Two of the most important considerations for any website owner are security and speed. Historically, these goals have often been at odds. One of the most effective techniques for ensuring a consistent experience for end users is a caching layer. Varnish, the best-known HTTP cache, does not natively terminate SSL/TLS. Luckily, by combining Varnish with a reverse proxy like nginx, we can take advantage of… [read more →]
HAProxy is an extremely powerful free and open-source load balancing solution. With it, you can ensure high availability within your datacenter. Highly available systems are better for business continuity and better for security, as they can be patched with updates without taking the service down. A common pattern in the design of highly available systems is to use a pair of load balancers in… [read more →]
Transport Layer Security (TLS) provides the foundation for encryption in flight. The first version of TLS, 1.0, replaced Secure Sockets Layer (SSL) in 1999. The latest version, 1.3, was finalized as a proposed standard in RFC 8446 in August 2018. With it come enhancements in both speed and security. One of the biggest differences between TLS 1.2 and TLS 1.3 is that perfect forward secrecy… [read more →]
OCSP stapling is supported by all recent servers and clients. With just a few minutes of configuration, it spares every client a separate round trip to the CA's OCSP responder, which means faster TLS handshakes for your sites and services and no leaking to the CA of which sites your users visit. How it works: SSL/TLS certificates signed by a Certificate Authority such as GeoTrust or Comodo must have a programmatic revocation mechanism. Traditionally,… [read more →]
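The three posts above (TLS termination in front of Varnish, TLS 1.3, and OCSP stapling) come together in a single nginx server block. The configuration below is an added example and not code from any of those posts: it terminates TLS 1.2/1.3, staples OCSP responses, and proxies plain HTTP to Varnish. The hostname, certificate paths, the resolver address and the Varnish port (6081, Varnish's default) are assumptions for illustration.

```nginx
# Added example (not from the original posts): nginx terminating TLS in front of
# Varnish and stapling OCSP responses. Hostnames, paths, the resolver address and
# the Varnish port (6081, Varnish's default) are assumptions for illustration.

server {
    listen 80;
    server_name www.example.com;
    return 301 https://$host$request_uri;   # never serve the site in clear text
}

server {
    listen 443 ssl http2;
    server_name www.example.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;   # leaf certificate followed by intermediates
    ssl_certificate_key /etc/nginx/tls/privkey.pem;

    # TLS 1.2 and 1.3 only; 1.3 permits only ephemeral (forward-secret) key exchange.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;          # every 1.2 suite above is AEAD with ECDHE; let the client pick
    ssl_session_cache shared:TLS:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # OCSP stapling: nginx fetches the CA's OCSP response itself, caches it and
    # sends it inside the handshake, so clients skip their own OCSP lookup.
    ssl_stapling on;
    ssl_stapling_verify on;
    ssl_trusted_certificate /etc/nginx/tls/chain.pem;   # intermediates + root, used to verify the staple
    resolver 192.0.2.53 valid=300s;                     # assumed DNS server, needed to resolve the OCSP responder
    resolver_timeout 5s;

    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://127.0.0.1:6081;               # Varnish, plain HTTP on loopback only
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;       # lets Varnish and the backends know the client used TLS
    }
}
```

Verify the staple from another host with `openssl s_client -connect www.example.com:443 -status </dev/null` and look for "OCSP Response Status: successful". nginx fetches OCSP responses lazily, so the very first handshake after a restart may carry no staple; retry once before assuming the configuration is wrong. Because Varnish only ever sees plain HTTP, the application behind it must build its absolute URLs and secure cookies from the X-Forwarded-Proto header, and Varnish must be bound to loopback (or firewalled) so nothing can bypass the TLS front end.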
A CSR can be generated in a lot of different ways, but the Certificates MMC snap-in ships with every Microsoft Windows client and server, so nothing extra needs to be installed. It can be a little finicky at first, but once you understand the underpinnings of the utility, it is an excellent tool. Use these instructions to generate a Certificate Signing Request (CSR) in Microsoft Management Console (MMC).… [read more →]
GoDaddy likes to charge a premium price for SSL certificates, even after discounting them. The good news is that you don't have to pay their high price. You can purchase an SSL certificate at a much cheaper price and install it within minutes. This guide will go through the entire process to get you up and secure quickly. It can be used to install a lower-priced SSL certificate with the same security… [read more →]
SQL Server is a popular database platform for database-driven applications. It speaks T-SQL, Microsoft's proprietary dialect of SQL, and accepts remote connections to your structured data. Unfortunately, SQL Server's network traffic is not secured by default: unless Force Encryption is enabled, only the login packet is encrypted, and the queries and results exchanged with other machines over TCP port 1433 travel in clear text, so a sniffer like Wireshark could intercept t… [read more →]
An authenticated SSL/TLS reverse proxy is a powerful way to protect your application from attack. Both users and bad actors first connect to the proxy (which should live in your organization’s DMZ) and need to provide some form of authentication before the proxy even initiates a session with the backing application. This extra layer of defense can protect against buffer overflow attacks and z… [read more →]
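The authenticated reverse proxy described above, as an added example that is not code from the original post: nginx requires a client certificate issued by a private CA before it opens any connection to the application. Client-certificate authentication is one way to meet the "some form of authentication" requirement; the hostname, certificate and CRL paths, and the backend address are assumptions for illustration.

```nginx
# Added example (not from the original post): nginx as an authenticating reverse
# proxy in the DMZ. Clients must present a certificate chaining to our private CA
# before nginx proxies anything to the application. Hostnames, paths and the
# backend address are assumptions for illustration.

server {
    listen 443 ssl http2;
    server_name app.example.com;

    ssl_certificate     /etc/nginx/tls/fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Client-certificate authentication: only certificates issued by this CA pass.
    ssl_client_certificate /etc/nginx/tls/client-ca.pem;
    ssl_verify_client on;                   # "optional" would let unauthenticated requests reach the location blocks
    ssl_verify_depth 2;
    ssl_crl /etc/nginx/tls/client-ca.crl;   # revoked client certificates are rejected before any proxying

    location / {
        proxy_pass http://10.0.0.10:8080;   # the protected application, reachable only from this proxy
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;

        # Hand the verified identity to the application. With verify_client on,
        # $ssl_client_verify is always SUCCESS here; the DN identifies the user.
        proxy_set_header X-Client-Verify   $ssl_client_verify;
        proxy_set_header X-Client-DN       $ssl_client_s_dn;
    }
}
```

A client that presents no certificate, or one that does not chain to client-ca.pem, gets an HTTP 400 ("No required SSL certificate was sent") from nginx and the proxy never touches the backend, so an unauthenticated attacker cannot reach the application's request-handling code at all. The X-Client-* headers are only trustworthy if the application accepts connections from this proxy alone; firewall the backend so nothing else can reach port 8080, otherwise anyone who can connect directly can forge them.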
If you’re reading this article, you’re probably frustrated by the lack of relevant information about Squid, a very popular forward proxy. Some of these frustrations involve major usability changes occurring after minor software revisions, misconceptions about what’s actually happening behind-the-scenes, and genuinely poor documentation. This aims to be a comprehensive primer which will get you up an… [read more →]
Usually when we think about SSL/TLS and certificates, the first thing that comes to mind is the certificate used by a web server, and this makes sense because it is by far the most common use for them. However, the X.509 certificate specification has a lot of other uses as well. To recap, a certificate wraps the public key of a public/private keypair (usually generated with RSA or ECDSA) together with identity information, all signed by an issuer. A c… [read more →]