>>>>> On Tue, 12 Mar 2013 18:57:01 +0400, Konstantin Khomoutov said:
>
> I have had a Bacula installation on my corporate LAN for some time,
> and since this is a LAN I did not bother with setting up TLS.
>
> Now a need emerged to back up exactly one remote client (it's
> actually a VPS). For some reason Bacula appears to be a rather
> suitable thing to employ for this task, except for one thing: since
> this client is accessible via the Internet, all communications have to be
> secure, hence employing TLS appears to be a way to go.
>
> As far as I understand it, backing up a client goes like this:
> 1) The Director contacts the FD and tells it to upload such and such
> files to a specific SD. It tells the FD which SD and also passes
> it a special cookie to authenticate against that SD.
> 2) The FD contacts the SD and uploads its stuff.

Correct (plus the Director contacts the SD before step 1).

> So I should have the Director->FD and FD->SD communications protected
> by TLS. This means that FD should have TLS enabled for both inbound and
> outgoing connections, and SD should listen on a port with TLS enabled.
>
> The problem is that I thought it would be possible to enable TLS only on
> that one remote FD and add a TLS-enabled "listener" to my local SD,
> and leave the LAN intact. So I imagined I would set up TLS on the
> remote FD, do the same in the appropriate Client resource in my
> Director, and set up the second Storage resource in my SD config,
> listening on a different port and having TLS enabled *only there.*
>
> Unfortunately, SD says there can be only one Storage resource in the SD
> configuration file. So it now appears that TLS in Bacula supposes an
> all or nothing approach.

Did you look at the TLS Require directive? It seems to allow for optional
TLS.

> I also know about stunnel, but I'm hesitant to use it due to these
> reasons:
> 1) At least two stunnel instances will be required to be set up and
> maintained.
> 2) Using stunnel involves unnecessary copying of (lots of) data.

You could overcome 1 by using a single ssh command with the -L and -R options
to make the tunnels.

__Martin
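
An added configuration sketch of the optional-TLS arrangement suggested in the reply above; it is not from the thread or from the Bacula project. It relies on the documented behaviour that a daemon with `TLS Enable = yes` and `TLS Require = no` accepts peers with or without TLS, while `TLS Require = yes` refuses non-TLS connections. All resource names, host names, CNs and file paths are placeholders, and only the TLS-related directives are shown; the rest of each resource stays as it is.

```conf
# --- bacula-sd.conf on the LAN (single Storage resource) ---
Storage {
  Name = lan-sd                          # placeholder name
  TLS Enable = yes                       # offer TLS to FDs that ask for it
  TLS Require = no                       # LAN FDs without TLS keep working in cleartext
  TLS CA Certificate File = /etc/bacula/tls/ca.pem        # placeholder paths
  TLS Certificate = /etc/bacula/tls/sd-cert.pem
  TLS Key = /etc/bacula/tls/sd-key.pem
}

# --- bacula-fd.conf on the remote VPS ---
Director {                               # inbound: Director -> FD
  Name = lan-dir                         # placeholder name
  TLS Enable = yes
  TLS Require = yes                      # refuse a cleartext Director connection
  TLS Verify Peer = yes                  # request and check the Director's certificate
  TLS Allowed CN = "director.example.org"                 # placeholder CN
  TLS CA Certificate File = /etc/bacula/tls/ca.pem
  TLS Certificate = /etc/bacula/tls/fd-cert.pem
  TLS Key = /etc/bacula/tls/fd-key.pem
}
FileDaemon {                             # outbound: FD -> SD
  Name = vps-fd                          # placeholder name
  TLS Enable = yes
  TLS Require = yes                      # never fall back to cleartext over the Internet
  TLS CA Certificate File = /etc/bacula/tls/ca.pem
}

# --- bacula-dir.conf: Client resource for the VPS only ---
Client {
  Name = vps-fd
  Address = vps.example.org              # placeholder host name
  TLS Enable = yes
  TLS Require = yes                      # Director refuses to talk to this FD without TLS
  TLS CA Certificate File = /etc/bacula/tls/ca.pem
  TLS Certificate = /etc/bacula/tls/dir-cert.pem          # presented to the FD (Verify Peer)
  TLS Key = /etc/bacula/tls/dir-key.pem
}
```

Because the SD only offers TLS, the protection of the VPS traffic rests on `TLS Require = yes` in the remote FD's own resources; the LAN clients' resources are left unchanged.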
_______________________________________________
Bacula-users mailing list
Bacula-users AT lists.sourceforge DOT net
https://lists.sourceforge.net/lists/listinfo/bacula-users