[Discuss] My Bank's Web Site is Behaving Oddly

Dan Ritter dsr at randomstring.org
Sat May 7 15:16:19 EDT 2016


On Sat, May 07, 2016 at 01:27:46PM -0400, Kent Borg wrote:
> On 05/07/2016 01:05 PM, Dan Ritter wrote:
> >x509 certs don't care about IPs; the browser matches the cert's CN (Common
> >Name) against the domain name it was requesting.
> 
> That makes sense.
> 
> So it should be possible to do an anti-DDos service with tons of IP
> addresses, but still forward on in encrypted form to a smaller number of
> real machines. Incapsula could have different certificates for different
> domains, but it is too much work, so they have gigantic certificates for a
> herd of unrelated domains. Right?

Yup. A CDN with SSL support might do this:

All customers end up assigning www.customer.com as a CNAME for
master.cdn.net

master.cdn.net has two A and two AAAA records; all are multicast
available at a bunch of datacenters

each datacenter has a set of failover IP-level load balancers
that can all handle the 4 IP addresses, or perhaps operate in
two sets.

The load balancers connect to a bunch of SSL/TLS terminating
proxies, which have to know all the certs demanded by client
browsers.

The terminating proxies, in turn, do load balancing and
distributing to a bunch of content servers that actually hold
the information.

The content servers participate in a manual/automatic primed
multilevel caching network, where the controller of the CDN can
push content that they know will be needed soon (i.e. today's
big edition of the newspaper) and when customers demand it, and
otherwise pull content from master caches when the end-user
browsers request it.

-dsr- (It's been 15 years since I worked at Akamai.)
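The hostname check the thread turns on, as an added example that is not part of the original post or of any CDN's code: a TLS client compares the certificate against the name the user asked for, not against the CNAME target the resolver followed or the IP it connected to, so a CDN's terminating proxy must present a certificate whose subjectAltName lists www.customer.com even though DNS steered the browser to master.cdn.net. The DNS records, hostnames, addresses and SAN lists below are constructed for illustration; the matching rules are the RFC 6125 ones browsers apply (SAN entries only, wildcard confined to the whole leftmost label, one label per wildcard).

```python
"""Added example (not from the thread): why a CDN's shared cert must name the
customer's host. All names, addresses and SAN lists here are constructed."""
import ipaddress

# Constructed DNS, as the mail describes it: the customer's www name is a CNAME
# for the CDN's master name, which resolves to a shared address.
DNS = {
    "www.customer.com": ("CNAME", "master.cdn.net"),
    "www.otherbank.example": ("CNAME", "master.cdn.net"),
    "master.cdn.net": ("A", "198.51.100.7"),
}

# Constructed subjectAltName contents of two certs a terminating proxy might hold.
# The CN is ignored once a SAN extension is present, so only SANs are modelled.
CDN_SHARED_CERT = ["DNS:www.customer.com", "DNS:customer.com",
                   "DNS:www.otherbank.example", "DNS:*.cdn.net"]
CDN_OWN_CERT = ["DNS:master.cdn.net", "DNS:*.cdn.net", "IP:198.51.100.7"]


def resolve(name, dns=DNS):
    """Follow CNAMEs to an address; returns (address, list of names visited)."""
    chain = [name]
    while True:
        rtype, value = dns[name]
        if rtype != "CNAME":
            return value, chain
        name = value
        chain.append(name)


def dns_name_matches(pattern, hostname):
    """RFC 6125 section 6.4.3 as browsers apply it: case-insensitive, a '*' is
    only allowed as the entire leftmost label, it matches exactly one label,
    and at least two labels must follow it (no '*.com')."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def cert_matches(san_entries, reference_identity):
    """True if the cert's SANs cover the identity the client asked for.
    A literal IP only matches an IP SAN; a hostname only matches a DNS SAN."""
    try:
        ip = ipaddress.ip_address(reference_identity)
    except ValueError:
        ip = None
    for entry in san_entries:
        kind, _, value = entry.partition(":")
        if ip is not None and kind == "IP":
            if ipaddress.ip_address(value) == ip:
                return True
        elif ip is None and kind == "DNS":
            if dns_name_matches(value, reference_identity):
                return True
    return False


def select_cert(cert_table, server_name):
    """Proxy side: pick the first cert whose SANs cover the SNI name, else fall
    back to the last one (the client will then reject the handshake)."""
    for sans in cert_table:
        if cert_matches(sans, server_name):
            return sans
    return cert_table[-1]


def connect(requested_host, cert_table):
    """Client side: resolve (following CNAMEs) to reach the proxy, send the
    *requested* name in SNI, and verify the returned cert against that same
    requested name. The CNAME chain and the IP play no part in the check."""
    address, chain = resolve(requested_host)
    sans = select_cert(cert_table, requested_host)
    return {"address": address, "cname_chain": chain, "sni": requested_host,
            "verified": cert_matches(sans, requested_host)}


if __name__ == "__main__":
    # Shared cert lists the customer's name: handshake verifies.
    print(connect("www.customer.com", [CDN_SHARED_CERT, CDN_OWN_CERT]))
    # Only the CDN's own cert: master.cdn.net and the IP are in it, the browser
    # still rejects it because it asked for www.customer.com.
    print(connect("www.customer.com", [CDN_OWN_CERT]))
```

The second call is the failure mode worth remembering when debugging a CDN onboarding: a cert for master.cdn.net, or even one carrying the shared IP as an IP SAN, does nothing for a browser that typed www.customer.com, which is exactly why the shared certificates end up listing so many unrelated customer domains.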
