>>>>> On Tue, 12 Mar 2013 18:57:01 +0400, Konstantin Khomoutov said:
>
> I have a Bacula installation on my corporate LAN for some time,
> and since this is LAN I did not bother with setting up TLS.
>
> Now a need emerged to back up exactly one remote client (it's
> actually a VPS). For some reason Bacula appears to be a rather
> suitable thing to employ for this task, except for one thing: since
> this client is accessible via Internet, all communications have to be
> secure hence employing TLS appears to be a way to go.
>
> As far as I understand it, backing up a client goes like this:
> 1) The Director contacts the FD and tells it to upload such and such
>    files to a specific SD. It tells the FD which SD and also passes
>    it a special cookie to authenticate against that SD.
> 2) The FD contacts the SD and uploads its stuff.

Correct (plus the Director contacts the SD before step 1).

> So I should have the Director->FD and FD->SD communications protected
> by TLS. This means that FD should have TLS enabled for both inbound and
> outgoing connections, and SD should listen on a port with TLS enabled.
>
> The problem is that I thought it will be possible to enable TLS only on
> that one remote FD and add a TLS-enabled "listener" to my local SD,
> and leave the LAN intact. So I imagined I would set up TLS on the
> remote FD, do the same in the appropriate Client resource in my
> Director, and set up the second Storage resource in my SD config,
> listening on a different port and having TLS enabled *only there.*
>
> Unfortunately, SD says there can be only one Storage resource in the SD
> configuration file. So it now appears that TLS in Bacula supposes an
> all or nothing approach.

Did you look at the TLS Require directive? It seems to allow for optional TLS.

> I also know about stunnel, but I'm hesitant to use it due to these
> reasons:
> 1) At least two stunnel instances will be required to be set up and
>    maintained.
> 2) Using stunnel involves unnecessary copying of (lots of) data.

You could overcome 1 by using a single ssh command with the -L and -R options
to make the tunnels.

__Martin
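
The optional-TLS layout suggested in the reply above, as an added configuration sketch that is not part of the original thread or of any shipped Bacula configuration. It assumes `TLS Require = no` behaves as the Bacula manual describes (the daemon accepts both TLS and non-TLS peers); all resource names, host names, passwords and file paths are hypothetical placeholders.

```conf
# bacula-sd.conf on the LAN SD: the single Storage resource offers TLS
# but does not demand it, so existing LAN clients keep connecting as before.
Storage {
  Name = lan-sd                                     # hypothetical
  # (existing directives unchanged)
  TLS Enable = yes
  TLS Require = no
  TLS Certificate = /etc/bacula/tls/sd.crt          # placeholder path
  TLS Key = /etc/bacula/tls/sd.key                  # placeholder path
  TLS CA Certificate File = /etc/bacula/tls/ca.crt  # placeholder path
}

# bacula-fd.conf on the remote VPS: TLS is mandatory in both directions.
Director {                        # inbound Director -> FD
  Name = lan-dir                  # hypothetical
  Password = "CHANGE-ME"
  TLS Enable = yes
  TLS Require = yes               # refuse any non-TLS Director connection
  TLS Verify Peer = yes
  TLS Allowed CN = "director.example.org"
  TLS Certificate = /etc/bacula/tls/fd.crt
  TLS Key = /etc/bacula/tls/fd.key
  TLS CA Certificate File = /etc/bacula/tls/ca.crt
}
FileDaemon {                      # outbound FD -> SD
  Name = vps-fd                   # hypothetical
  TLS Enable = yes
  TLS Require = yes               # never fall back to a cleartext SD session
  TLS Certificate = /etc/bacula/tls/fd.crt
  TLS Key = /etc/bacula/tls/fd.key
  TLS CA Certificate File = /etc/bacula/tls/ca.crt
}

# bacula-dir.conf: only the Client resource for the VPS gets TLS.
Client {
  Name = vps-fd
  Address = vps.example.org       # hypothetical
  Password = "CHANGE-ME"
  # (Catalog and other directives omitted)
  TLS Enable = yes
  TLS Require = yes
  TLS Certificate = /etc/bacula/tls/dir.crt
  TLS Key = /etc/bacula/tls/dir.key
  TLS CA Certificate File = /etc/bacula/tls/ca.crt
}
```

Because the SD itself still accepts cleartext peers in this layout, protection of the Internet path rests entirely on the `TLS Require = yes` settings on the remote FD and in its Client resource; a firewall rule limiting which hosts can reach the SD port from outside the LAN is a sensible complement.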