A couple more tips today – reverse proxy and consistent device naming.
Got a web service that doesn’t have SSL support? Sadly, they’re more common than they should be. The solution is simple though: put a reverse proxy in front of it.
Deploy haproxy (ghostunnel is another option) on the same node, configure it to bind on a port and present your certificate, then set your unsecured service as the only backend. Firewall off the service’s unsecured port from outside access – better yet, if you can, configure the unsecured service to bind to localhost only.
Just like that you’ve got a TLS secured endpoint. Your reverse proxy terminates the TLS connection and proxies the request to the unsecured service. Since that proxied hop stays on the local system, cleartext data is never exposed on your network. Good use cases for this include the Prometheus Node Exporter, which currently doesn’t support listening on TLS (bug here).
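An added example of the setup described above (not from the original post): an haproxy configuration that terminates TLS on port 9101 and forwards to a Node Exporter bound to loopback. It assumes node_exporter is started with `--web.listen-address=127.0.0.1:9100` and that the key and certificate chain are concatenated at /etc/haproxy/certs/node.pem; both the port and the path are assumptions.

```haproxy
# Added example: haproxy terminating TLS in front of a cleartext-only
# Prometheus Node Exporter on the same host.
# Assumptions: node_exporter listens on 127.0.0.1:9100 (started with
#   --web.listen-address=127.0.0.1:9100), the private key plus the
# certificate chain are concatenated in /etc/haproxy/certs/node.pem,
# and TLS is offered on port 9101.

global
    log /dev/log local0
    # Refuse legacy protocol versions on every TLS-enabled bind line.
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    mode    http
    log     global
    option  httplog
    timeout connect 5s
    timeout client  30s
    timeout server  30s

frontend node_exporter_tls
    # haproxy reads key and certificate chain from one PEM file;
    # keep it mode 0600 and owned by root.
    bind *:9101 ssl crt /etc/haproxy/certs/node.pem
    # Only the scrape path is forwarded; everything else gets a 404.
    http-request deny deny_status 404 unless { path /metrics }
    default_backend node_exporter

backend node_exporter
    # Cleartext hop, but it never leaves the loopback interface.
    server local 127.0.0.1:9100 check
```

Verify with `openssl s_client -connect <host>:9101` that the expected certificate is presented, and with `ss -ltnp` that port 9100 is bound only to 127.0.0.1.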
When is /dev/sda not /dev/sda?
Answer: when the kernel probes disks in a different order on the next boot and names them differently. You can’t rely on the default device naming to be consistent across reboots.
Here’s an example: I recently deployed a storage cluster with storage nodes of identical design across the fleet. My OS root disks were probed as different /dev/sdX devices on each node. I couldn’t rely on those /dev/sdX devices in my kickstarts, so I needed something more reliable.
The udev system helps you with this by creating a number of useful, reliable symlinks. These symlinks are created under /dev/disk/*. /dev/disk/by-path is a helpful one – it gives you a consistent symlink based on the device’s PCI path. /dev/disk/by-id uses the unique ID of the drive.
Use the reliable symlinks where you can – it’ll save you grief in the long run.