Jonathan Oliver's questions

I'm trying to get HAproxy 1.5.x to trust any certificate authority already in the trust store of the machine (/etc/ssl/certs) without having to explicitly specify the individual ca-file root authority certificate to be trusted. I want to avoid the scenario of a given backend server using a certificate issued by a different authority and causing an outage because that backend server is no longer trusted--despite the CA being in the machine trust store.

Within a given backend section of the haproxy.cfg file, the server line has an option called ca-file. This option instructs HAproxy to verify the authority of the backend's server certificate using the authority provided. The trouble is that this points to a single CA.

I found the ca-base option. Unless I'm mistaken, this is only a shortcut to avoid having to specify the full path of the ca-file at each declaration.

I'm running legacy applications in which I do not have access to the source code. These components talk to each other using plaintext on a particular port. I would like to be able to secure the communications between the two or more nodes using something like stunnel to facilitate peer-to-peer communication rather than using a more traditional (and centralized) VPN package like OpenVPN, etc.

Ideally, the traffic flow would go like this:

1. app@hostA:1234 tries to open a TCP connection to app@hostB:1234.
2. iptables captures and redirects the traffic on port 1234 to stunnel running on hostA at port 5678.
3. stunnel@hostA negotiates and establishes a connection with stunnel@hostB:4567.
4. stunnel@hostB forwards any decrypted traffic to app@hostB:1234.

In essence, I'm trying to set this up to where any outbound traffic (generated on the local machine) to port N forwards through stunnel to port N+1, and the receiving side receives on port N+1, decrypts, and forwards to the local application at port N.

I'm not particularly concerned about losing the hostA origin IP address/machine identity when stunnel@hostB forwards to app@hostB because the communications payload contains identifying information.

The other trick in this is that normally with stunnel you have a client/server architecture. But this application is much more P2P because nodes can come and go dynamically and hard-coding some kind of "connection = hostN:port" in the stunnel configuration won't work.

EDIT: One other possibility might be configuring some kind of default route such that outbound traffic to port N is forwarded through stunnel configured as a gateway...

I wanted to get an idea if anything like the following scenario was possible:

Nginx handles a request and routes it to some kind of authentication application where cookies and/or other kinds of security identifiers are interpreted and verified. The app perhaps makes a few additions to the request (appending authenticated headers). Failing authentication returns an HTTP 401.

Nginx then takes the request and routes it through an authorization application which determines, based upon identity and the HTTP verb (put, delete, get, etc.) and URL in question, whether the actor/agent/user has permission to performed the intended action. Perhaps the authorization application modifies the request somewhat by appending another header, for example. Failing authorization returns 403.

(Wash, rinse, repeat the proxy pattern for any number of services that want to participate in the request in some fashion.)

Finally, Nginx routes the request into the actual application code where the request is inspected and the requested operations are executed according to the URL in question and where the identity of the user can be captured and understood by the application by looking at the altered HTTP request.

Ideally, Nginx could do this natively or with a plugin. Any ideas?

The alternative that I've considered is having Nginx hand off the initial request to the authentication application and then have this application proxy the request back through to Nginx (whether on the same box or another box).

I know there are a number of applications frameworks (Django, RoR, etc.) that can do a lot of this stuff "in process", but I was trying to make things a little more generic and self contained where different applications could "hook" the HTTP pipeline of Nginx and then participate in, short circuit, and even modify the request accordingly.

If Nginx can't do this, is anyone aware of other web servers that will perform in the manner described above?

I have a business use case and workflow where local/instance/ephemeral storage for an EC2 instance is ideal. Unfortunately I'm coupled to a Windows platform for this particular task and the EC2 Windows offering appears to have some deficiencies related to AMI creation.

In essence, I'm trying to figure out if there's a way to attach local instance storage to a Windows EC2 instance using the typical command line interface (because the Amazon Website GUI doesn't support it) and then to somehow create an AMI based upon that. I've tried creating a snapshot and then creating a Windows AMI based upon the snapshot, but of course the docs say this is unsupported and makes an unbootable AMI.

In short, here's what I'm trying to do:

1. Be able to run a Windows instance (EBS/S3 instance doesn't matter)
2. Attach local instance storage as drive D:
3. Persist that configuration as an AMI such that I can start lots of them as necessary from either the GUI, command line, or REST API.
4. Be able to take a launched instance, update software, shutdown, and create another AMI based upon that.
5. Wash, rinse, repeat.

One other potential option which isn't horrible, but isn't ideal is to create an AMI which has 2 EBS volumes already attached (system+apps and data). Essentially, every time I startup an instance based upon the AMI it'll create 2 new EBS volumes of pre-determined size. I'm trying to avoid that scenario if possible.

As part of our development workflow, we would like to have our build server publish our compiled binaries and other build artifacts to some LAN-based, replicated file system. Ideally, we'd just have our build server drop the build artifacts into a folder according to the build version and the contents of that folder would be replicated to each developer workstations locally. Once published, each build is static and does not change. We don't have strong consistency requirements, we only need the files to be available on each developer workstation within a minute or so. All machines are Linux-based.

The easiest solution is probably a NAS with a rsync+cron, but that feels clunky. Is there another distributed/replicated file system that supports the above requirements? We looked at doing Amazon S3 + s3fs, but that was painfully slow.

In many ways this feels like traditional mirroring from an authoritative source in a webserver scenario, e.g. www1, www2, etc.