On Fri, Jan 27, 2017 at 4:20 PM, Julien Boeuf <jbo...@google.com> wrote:

>> Keep in mind that in case 3, the grpclb load balancers and the server
>> backends are in the same internal domain, with the same access
>> restrictions.  If we can't use a reverse proxy to access the server
>> backends, I don't think we'll be able to do that for the grpclb balancers
>> either.
>>
>> That having been said, as a security issue, Julien can address this
>> directly.
>>
> I agree: we don't want clients to be able to hit the load balancers (or
> the backends) before the proxy has a chance to filter things like source IP
> address and/or traffic inspection. You could argue that the transparent
> proxy could perform these functions, however this would mean that:
> - we now have 2 proxies that perform the same function.
>

Yep. I agree.

> - it is not possible to signal anything with regard to the shape of the
> traffic from the client to the transparent reverse proxy since there is no
> HTTP CONNECT request. This makes traffic inspection very difficult as it
> has to rely on heuristics as opposed to clear and unambiguous signalling.
>

I don't understand this. "Traffic inspection" should be much easier with a
reverse proxy, since it actually sees the traffic vs an encrypted blob. Are
you suggesting that we'll support putting extra request headers in the
CONNECT? I didn't think we were going to do that, other than for auth, and
we already know how to handle that sort of auth in the reverse proxy case.

We can hold this part of the conversation, because of the double proxy
being painful.
