Hi. I'm running my master and one slave at one VM provider, and have a slave at a different VM provider (e.g. DigitalOcean and Azure). While this is not likely a common scenario, I'd like to ensure that communication between the two servers is encrypted. Who is communicating with whom, and what service/protocol/port? Thanks, Chris
Most likely it is not. ISPConfig slaves connect to the master via mysql, and mysql is not encrypted by default (possibly depending on the config your OS uses, but certainly under Debian it's all plain text, though the mysql account password itself is sent encrypted). If you have any other services that talk between the master and slave you'd have to examine their config separately. E.g., say you had postfix/mail running on both: if you have a certificate set up on both sides, then likely mail in both directions will be sent over a TLS connection (your log entries will indicate that). DNS between the two is probably unencrypted. SSH will be encrypted. FTP may or may not be; it depends on whether you have a certificate set up and what the ftp client supports. There's probably not much http/imap/pop traffic across servers like that, though it is possible.
On a semi-related note, I plan to post a mini-howto on using a letsencrypt certificate for mysql - but I'm still letting letsencrypt 'settle in', making sure all certificate rotation happens correctly and services are restarted correctly, which is still a work in progress, though there has been some good discussion lately, and changes in the ISPConfig code that sound promising.
As Jesse explained, the connection that ISPConfig makes is a standard MySQL connect from slave to master. One way to secure it might be to build a VPN between the nodes and let MySQL connect through the private network.
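To confirm on the wire whether a slave's MySQL session to the master is encrypted, the following added example (not part of the thread and not ISPConfig code) classifies the first packet a MySQL client sends after the server greeting, for instance one taken from a packet capture on port 3306. An SSLRequest means the session upgrades to TLS; a full handshake response means the session continues in plain text. The sample packets and the account name `slave_user` are constructed for illustration.

```python
import struct

# Capability flag bits from the MySQL client/server protocol.
CLIENT_PROTOCOL_41 = 0x0200
CLIENT_SSL = 0x0800


def classify_client_packet(data: bytes) -> dict:
    """Classify the first client packet that follows the server greeting.

    Returns {"mode": "tls" | "plaintext", "username": str | None}.
    """
    if len(data) < 4:
        raise ValueError("truncated packet header")
    length = int.from_bytes(data[0:3], "little")  # 3-byte payload length
    seq = data[3]                                 # sequence id, 1 for this packet
    payload = data[4:4 + length]
    if seq != 1 or len(payload) < length or length < 32:
        raise ValueError("not a protocol 4.1 client handshake packet")
    caps, _max_packet, _charset = struct.unpack_from("<IIB", payload, 0)
    if not caps & CLIENT_PROTOCOL_41:
        raise ValueError("pre-4.1 handshake not handled")
    # An SSLRequest is exactly the 32-byte fixed header with CLIENT_SSL set;
    # the TLS handshake follows and the login travels inside it.
    if caps & CLIENT_SSL and length == 32:
        return {"mode": "tls", "username": None}
    # Otherwise this is a full HandshakeResponse41 in the clear: the
    # NUL-terminated account name starts right after the fixed header.
    end = payload.index(b"\x00", 32)
    return {"mode": "plaintext",
            "username": payload[32:end].decode("utf-8", "replace")}


def _packet(payload: bytes, seq: int = 1) -> bytes:
    return len(payload).to_bytes(3, "little") + bytes([seq]) + payload


def _fixed_header(caps: int) -> bytes:
    # capabilities, max packet size, charset id, 23 reserved zero bytes
    return struct.pack("<IIB", caps, 1 << 24, 33) + b"\x00" * 23


# Constructed sample packets (not captured from a real server);
# "slave_user" is a hypothetical account name.
SAMPLE_TLS = _packet(_fixed_header(CLIENT_PROTOCOL_41 | CLIENT_SSL))
SAMPLE_PLAIN = _packet(_fixed_header(CLIENT_PROTOCOL_41)
                       + b"slave_user\x00" + b"\x14" + b"\xaa" * 20)

if __name__ == "__main__":
    for name, pkt in (("tls", SAMPLE_TLS), ("plain", SAMPLE_PLAIN)):
        print(name, classify_client_packet(pkt))
```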
Thanks for the replies. I found this in the 3.2 roadmap: https://git.ispconfig.org/ispconfig/ispconfig3/issues/2130 In it, Till, you mention implementing a secure API for inter-server communication that will eliminate the insecure MySQL connections. Is this really on the roadmap for 3.2, which is slated for April 2017?
I'm not sure if we will be able to have it for 3.2, might be that this feature has to be moved to 3.3 in October.
Hi, the roadmap says that version 3.2 is to be released in April. Are there any problems, or is version 3.2 not released?
There are no problems, it is just not finished yet. We'll announce releases on our blog, on twitter and facebook, so you can see there when it is released.