RE: Load Balancing
Hi, Paul. It's 6:30am and it has already been a long day for me, so please forgive any disjointed thoughts. :-}

Anyway, I'm not very familiar w/ LVS-IP because I haven't used it, but the problem w/ balancing SSL is that when the encrypted transaction hits your load balancer, the balancer is unable to read any of your session information (it's encrypted). So it just throws you at one of the web servers in question (round robin, usually). The web server decrypts the transaction and is able to do any load balancing at that level before sending the transaction on to an application server (if applicable). The web server then encrypts the return data before sending it back out thru the balancer to the user. At no point does the balancer see unencrypted session information. I'm not sure if / how LVS-IP might overcome that problem, but I'm going to try putting some bandwidth into reading up on it this week.

I know this is true for Local Directors. Cisco (and others, I'm sure) make smart load balancers which basically handle the SSL first, then do the load balancing, but functionally those are not much different than putting an SSL box in front of your LD if you already own them.

As far as an SSL transaction between the user and backend, I'm not 100% sure I am reading the question right. If your environment goes something like this:

Browser -- net -- firewall -- ssl -- balancer -- webserver -- appserver -- database

Then that should be just as secure as:

Browser -- net -- firewall -- balancer -- webserver / ssl -- appserver -- database

Basically, if your first firewall is compromised, then you're open, and having the transaction encrypted for one or two more levels is probably not going to make a big difference. A good habit, of course, is to put a second firewall between your web and app server tier, or at least in front of your db.

If your database is not within your network and you need to call out to it, then put another dedicated SSL box between your appserver and db tier (one on each end, actually). And, of course, another firewall. :-)

If your config is significantly different or if I misread your question, just let me know.

-Lawrence

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, May 22, 2002 3:34 PM
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Load Balancing

In a message dated: Wed, 22 May 2002 14:59:07 EDT [EMAIL PROTECTED] said:

Just a quick warning if any of your servers are going to run ssl. Load balancing in this form cannot really be done against an ssl transaction - something I've found from research and experience (unfortunately, the experience came before the research) :-o

Can't you have the ssl transaction be carried out between the user and the backend node, though? It seems that this type of thing is exactly what the LVS-IP Tunneling mode was designed for, no?

-- Seeya, Paul
It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.
If you're not having fun, you're not doing it right!

* To unsubscribe from this list, send mail to [EMAIL PROTECTED] with the text 'unsubscribe gnhlug' in the message body. *
Re: My Website
On Wed, 22 May 2002, at 8:51pm, Alexander DelMore wrote:

With M$ SharePoint I have set up a calendar to put up for GNHLUG dates .. so send 'em to me

Not that we don't appreciate the effort, but what is wrong with the existing calendar at http://www.gnhlug.org/lug_cal/?

-- Ben Scott [EMAIL PROTECTED]
| The opinions expressed in this message are those of the author and do not |
| necessarily represent the views or policy of any other person, entity or |
| organization. All information is provided without warranty of any kind. |
RE: Load Balancing
This is my question also. Now, I'm not an expert on security in any way, shape or form; I would classify myself as a novice at best. I do understand defense in depth and multiple layers, but I have the same question that Lawrence does. Unless your webserver sits completely naked outside your firewall (a situation I can't even begin to imagine), then I don't see a really big problem w/ putting the SSL accelerator in front of your load balancer. Can someone please explain so a simple person like myself can understand?

Hi, Paul. It's 6:30am and it has already been a long day for me, so please forgive any disjointed thoughts. :-}

Anyway, I'm not very familiar w/ LVS-IP because I haven't used it, but the problem w/ balancing SSL is that when the encrypted transaction hits your load balancer, the balancer is unable to read any of your session information (it's encrypted). So it just throws you at one of the web servers in question (round robin, usually). The web server decrypts the transaction and is able to do any load balancing at that level before sending the transaction on to an application server (if applicable). The web server then encrypts the return data before sending it back out thru the balancer to the user. At no point does the balancer see unencrypted session information. I'm not sure if / how LVS-IP might overcome that problem, but I'm going to try putting some bandwidth into reading up on it this week.

I know this is true for Local Directors. Cisco (and others, I'm sure) make smart load balancers which basically handle the SSL first, then do the load balancing, but functionally those are not much different than putting an SSL box in front of your LD if you already own them.

As far as an SSL transaction between the user and backend, I'm not 100% sure I am reading the question right. If your environment goes something like this:

Browser -- net -- firewall -- ssl -- balancer -- webserver -- appserver -- database

Then that should be just as secure as:

Browser -- net -- firewall -- balancer -- webserver / ssl -- appserver -- database

Basically, if your first firewall is compromised, then you're open, and having the transaction encrypted for one or two more levels is probably not going to make a big difference. A good habit, of course, is to put a second firewall between your web and app server tier, or at least in front of your db.

If your database is not within your network and you need to call out to it, then put another dedicated SSL box between your appserver and db tier (one on each end, actually). And, of course, another firewall. :-)

If your config is significantly different or if I misread your question, just let me know.

-Lawrence
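The two messages above turn on the same point: a balancer that does not terminate SSL/TLS never sees the session information inside the connection. The following is an added example, not code from the thread or from any of the products named in it. It parses the one part of the connection such a balancer can read, the ClientHello, pulls out the session ID and server_name (SNI) extension, and uses the session ID to keep a resuming client on the same backend ("SSL session ID persistence", the workaround balancers of that era actually used). The backend names, the ClientHello builder and the SessionIdBalancer class are assumptions constructed for this example; the TLS 1.3 caveat in the class docstring is a real limitation of the technique.

```python
"""
Added example (not from the thread): what a balancer that does not terminate
SSL/TLS can read, and how it can still keep a client on the same backend.

Only the handshake is in the clear.  The balancer can read the protocol
version, the session ID offered for resumption and the server_name (SNI)
extension; the HTTP request, cookies and URL that follow are ciphertext.
Backend names and the ClientHello built here are constructed for the example.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class ClientHello:
    version: Tuple[int, int]
    session_id: bytes
    sni: Optional[str]


def _u16(buf: bytes, pos: int) -> int:
    if pos + 2 > len(buf):
        raise ValueError("truncated ClientHello")
    return struct.unpack("!H", buf[pos:pos + 2])[0]


def parse_client_hello(data: bytes) -> ClientHello:
    """Parse a TLS record carrying a ClientHello; raise ValueError for anything else."""
    if len(data) < 5 or data[0] != 0x16:            # 0x16 = handshake record
        raise ValueError("not a handshake record (application data is opaque)")
    body = data[5:5 + _u16(data, 3)]
    if len(body) < 4 or body[0] != 0x01:            # 0x01 = ClientHello
        raise ValueError("not a ClientHello")
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    if len(hs) < 35:
        raise ValueError("truncated ClientHello")
    version = (hs[0], hs[1])
    pos = 34                                        # client_version(2) + random(32)
    sid_len = hs[pos]
    pos += 1
    session_id = hs[pos:pos + sid_len]
    pos += sid_len
    pos += 2 + _u16(hs, pos)                        # skip cipher_suites
    if pos >= len(hs):
        raise ValueError("truncated ClientHello")
    pos += 1 + hs[pos]                              # skip compression_methods
    sni = None
    if pos + 2 <= len(hs):                          # extensions are optional
        end = pos + 2 + _u16(hs, pos)
        pos += 2
        while pos + 4 <= end:
            etype, elen = _u16(hs, pos), _u16(hs, pos + 2)
            pos += 4
            ext = hs[pos:pos + elen]
            pos += elen
            if etype == 0 and len(ext) >= 5:        # server_name extension
                name_len = _u16(ext, 3)             # list_len(2) type(1) name_len(2) name
                sni = ext[5:5 + name_len].decode("ascii", "replace")
    return ClientHello(version, session_id, sni)


def build_client_hello(session_id: bytes, sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello (sample input for this example)."""
    body = b"\x03\x03" + bytes(range(32))           # version + fixed "random"
    body += bytes([len(session_id)]) + session_id
    suites = b"\xc0\x2f\xc0\x30"                    # two ECDHE-RSA AES-GCM suites
    body += struct.pack("!H", len(suites)) + suites
    body += b"\x01\x00"                             # one compression method: null
    exts = b""
    if sni is not None:
        name = sni.encode("ascii")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # type host_name
        name_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", 0, len(name_list)) + name_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


class SessionIdBalancer:
    """Round-robin for new sessions; sticky by TLS session ID on resumption.

    A production balancer records the ID the backend assigns in its ServerHello;
    keying on the ID the client presents is enough to show the mechanism.
    TLS 1.3 clients send a random compatibility session ID and resume with
    tickets instead, so this persistence only works for TLS 1.2 and earlier.
    """

    def __init__(self, backends: List[str]) -> None:
        self.backends = backends
        self.next_index = 0
        self.sticky: Dict[bytes, str] = {}

    def choose(self, first_bytes: bytes) -> str:
        hello = parse_client_hello(first_bytes)
        if hello.session_id in self.sticky:
            return self.sticky[hello.session_id]
        backend = self.backends[self.next_index % len(self.backends)]
        self.next_index += 1
        if hello.session_id:                        # empty ID = brand-new session
            self.sticky[hello.session_id] = backend
        return backend


if __name__ == "__main__":
    lb = SessionIdBalancer(["web1", "web2"])        # constructed backend names
    fresh = build_client_hello(b"", "shop.example.com")
    resume = build_client_hello(b"\xaa" * 32, "shop.example.com")
    print(parse_client_hello(resume))
    print([lb.choose(h) for h in (fresh, fresh, resume, fresh, resume)])
```

Note what the parser refuses: a record of type 0x17 (application data) raises, because nothing inside it is readable without the session keys. That is exactly Lawrence's point, and it is why terminating TLS at the balancer (or an accelerator in front of it) is the only way to balance on cookies or URLs.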
MS lobbies DOD to drop OSS
Don't know if anyone saw this article off of /. :

http://www.washingtonpost.com/wp-dyn/articles/A60050-2002May22.html

But I found an interesting quote at the very end of the article:

...the Defense Department is now prohibited from purchasing any software that has not undergone security testing by the NSA. Stenbit said he is unaware of any open-source software that has been tested.

From this quote, one could argue that the NSA will never be required to, and therefore never will, test open-source software! Since the requirement is that no software can be *purchased* without NSA testing, this makes it a lot easier for people to say, screw it, let's just grab something off the net that does the job! Thereby saving time and money, probably doing the job better, and not purchasing commercial software :)

Well, I found it interesting anyway!

-- Seeya, Paul
HP ships Debian pre-installed on their Blade servers
Saw this pointed to on Debian Planet:

http://www.software.hp.com/blade-servers/debian_img.htm

Thought others might care. Could be wrong ;)

-- Seeya, Paul
Re: HP ships Debian pre-installed on their Blade servers
On Thu, 2002-05-23 at 10:37, [EMAIL PROTECTED] wrote:

Saw this pointed to on Debian Planet: http://www.software.hp.com/blade-servers/debian_img.htm Thought others might care. Could be wrong ;)

It's about time, too. Even Linux companies like Penguin, Angstrom Micro, and formerly VA, didn't ship Debian. It was all Red Hat.

-- Tact is just *not* saying true stuff -- Cordelia Chase
Kenneth E. Lussier
Sr. Systems Administrator
Zuken, USA
PGP KeyID CB254DD0
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xCB254DD0
Re: HP ships Debian pre-installed on their Blade servers
In a message dated: 23 May 2002 11:09:07 EDT Kenneth E. Lussier said:

It's about time, too. Even Linux companies like Penguin, Angstrom Micro, and formerly VA, didn't ship Debian. It was all Red Hat.

That's not entirely true. VA was shipping Debian towards the end. Of course, way back then when there were Linux companies, the only distro anyone had heard of *was* RedHat. When you're trying to get into a company and end up talking to a PHB or some other exec who asks what's on the box, you don't want to answer them with something requiring a long-winded explanation which will delve into exactly what a distro is, how it works, blah, blah, blah. You want to answer them quickly and decisively with something they (think they) understand. They knew RedHat; they had no clue what Debian was. It would have only led to confusion.

-- Seeya, Paul
It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.
If you're not having fun, you're not doing it right!
Re: HP ships Debian pre-installed on their Blade servers
I'd love to see more corporate support for Debian. Several years ago I switched from Debian to SuSE because the Debian systems were not up to date for my system. I found that SuSE was the best release for my system. I had Red Hat running on my Alpha. SuSE's YaST (YaST1) was very similar in operation to Debian's dselect. One real advantage with Debian is that you are guaranteed that the distribution is fully Open Source (not all GPL, though).

On 23 May 2002 at 11:09, Kenneth E. Lussier wrote:

On Thu, 2002-05-23 at 10:37, [EMAIL PROTECTED] wrote:

Saw this pointed to on Debian Planet: http://www.software.hp.com/blade-servers/debian_img.htm Thought others might care. Could be wrong ;)

It's about time, too. Even Linux companies like Penguin, Angstrom Micro, and formerly VA, didn't ship Debian. It was all Red Hat.

-- Jerry Feldman [EMAIL PROTECTED]
Associate Director
Boston Linux and Unix user group
http://www.blu.org
PGP key id: C5061EA9
PGP Key fingerprint: 053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9
Re: HP ships Debian pre-installed on their Blade servers
On Thu, 2002-05-23 at 11:20, [EMAIL PROTECTED] wrote:

In a message dated: 23 May 2002 11:09:07 EDT Kenneth E. Lussier said:

It's about time, too. Even Linux companies like Penguin, Angstrom Micro, and formerly VA, didn't ship Debian. It was all Red Hat.

That's not entirely true. VA was shipping Debian towards the end. Of course, way back then when there were Linux companies, the only distro anyone had heard of *was* RedHat. When you're trying to get into a company and end up talking to a PHB or some other exec who asks what's on the box, you don't want to answer them with something requiring a long-winded explanation which will delve into exactly what a distro is, how it works, blah, blah, blah.

VA supported Debian for all of under 12 months, ending about 3-4 months before they got out of the hardware business. Of the customers I talked to, most requested RH, with one asking for Debian. The strange thing was, they bought the machines with RH, then installed Debian afterwards.

In other news, Sherwin-Williams will be using IBM gear and Linux to drive cash registers at 2500 stores.

http://story.news.yahoo.com/news?tmpl=story&ncid=581&e=2&cid=581&u=/nm/20020523/tc_nm/tech_ibm_sherwinwilliams_dc_1

-Mark
KDE 3.0.1 has been announced
Just caught this off of Slashdot, and thought folks here might be interested. Note that various volunteers have created RPMs or other appropriate packages for various Linux and UNIX distributions, including Tru64 UNIX, but *NOT* Red Hat.

http://www.kde.org/announcements/announce-3.0.1.html

Enjoy,
Bayard
bash question
Ok, here's one for all you bash experts out there. I have a line in a script that does this:

lspci -d1134:1 | /usr/bin/wc -l

The idea, of course, is to get the number of our boards in the system. The funny thing is, if I log in as root I get

      2    /* Note the 6 blank spaces before the 2 */

if I log in as myself, or ssh into the machine and su to root, I get

2    /* note NO space before the 2 */

if I ssh into the machine and su - to root I get

      2    /* Note the 6 blank spaces before the 2 */

again. What's up? I did clean up the spaces with sed, so this is not a functional problem.

TIA,
Kenny

-- Ken Donahue
Software Engineer
phone: 978 967-1820
email: [EMAIL PROTECTED]
Mercury Computers, Inc.
System OS - Host Development Team
Re: bash question
Kenny Donahue said:

Ok, here's one for all you bash experts out there. I have a line in a script that does this:

lspci -d1134:1 | /usr/bin/wc -l

The idea, of course, is to get the number of our boards in the system. The funny thing is, if I log in as root I get

      2    /* Note the 6 blank spaces before the 2 */

if I log in as myself, or ssh into the machine and su to root, I get

2    /* note NO space before the 2 */

if I ssh into the machine and su - to root I get

      2    /* Note the 6 blank spaces before the 2 */

again. What's up?

1st, try:

lspci -d1134:1 | /usr/bin/wc -l | tr -d ' '

That'll eliminate the space and let you continue w/ your problem. As for the different behaviour of wc's output, I'll leave that to others. But I suspect when you do it as root or su - you get root's environment instead of your own, and there's some difference between the two. If you do the tr thing, it really doesn't matter :-)

I did clean up the spaces with sed, so this is not a functional problem.

TIA,
Kenny

-- Ken Donahue
Software Engineer
phone: 978 967-1820
email: [EMAIL PROTECTED]
Mercury Computers, Inc.
System OS - Host Development Team

--
---
Tom Buskey
Re: bash question
In a message dated: Thu, 23 May 2002 16:45:47 EDT Kenny Donahue said:

Ok, here's one for all you bash experts out there. I have a line in a script that does this:

lspci -d1134:1 | /usr/bin/wc -l

[...snip...]

      2    /* Note the 6 blank spaces before the 2 */

if I log in as myself, or ssh into the machine and su to root, I get

2    /* note NO space before the 2 */

[...snip...]

again. What's up?

No idea, works just fine for me. Regardless of what I do, there are spaces before the number. Make sure that wc isn't aliased somewhere in root's config files to be something else, including a sed statement.

-- Seeya, Paul
It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.
If you're not having fun, you're not doing it right!
Re: bash question
On Thu, 23 May 2002, Kenny Donahue wrote:

lspci -d1134:1 | /usr/bin/wc -l

The idea, of course, is to get the number of our boards in the system. The funny thing is, if I log in as root I get

      2    /* Note the 6 blank spaces before the 2 */

if I log in as myself, or ssh into the machine and su to root, I get

2    /* note NO space before the 2 */

Based on what I've seen, and read, I'm guessing that it's spitting out tabs, which then get converted by way of your $TERM variable. Check your $TERM on the two, and make them the same, and see what happens, 'cause your tabs are probably getting eaten for lunch.

$.02,
-Ken
Re: bash question
It's got to be somewhere in my environment. Like I said, the problem is solved; it's just messing up my head that it works differently for me and others than it does for root. I was just hoping for someone to say "export SET_THIS_DUMMY=get_spaces" and get the spaces in my environment.

Thanks,
Kenny

[EMAIL PROTECTED] wrote:

In a message dated: Thu, 23 May 2002 16:45:47 EDT Kenny Donahue said:

Ok, here's one for all you bash experts out there. I have a line in a script that does this:

lspci -d1134:1 | /usr/bin/wc -l

[...snip...]

      2    /* Note the 6 blank spaces before the 2 */

if I log in as myself, or ssh into the machine and su to root, I get

2    /* note NO space before the 2 */

[...snip...]

again. What's up?

No idea, works just fine for me. Regardless of what I do, there are spaces before the number. Make sure that wc isn't aliased somewhere in root's config files to be something else, including a sed statement.

-- Seeya, Paul
It may look like I'm just sitting here doing nothing, but I'm really actively waiting for all my problems to go away.
If you're not having fun, you're not doing it right!

-- Ken Donahue
Software Engineer
phone: 978 967-1820
email: [EMAIL PROTECTED]
Mercury Computers, Inc.
System OS - Host Development Team
Re: bash question
nope.

TERM=xterm on both

which xterm
/usr/bin/X11/xterm

on both

Ken Ambrose wrote:

On Thu, 23 May 2002, Kenny Donahue wrote:

lspci -d1134:1 | /usr/bin/wc -l

The idea, of course, is to get the number of our boards in the system. The funny thing is, if I log in as root I get

      2    /* Note the 6 blank spaces before the 2 */

if I log in as myself, or ssh into the machine and su to root, I get

2    /* note NO space before the 2 */

Based on what I've seen, and read, I'm guessing that it's spitting out tabs, which then get converted by way of your $TERM variable. Check your $TERM on the two, and make them the same, and see what happens, 'cause your tabs are probably getting eaten for lunch.

$.02,
-Ken

-- Ken Donahue
Software Engineer
phone: 978 967-1820
email: [EMAIL PROTECTED]
Mercury Computers, Inc.
System OS - Host Development Team
Re: bash question
[PLEASE DON'T TOPQUOTE]

Kenny Donahue [EMAIL PROTECTED] writes:

Ken Ambrose wrote:

On Thu, 23 May 2002, Kenny Donahue wrote:

lspci -d1134:1 | /usr/bin/wc -l

The idea, of course, is to get the number of our boards in the system. The funny thing is, if I log in as root I get

      2    /* Note the 6 blank spaces before the 2 */

if I log in as myself, or ssh into the machine and su to root, I get

2    /* note NO space before the 2 */

Based on what I've seen, and read, I'm guessing that it's spitting out tabs, which then get converted by way of your $TERM variable. Check your $TERM on the two, and make them the same, and see what happens, 'cause your tabs are probably getting eaten for lunch.

nope.

TERM=xterm on both

which xterm
/usr/bin/X11/xterm

on both

What is the output of env, both when you log in on the console and when you log in via ssh? What shell(s) are you running?

--kevin

-- My sister became some sort of MS Certified Professional today. I knew she could do it. She's the only person I know who sends me email with Outlook and yet still manages to send it in ASCII with the quoted material at the top with > at the start of each (less than 76 char) line and her comments nicely interspersed beneath. (See, Outlook users, you can do it!)
-- Telsa Gwynne's (Alan Cox's wife's) diary, 2 May 2000, at http://roadrunner.swansea.linux.org.uk/~hobbit/diary.html
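The thread never settles why wc pads its count in one environment and not another, but the script-level fix is the same either way: never compare wc's output as a string. The following is an added example, not code from the thread. It stands in a constructed two-line listing for the real `lspci -d1134:1` output so it runs anywhere, and shows two ways to get a bare number that do not depend on how wc formats its output: arithmetic expansion, which ignores leading blanks and tabs, and `grep -c`, which never pads. The sample lines and function names are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): count lines from a command without
# depending on whether wc pads its output with leading blanks or tabs.

# Constructed stand-in for `lspci -d1134:1`; two devices, one per line.
sample_lspci() {
    printf '%s\n' \
        '02:01.0 Bridge: Device 1134:0001' \
        '02:02.0 Bridge: Device 1134:0001'
}

# Arithmetic expansion discards any padding wc adds, so "      2" becomes 2.
# Works whether root's wc prints "      2" and yours prints "2" or vice versa.
count_padded() {
    echo $(( $(sample_lspci | wc -l) ))
}

# grep -c counts matching lines and never pads, so no post-processing at all.
count_grep() {
    sample_lspci | grep -c .
}

# Strip blanks and tabs explicitly (what the thread's tr suggestion does for
# spaces only; the tab is included here in case the padding uses tabs).
strip_blanks() {
    tr -d ' \t'
}

# Compare numerically ([ -eq ]), never as a string ([ = ]), in real scripts.
n=$(count_padded)
if [ "$n" -eq 2 ]; then
    echo "found $n boards"
else
    echo "unexpected count: '$n'" >&2
fi
```

Use `-eq` rather than `=` in the test as well: `[ "      2" = "2" ]` is false, `[ "      2" -eq 2 ]` is true, so a numeric comparison would have made the padding difference invisible to the script in the first place.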