Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] My Bank's Web Site is Behaving Oddly



On Sat, May 07, 2016 at 01:27:46PM -0400, Kent Borg wrote:
> On 05/07/2016 01:05 PM, Dan Ritter wrote:
> >x509 certs don't care about IPs; the browser matches the cert's CN (Common
> >Name) against the domain name it was requesting.
> 
> That makes sense.
> 
> So it should be possible to do an anti-DDoS service with tons of IP
> addresses, but still forward on in encrypted form to a smaller number of
> real machines. Incapsula could have different certificates for different
> domains, but it is too much work, so they have gigantic certificates for
> herds of unrelated domains. Right?

Yup. A CDN with SSL support might do this:

All customers end up assigning www.customer.com as a CNAME for
master.cdn.net

master.cdn.net has two A and two AAAA records; all are multicast
available at a bunch of datacenters

each datacenter has a set of failover IP-level load balancers
that can all handle the 4 IP addresses, or perhaps operate in
two sets.

The load balancers connect to a bunch of SSL/TLS terminating
proxies, which have to know all the certs demanded by client
browsers.

The terminating proxies, in turn, do load balancing and
distributing to a bunch of content servers that actually hold
the information.

The content servers participate in a manual/automatic primed
multilevel caching network, where the controller of the CDN can
push content that they know will be needed soon (i.e. today's
big edition of the newspaper) and when customers demand it, and
otherwise pull content from master caches when the end-user
browsers request it.

-dsr- (It's been 15 years since I worked at Akamai.)
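The layout Dan sketches above, as an added toy model (example code written for this archive page, not code from the thread, from Akamai or from Incapsula): every customer CNAMEs its site to master.cdn.net, so all sites resolve to the same shared addresses; the TLS-terminating proxy at the edge picks a certificate by the hostname the browser asks for (sent as SNI), and the browser then checks that hostname against the certificate's CN and subjectAltName list, never against the IP. All hostnames, addresses and certificates are constructed sample data, and the certificate dicts only borrow the shape that Python's ssl.getpeercert() returns; the wildcard rule implemented is the usual one-label RFC 6125 match. The example goes slightly beyond the message in also showing what happens when a host is CNAMEd to the CDN but covered by none of the edge's certificates.

```python
# Added example (not from the BLU thread): toy model of a CDN edge that
# terminates TLS for many customers behind one set of shared IP addresses.
# Every hostname, address and certificate here is constructed sample data.

# Certificates in the shape ssl.getpeercert() returns (constructed). The first
# is one "gigantic" SAN certificate covering a herd of unrelated customer
# domains; the second is a dedicated certificate for a single customer.
SHARED_CERT = {
    "subject": ((("commonName", "master.cdn.net"),),),
    "subjectAltName": (
        ("DNS", "master.cdn.net"),
        ("DNS", "www.customer.com"),
        ("DNS", "www.newspaper.example"),
        ("DNS", "*.shop.example"),
    ),
}
DEDICATED_CERT = {
    "subject": ((("commonName", "www.bank.example"),),),
    "subjectAltName": (("DNS", "www.bank.example"),),
}

# Constructed DNS: each customer CNAMEs to master.cdn.net, which owns the
# CDN's shared A records. The IP is identical for every customer, so the
# address tells the edge nothing about which certificate to present.
CNAME = {
    "www.customer.com": "master.cdn.net",
    "www.newspaper.example": "master.cdn.net",
    "www.shop.example": "master.cdn.net",
    "www.bank.example": "master.cdn.net",
    "www.notacustomer.example": "master.cdn.net",  # CNAMEd, but never onboarded
}
A_RECORDS = {"master.cdn.net": ["192.0.2.10", "192.0.2.11"]}


def resolve(hostname):
    """Follow the CNAME chain, then return the A records for the final name."""
    seen = set()
    while hostname in CNAME:
        if hostname in seen:
            raise ValueError("CNAME loop at %s" % hostname)
        seen.add(hostname)
        hostname = CNAME[hostname]
    return A_RECORDS.get(hostname, [])


def match_name(pattern, hostname):
    """One-label wildcard matching: '*.shop.example' covers 'www.shop.example'
    but not 'a.b.shop.example' and not 'shop.example' itself."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert, hostname):
    """The browser-side check: SAN DNS entries are authoritative; the CN is
    consulted only when the certificate carries no SAN at all."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return any(match_name(s, hostname) for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return any(match_name(c, hostname) for c in cns)


class TerminatingProxy:
    """Edge proxy that has to know every certificate its customers need."""

    def __init__(self, certs):
        self.certs = list(certs)

    def select_cert(self, sni):
        """Pick the first certificate naming the SNI host; with no match,
        fall back to the default (first) certificate, as real servers do."""
        for cert in self.certs:
            if cert_matches_hostname(cert, sni):
                return cert
        return self.certs[0]


def browser_connect(proxy, hostname):
    """Simulate a browser: resolve the name, send it as SNI, then verify the
    presented certificate. Returns (ip, CN of presented cert, verified)."""
    ips = resolve(hostname)
    if not ips:
        raise LookupError(hostname)
    cert = proxy.select_cert(hostname)
    cn = cert["subject"][0][0][1]
    return ips[0], cn, cert_matches_hostname(cert, hostname)


if __name__ == "__main__":
    edge = TerminatingProxy([SHARED_CERT, DEDICATED_CERT])
    for host in CNAME:
        print(host, browser_connect(edge, host))
```

Running it shows every host landing on the same 192.0.2.10 while the presented certificate differs: the shared SAN certificate is served for www.customer.com, www.newspaper.example and www.shop.example, the dedicated one for www.bank.example, and www.notacustomer.example gets the default certificate and fails the name check, which is exactly the browser warning a user would see if a site were pointed at the CDN before its certificate was installed there.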



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org