Bacula-users

Re: [Bacula-users] Using TLS only for one specific client -- it is possible?

2013-03-13 08:42:13
Subject: Re: [Bacula-users] Using TLS only for one specific client -- it is possible?
From: Martin Simmons <martin AT lispworks DOT com>
To: bacula-users AT lists.sourceforge DOT net
Date: Wed, 13 Mar 2013 12:39:00 GMT
>>>>> On Tue, 12 Mar 2013 18:57:01 +0400, Konstantin Khomoutov said:
> 
> I have had a Bacula installation on my corporate LAN for some time,
> and since this is a LAN I did not bother with setting up TLS.
> 
> Now a need emerged to back up exactly one remote client (it's
> actually a VPS).  For some reason Bacula appears to be a rather
> suitable thing to employ for this task, except for one thing: since
> this client is accessible via the Internet, all communications have to be
> secure, hence employing TLS appears to be a way to go.
> 
> As far as I understand it, backing up a client goes like this:
> 1) The Director contacts the FD and tells it to upload such and such
>    files to a specific SD.  It tells the FD which SD and also passes
>    it a special cookie to authenticate against that SD.
> 2) The FD contacts the SD and uploads its stuff.

Correct (plus the Director contacts the SD before step 1).


> So I should have the Director->FD and FD->SD communications protected
> by TLS.  This means that FD should have TLS enabled for both inbound and
> outgoing connections, and SD should listen on a port with TLS enabled.
> 
> The problem is that I thought it would be possible to enable TLS only on
> that one remote FD and add a TLS-enabled "listener" to my local SD,
> and leave the LAN intact.  So I imagined I would set up TLS on the
> remote FD, do the same in the appropriate Client resource in my
> Director, and set up the second Storage resource in my SD config,
> listening on a different port and having TLS enabled *only there.*
> 
> Unfortunately, SD says there can be only one Storage resource in the SD
> configuration file.  So it now appears that TLS in Bacula supposes an
> all-or-nothing approach.

Did you look at the TLS Require directive?  It seems to allow for optional
TLS.


> I also know about stunnel, but I'm hesitant to use it due to these
> reasons:
> 1) At least two stunnel instances will be required to be set up and
>    maintained.
> 2) Using stunnel involves unnecessary copying of (lots of) data.

You could overcome 1 by using a single ssh command with the -L and -R options
to make the tunnels.

__Martin
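An added configuration sketch (not from this thread and not Bacula's shipped sample config) of the per-client layout that the TLS Require directive makes possible: the single SD Storage resource enables TLS but does not require it, so LAN clients keep connecting in the clear on the same port, while the remote FD and its Client resource in the Director require TLS on both legs. Resource names, host names, and certificate paths are assumptions.

```conf
# bacula-sd.conf on the LAN: the one Storage resource accepts both TLS and
# plaintext FDs on one port (TLS Require is ignored unless TLS Enable = yes).
# This side deliberately does not require TLS; the remote FD does, so a
# misconfigured VPS client fails loudly instead of falling back to plaintext.
Storage {
  Name = lan-sd                      # assumed name
  SDPort = 9103
  TLS Enable = yes
  TLS Require = no
  TLS CA Certificate File = /etc/bacula/ca.pem   # assumed paths
  TLS Certificate = /etc/bacula/sd.pem
  TLS Key = /etc/bacula/sd.key
}

# bacula-dir.conf: only the remote Client resource carries TLS directives
# (they govern the Director -> FD leg); the LAN clients stay as they were.
Client {
  Name = vps-fd                      # assumed name
  Address = vps-fd.example.com       # assumed host
  FDPort = 9102
  Password = "<fd-password-placeholder>"
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/ca.pem
  TLS Certificate = /etc/bacula/dir.pem
  TLS Key = /etc/bacula/dir.key
}
Client {
  Name = lan-box-fd                  # unchanged LAN client, no TLS directives
  Address = lan-box.example.internal
  FDPort = 9102
  Password = "<fd-password-placeholder>"
}

# bacula-fd.conf on the VPS: the Director resource covers the inbound
# Director connection, the FileDaemon resource covers the outbound
# connection to the SD. Both require TLS, so neither leg can run in the clear.
Director {
  Name = lan-dir                     # assumed name, must match the Director
  Password = "<fd-password-placeholder>"
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/ca.pem
  TLS Certificate = /etc/bacula/fd.pem
  TLS Key = /etc/bacula/fd.key
}
FileDaemon {
  Name = vps-fd
  FDPort = 9102
  TLS Enable = yes
  TLS Require = yes
  TLS CA Certificate File = /etc/bacula/ca.pem
  TLS Certificate = /etc/bacula/fd.pem
  TLS Key = /etc/bacula/fd.key
}
```

The Director's own Storage resource (Director -> SD on the LAN) can be left without TLS directives or given TLS Enable = yes / TLS Require = no; the SD above accepts either.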
