Would installing haproxy on sys-net compromise the standard qubes firewall scheme?
I know there is an elevated risk in accepting incoming requests. But currently I have port forwarding enabled to expose certain services to the outside world, and my understanding of port forwarding is that it is a more literal 'hole' in the firewall.

What I have are two or more servers running in their own respective qubes. I was thinking the incoming connections would hit the haproxy frontend in sys-net, authenticate the request, and forward it to the respective service backend via sys-firewall etc...

If haproxy authenticates it could decrypt the ssl connection and forward it as a normal packet, preventing a bad ssl punching through all of the qubes security layers. Or perhaps I could allow ssl passthrough and simply prevent any other connections out of the service qube and into the qube system...

Thoughts? Suggestions?