Hi Derek,

Frankly, if you don't apply security for the redirector (which most places
do not) there is no reason to use TLS. If you do apply security, think
what harm might occur in a MIM attack or somebody snooping on the
connection. Likely, it's a very low risk. If you are comfortable with
that risk, then there is no reason to enable TLS for a redirector.
Otherwise, yes, you would use xroots but at the moment there is no
fallback, so if the redirector doesn't talk TLS you will fail, which,
frankly, in the https world is common practice. Please note that if the
redirector sends you off to a server that needs TLS then you will
automatically get TLS no matter what. Same for the redirector: if it
requires TLS you will get it. That allows you to keep the config file as
is and get TLS when it is required.

Andy


On Tue, 28 Apr 2020, Derek Weitzel wrote:

> Just some TLS deployment questions:
>
> - Do the redirectors also need to be TLS enabled?  I presume yes.  For caching, the pss.origin should list the redirector like?:
> pss.origin xroots://redirector.example.com
>
> - When the origin is a redirector, does the cache then connect to the data server with TLS?
>
> - Can the redirector run both non-TLS and TLS at the same time?  Is that on the same port?
>
> - Derek
>
> ########################################################################
> Use REPLY-ALL to reply to list
>
> To unsubscribe from the XROOTD-L list, click the following link:
> https://listserv.slac.stanford.edu/cgi-bin/wa?SUBED1=XROOTD-L&A=1
>
