

@dangaines405 2 жыл бұрын

Week done!

@abdelrhmanahmed1378 2 жыл бұрын

for load Balancing do we really need tls termination , the header is not encrypted, only the content so i can look at the header and see what i want to see right ?

@sunny-14689 2 жыл бұрын

Does the SSL termination happen at API Gateway i.e is proxy same as API Gateway

@piratevv 4 жыл бұрын

Fantastic

@N1NJAKIDD 4 жыл бұрын

Hi great vid. What if you use a proxy to do ssl termination on the actual webserver, so all the data is passed internally. I know HAProxy allows you to do this

@hnasr 4 жыл бұрын

That is also a good idea. Only problem I see with this scaling. You will have to scale both the web server and the tls termination which is something you won’t necessarily want to do... this also will force you to add another layer of load balancer on front probably a layer 4 or keepalived kind of configuration

@dearvivekkumar 4 жыл бұрын

Hi I am confused about the internal how reverse proxy, inbound request, and outbound request work. I have an appliance server sitting behind Nginx reverser proxy (http2 enabled). So all the API made to the appliance server will go through the nginx. Here Nginx will do the SSL/TLS termination etc. Till here I am able to understand and visualize what is going on for all the incoming requests to my server. Now when the application server will make a request (outbound), can we tunnel it through Nginx?

@chengdongliao9875 4 жыл бұрын

not a nginx user, but I guess you can tailor the nginx as a forward proxy for your application server with tunnel enabled for https traffic...

@chengdongliao9875 4 жыл бұрын

A little bit confusing, I previously thought TLS forward proxy is forward proxy + Tunnel for HTTPs, the client still TCP/TLS handshakes with targert server via tunnel. What is the name of this forward proxy, or call it HTTPs forward porxy?

@MrAlazawi 2 жыл бұрын

with the presence of a forward proxy the client does not handshake with the target server unless you make an exception for that specific communication, the client will always talk only to the proxy, the proxy see the traffic from client in clear text then will start tls handshake with the targeted server and asks for data and then will get it sees it in clear text and retransmit it to client after encrypting it.

@adrian-g 4 жыл бұрын

Good stuff!

@thannasip8001 4 жыл бұрын

Hi bro,is it possible to terminate ssl at zuul gateway? If not any suggestion?

@-haris 4 жыл бұрын

TLS Forward Proxy is this what cloudflare does? as cloudflare cannot decrypt data so it adds its own SSL for use between the client and cloudflare , and then uses the previous ssl certificate between cloudflare and the origin server?

@hnasr 4 жыл бұрын

It depends. Are you physically specifying Cloudflare as an HTTPS proxy on your machine? If yes then yes they terminate TLS and make the request in your behalf and cache and do all those pretty stuff. But they can also in this case see the content which is something you might not want. If you are not using an HTTPS proxy, then you are governed by the rule of the destination server. “end to end encrypted “ cloudflare can’t see the content That being said, if you hosted your website on Cloudflare than they can cache your content on edge servers and yes edge servers that are closer to you must be TLS terminator s by design But if your website is hosted on godaddy then they can’t do much about it. They don’t see any content even if you used Cloudflare as DNS Hope that helps 😊