Closed cfgamboa closed 6 months ago
From doc (https://www.dcache.org/manuals/Book-9.2/config-xrootd.shtml#proxying-transfers-through-the-door):
If the door uses proxying, then when an open request arrives, a proxy instance will be launched on a new port and the client redirected to it as if it were the pool endpoint. The proxy serves as both façade and client to the pool by intercepting requests from the initiating client and passing them on to the pool transfer service, and similarly relaying responses from the pool back to the client. The connections between client and proxy on the one hand and proxy and pool on the other are independently established (this is necessary to support TLS, should that be requested or required), but after login is complete, all subsequent requests and replies are passed through the proxy without further interpretation.
My understanding of this is the following: if TLS is enabled, it is TLS all the way through, and there is no way to turn it off for door/pool communication.
What is your concern? Why do you want this disabled?
An optional configuration setting might reduce resource usage (i.e. CPU) if the pool and door are located in the same LAN. I am just trying to understand if this can be done; we have it enabled for WebDAV.
might or you are actually impacted?
xroots was not enabled due to the issue reported in [www.dcache.org #10562].
So, since RT issue #10562 is closed, this is not the issue here as well?
The question here is different. And you have answered it before: currently the only encryption workflow supported is enforcing the encryption all the way, client -> xrootd door -> pool.
This ticket can be closed.
Carlos
Dear all,
Currently, WebDAV doors are implemented with a configuration flag property to enforce encryption between the door and the pool for read and write transfers. The encryption is done between the client and the door, but it is optional for the door and the pool when the WebDAV door is enabled in proxy mode.
I do not think this property or flag is implemented for the XRootD door.
Could you please advise?
All the best, Carlos