[tor-bugs] #30912 [Internal Services/Tor Sysadmin Team]: Investigate stunnel outage on crm-ext-01
Tor Bug Tracker & Wiki
blackhole at torproject.org
Mon Jul 29 17:08:10 UTC 2019
#30912: Investigate stunnel outage on crm-ext-01
-------------------------------------------------+-------------------------
Reporter: peterh                                 | Owner: tpa
Type: defect                                     | Status: needs_information
Priority: Medium                                 | Milestone:
Component: Internal Services/Tor Sysadmin Team   | Version:
Severity: Normal                                 | Resolution:
Keywords:                                        | Actual Points:
Parent ID:                                       | Points:
Reviewer:                                        | Sponsor:
-------------------------------------------------+-------------------------
Comment (by anarcat):
an ipsec tunnel is now present between the two hosts. any time one host
reaches the other, traffic is encrypted over the wire. so you can now
connect directly to the Redis host safely, without going through the
tunnel. this will require a configuration on your side, of course, but
that should be easy enough to perform.
note that if we have a failure of the tunnel (i.e. it doesn't start at all
or is stopped by a malicious actor), it means redis will communicate to
the other host in cleartext. we thought of some options to work around that
problem, like creating a RFC1918 IP address just for this purpose, but I
figured I would try with you to see if this works first.
we should have monitoring on the tunnels to make sure they don't go down,
so at least failures should be monitored (i'll double-check that).
thank you for your patience...
(we're in the middle of a mailing now, so i'd recommend waiting a little
bit before making those changes... ;) i figured backend changes like this
weren't a problem because they are inactive as long as you don't apply the
changes on your side...)
--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/30912#comment:17>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
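The comment above notes that a stopped IPsec tunnel silently falls back to cleartext Redis traffic and that the tunnels should be monitored. As an added example (not from the ticket or the Tor sysadmin team), here is a small monitoring check that parses `ip xfrm state` output and only reports the tunnel as up when an ESP security association exists in both directions; the peer addresses and the sample output are constructed, not the real crm-ext-01 or Redis host addresses.

```python
import re
from typing import List, Tuple

# Constructed sample of `ip xfrm state` output with hypothetical addresses
# (192.0.2.x is documentation space); not taken from the ticket.
SAMPLE_XFRM_STATE = """\
src 192.0.2.10 dst 192.0.2.20
\tproto esp spi 0x0a1b2c3d reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x00 128
\tenc cbc(aes) 0x00
src 192.0.2.20 dst 192.0.2.10
\tproto esp spi 0x1e2f3a4b reqid 1 mode tunnel
\treplay-window 32 flag af-unspec
\tauth-trunc hmac(sha256) 0x00 128
\tenc cbc(aes) 0x00
"""

SA = Tuple[str, str, str, str]  # (src, dst, proto, mode)

def parse_xfrm_state(output: str) -> List[SA]:
    """Turn `ip xfrm state` output into (src, dst, proto, mode) tuples."""
    sas: List[SA] = []
    src = dst = None
    for line in output.splitlines():
        head = re.match(r"^src (\S+) dst (\S+)", line)
        if head:
            src, dst = head.groups()
            continue
        body = re.match(r"^\s*proto (\S+) spi \S+ reqid \S+ mode (\S+)", line)
        if body and src and dst:
            sas.append((src, dst, body.group(1), body.group(2)))
    return sas

def tunnel_status(output: str, local: str, peer: str) -> Tuple[int, str]:
    """Nagios-style result: (0, OK message) or (2, CRITICAL message).
    Both directions must have an ESP SA; with only one, replies from the
    other side would leave the host unencrypted."""
    esp = {(s, d) for s, d, proto, _ in parse_xfrm_state(output) if proto == "esp"}
    missing = [pair for pair in ((local, peer), (peer, local)) if pair not in esp]
    if missing:
        gaps = ", ".join(f"{s}->{d}" for s, d in missing)
        return 2, f"CRITICAL: no ESP SA for {gaps}"
    return 0, f"OK: ESP SAs present {local}<->{peer}"

if __name__ == "__main__":
    # In production, feed in subprocess.run(["ip", "xfrm", "state"], ...).stdout
    # and use the exit code as the check result; here the constructed sample is used.
    code, msg = tunnel_status(SAMPLE_XFRM_STATE, "192.0.2.10", "192.0.2.20")
    print(msg)
```

Monitoring only alerts after the fact; to make the setup fail closed instead of falling back to cleartext, netfilter's `policy` match (`-m policy --dir out --pol none`) can drop Redis traffic to the peer that is not covered by an IPsec policy.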