paint-brush
SSL/TLS Offloading: Optimizing Security Infrastructureby@dga
130 reads

SSL/TLS Offloading: Optimizing Security Infrastructure

by DanielNovember 14th, 2023
Read on Terminal Reader
Read this story w/o Javascript
tldt arrow

Too Long; Didn't Read

TLS offloading is a technique where the task of handling encryption at the transport level is centralized to one point of your network (single, HA it does not matter) to releive the backend server from encryption tasks and set ups. This concept eases the set up for encryption at a transport layer because you just need to set it up in one single point instead in several ones.
featured image - SSL/TLS Offloading: Optimizing Security Infrastructure
Daniel HackerNoon profile picture

Motivation

When setting up a virtualized environment for a home lab, I encountered the following problems:


  • Certificate management is a pain and can become dirty in a matter of seconds.
  • I do not want to have client-server communication via unencrypted channels using HTTP.


Preparing your environment

Everything you can find under this post has been developed using the following tools:

  • Windows 11
  • Docker Desktop
  • PyCharm CE
  • Diagrams.net



Figure 1. Environment.


TLS offloading

TLS offloading is a technique where the task of handling encryption at the transport level is centralized to one point of your network (single, HA it does not matter) to relieve the backend server from encryption tasks and setups.


From my point of view, this concept eases the setup for encryption at the transport layer because you just need to set it up in one single point instead of several.



Figure 2. SSL/TLS offloading visual representation.



What TLS offloading provides to my scenario is that:

  • I just need to set up TLS for the proxy.
  • Only one server will expose the desired ports.


Implementation

I will be using docker-compose to build and create my docker images because I will have several services running and it eases my work.


Phase 1. Certificates

I want to use a valid certificate provided by a trusted CA so that I am not in charge of manually creating the certificates and later having to add the CA certificate to each device I work with.

The tool I chose to go with is certbot [1] and Let´s Encrypt [2]. I want a wildcard certificate because I will have several servers in the backend.


I learned that Google Domains [3] does not have an official plugin and certificate renewal was not as easy as it looked at first sight using certbot for wildcard certificates. Taking a look at Google's help I found a community plugin [4] that gives me what I need, a way to automatically renew wildcard certificates.


I just wanted the proxy to include the tasks for certificate renewal, so I ran a docker image (using Debian-slim) to install certbot with the community plugin and create my certificate.

It is important to include the dns_google_domains_credentials.ini file, populated, and under the directory mentioned in the official documentation.


docker run -v '<LOCAL_MOUNT>:/var/lib/letsencrypt' -v '<LOCAL_MOUNT>:/etc/letsencrypt' debian:stable-slimapt update
apt install python3 python3-venv libaugeas0 snapd -y
python3 -m venv /opt/certbot/
/opt/certbot/bin/pip install --upgrade pip
/opt/certbot/bin/pip install certbot certbot-nginx certbot-dns-google-domains
ln -s /opt/certbot/bin/certbot /usr/bin/certbot
certbot certonly \
--authenticator 'dns-google-domains' \
--dns-google-domains-credentials '/var/lib/letsencrypt/dns_google_domains_credentials.ini' \
--server 'https://acme-v02.api.letsencrypt.org/directory' \
--non-interactive \
--dns-google-domains-zone '<YOUR_DOMAIN>' \
-d '<YOUR_WILCARD_NAME' \
--agree-tos \
--email <YOUR_EMAIL>


Phase 2. Proxy

I wanted to combine nginx and certbot, so I created my own docker image that runs those two services.


You can find it here: https://hub.docker.com/r/ddeuterio/proxy_element0


Once I have my image and my certificates, I just need to create my compose.yml file, exposing the ports I want, and mounting the volumes for the certificates. I created my own nginx.conf file with the configuration I needed and mounted it with ro rights.


Figure 3. Implementation diagram.


You can see all examples and code under my repositories:

References

[1] https://certbot.eff.org/

[2] https://letsencrypt.org/

[3] https://domains.google/

[4] https://github.com/aaomidi/certbot-dns-google-domains


Also published here.