Allow to terminate TLS on backend/trusted server pool #274

Closed
ypid opened this issue Jul 12, 2016 · 2 comments

ypid commented Jul 12, 2016

Status: Pre research/idea

This is currently a research question for me. I had this idea for a while and want to keep track here.

Assumption

Hosted servers are not trustworthy. Location of trusted servers should not be easily accessible.

Idea

Allow setting up a webserver on an untrusted server (HTTP and HTTPS), and configure the webserver to redirect to HTTPS locally. Forward all traffic to a remote server (on semitrusted server(s)).

Possible technologies to implement this:

  • Nginx
  • OpenVPN
  • OpenSSH
  • Tinc
  • Tor
  • HAProxy
  • Ncat

Visibility to the user

To make the trust level visible to users, consider the following subdomains:

  • st.example.org: (TLS terminates on semitrusted servers), optionally semitrusted.example.org redirects to st.example.org.
  • ut.example.org: (TLS terminates on untrusted server), optionally untrusted.example.org redirects to ut.example.org.
  • www.example.org: (TLS terminates on untrusted server) could redirect to semitrusted server (if available, → "www.st.example.org") or the untrusted server as fall back (→ "www.ut.example.org").
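
A sketch of the front-end side of this idea, added here as an example and not part of the original issue or of any DebOps role: an Nginx `stream` block on the untrusted server routes by SNI, so `st.example.org` is passed through undecrypted to the semitrusted server while `ut.example.org` terminates locally. The tunnel address `10.8.0.2`, the local port `8443`, the document root and the certificate paths are assumptions.

```nginx
# Constructed nginx.conf for the untrusted front-end server.
# Requires the stream module with ssl_preread (nginx 1.11.5 or later).
events {}

stream {
    # Choose the upstream from the SNI name in the ClientHello.
    # Nothing is decrypted at this layer.
    map $ssl_preread_server_name $tls_target {
        st.example.org      semitrusted;   # TLS terminates on the semitrusted server
        www.st.example.org  semitrusted;
        default             local_https;   # ut.example.org etc. terminate here
    }

    upstream semitrusted {
        # Semitrusted server reached over a tunnel (e.g. OpenVPN or Tinc);
        # 10.8.0.2 is an assumed tunnel address, not taken from the issue.
        server 10.8.0.2:443;
    }

    upstream local_https {
        server 127.0.0.1:8443;
    }

    server {
        listen 443;
        ssl_preread on;            # read SNI only, pass the TLS stream through
        proxy_pass $tls_target;
    }
}

http {
    # Port 80 for every name is answered on this host, st.example.org
    # included, because DNS points all of them at the front end.
    server {
        listen 80;
        server_name st.example.org ut.example.org www.example.org;
        return 301 https://$host$request_uri;
    }

    # Names whose TLS terminates on the untrusted server.
    server {
        listen 127.0.0.1:8443 ssl;
        server_name ut.example.org www.ut.example.org;
        ssl_certificate     /etc/nginx/tls/ut.example.org.crt;   # placeholder path
        ssl_certificate_key /etc/nginx/tls/ut.example.org.key;   # placeholder path
        root /var/www/ut.example.org;                            # placeholder path
    }
}
```

The private key for `st.example.org` never has to exist on the front end in this layout, but the front end still owns port 80 and the public IP for that name, which is the property the Sep 25 comment in this thread identifies as the problem.
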

ypid commented Sep 25, 2016

This does not really work as I intended it. The problem is that the untrusted front end servers can perform an http-01 challenge against https://letsencrypt.org/ and thereby prove control over the domain and can then acquire valid certificates for the semitrusted domains. I thought it might be possible to block a domain somehow so that only the semitrusted server can act as such (without using a CA other than https://letsencrypt.org/ or having something like HPKP). Better alternatives:

  • Give up location anonymity for semitrusted servers and put them into DNS directly
  • Tor Hidden Services, example: https://onion.debian.org/

ypid closed this as completed Sep 25, 2016

ypid commented Nov 27, 2016

That is the solution I was looking for https://onion.debian.org/, including load balancing 😉

It might also be something for DebOps, tracked: debops/docs#248
