Hello Shawn,


On 16 April 2018 at 17:39, Shawn Heisey <hapr...@elyograg.org> wrote:
> I enabled the admin socket so that I could renew OCSP stapling. As far as I
> understand, it can only be used on the load balancer machine itself, and I
> think this is the only way to renew stapling other than restarting the
> program, which isn't something I want to do.
>
> As for the possible security issue: If somebody were to compromise the back
> end server and the back end server had knowledge about the load balancer

Why would the backend need to have any knowledge about the
load-balancer? You'd adjust your workflow and command the switch from
the load-balancer instead of your backend application, that's it. Your
backend does not need to access the load-balancer in any way.



> then the attacker might have enough information to fiddle with the load
> balancer for *other* things the load balancer is handling that are more
> sensitive.
>
>> I think your original issue may be due to the "retries 1"
>> configuration you have in there. I would recommend removing that.
>
>
> The documentation for 1.5 says the default value for retries is 3.  Wouldn't
> removing it make whatever problems a retry causes *worse*?  If retries are
> bad, then perhaps I should set it to 0.  I have no recollection about why I
> have this setting in the config.  The default/global settings were created
> years ago and don't change much.

Retries are a good thing and the default retries of 3 is a good value.
Changing this to a non-default will have an impact, especially in the
cases where this server is going down or is about to go down.

By removing the "retries" configuration altogether you are using the
default value of 3, which is the recommended configuration.



Regards,
Lukas

Reply via email to