A Welcome SSL Stay of Execution

Tue Oct 21 17:52:58 EDT 2014

Tags: ssl

As you likely know from the torrent of posts on Planet Lotus on the topic, IBM announced a hopefully imminent pair of updates to cover the two main SSL issues that have come to the fore recently: the lack of SHA-2 support and the POODLE vulnerability in SSLv3. This is welcome indeed!

Personally, I'm going to stick with the nginx approach for HTTP, even in simple setups, because I've found the extra features you can get (and the promising new ones I haven't tried) to be a dramatic improvement in my server's capabilities. But in the meantime, I'm pleased that the pressure to investigate proxies for other protocols is lessened for the time being. It's not a full SSL revamp (the technote only mentions TLS 1.0 for Domino), but it's something to calm the nerves.

Nonetheless, it's been a good experience to branch out into better ways of running the server. I expect I'll eventually look into mail and LDAP proxying, both to get the highest level of SSL security and to see how useful the other features are (mail load balancing and failover, in particular, would be welcome in my setup).
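For readers who have not yet tried the nginx approach mentioned above, here is what the SSL-terminating reverse proxy looks like in practice. This is an added example, not configuration from this post or from IBM; the hostname, the certificate paths and the Domino HTTP port (127.0.0.1:8080) are assumptions to replace with your own values. The point of interest for the two issues in the post is the `ssl_protocols` line, which simply omits SSLv3 so there is no POODLE downgrade target, and the certificate, which can be a SHA-2-signed chain regardless of what the Domino HTTP stack supports.

```nginx
# Added example: nginx terminating TLS in front of a Domino HTTP server.
# Assumed values: domino.example.com, certificate paths, Domino on 127.0.0.1:8080.

server {
    listen 443 ssl;
    server_name domino.example.com;   # placeholder hostname

    # A SHA-256-signed certificate chain; nginx, not Domino, presents it.
    ssl_certificate     /etc/nginx/certs/domino.example.com.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/certs/domino.example.com.key;   # placeholder path

    # SSLv3 is deliberately absent, which removes the POODLE downgrade target.
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers HIGH:!aNULL:!MD5:!RC4;

    location / {
        # Hand the decrypted request to Domino on the loopback interface.
        proxy_pass http://127.0.0.1:8080;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Lets the application know the client-facing hop was HTTPS.
        proxy_set_header X-Forwarded-Proto https;
    }
}

# Plain HTTP only redirects to the TLS listener.
server {
    listen 80;
    server_name domino.example.com;
    return 301 https://$host$request_uri;
}
```

Run `nginx -t` before reloading, then verify the protocol change from outside: `openssl s_client -connect domino.example.com:443 -ssl3` should fail to negotiate, while the same command with `-tls1_2` should complete the handshake and show the SHA-256 certificate. Pointing `proxy_pass` at the loopback address keeps the nginx-to-Domino hop off the network when both run on the same host; if they are on separate machines, point it at Domino's HTTPS port instead so that leg is encrypted as well.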


Richard Moy - Tue Oct 21 23:16:45 EDT 2014

Jesse,

Definitely agree with you. After your presentation at MWLUG 2014, we switched to nginx for SSL thanks to your postings. We started researching other capabilities of nginx. The performance as a web server is significantly better than Domino/XPages and ease of configuration has a lot of potential. We are not only planning to stay with nginx as a reverse proxy, but we have a lot of stuff that we are working on that involves nginx. Are we moving off Domino? Definitely not. As a secure NoSQL database server there is nothing that comes close. However, the combination of nginx and Domino has huge potential in creating an even better platform. By using nginx to handle the SSL, the load on Domino is reduced, allowing more of its resources to go to what it does best. We have not tried the load balancing stuff but are planning to try it with our secure portal. Thanks for the great work.


Richard


Ray Bilyk - Wed Oct 22 08:37:08 EDT 2014

I'm extremely intrigued by your arguments FOR using a reverse proxy like nginx in front of Domino, but are there any CONS to the argument? I'm stumped to come up with any...

Thanks for your great work on this, Jesse!


Jesse Gallagher - Wed Oct 22 08:53:29 EDT 2014

For the most part, no. Once you get over the hurdle of configuring non-Domino software, things go very smoothly, particularly if you are going for the simple setup.

There are a few gotchas as you get more complicated and move into new capabilities, but they're also limited. I'll make a post at some point explaining those and why I'll be continuing the proxy route regardless of Domino's SSL stack.


Sven Hasselbach - Wed Oct 22 16:38:11 EDT 2014

@Ray:

The only CON I know is that if you are running a reverse proxy on a different machine, the traffic between the Domino server and the browser is not consistently encrypted. This could be a problem in some environments where it has to be guaranteed that nobody can intercept the transferred data. But this problem is really rare (I remember two projects in the last decade which had such high security requirements).

But in 99% of all cases you will have a huge benefit from using a (SSL) reverse proxy in front of Domino. Especially if you are using a proxy like Blue Coat, which gives you a performance boost for every Domino application.

In short, to be independent from Domino is a huge step forward: you can, for example, use a NodeJS instance as a proxy, which allows WebSocket connections and a lot more funny stuff which is not possible with the Domino server (this includes the IHS).