[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: forcing encryption for external server access while allowing unencrypted localhost connections

> I want to be able to specify which listeners require encryption.

If you're willing to concede that will never appear outside of
your loopback interface, you can synthesize this by checking peer IPs.

# is allowed, regardless of ssf. world at large needs ssf check
access to dn.<dnstyle1>=<what1>
        by peername.ip= <access1>
        by * none break
# We're not coming via loopback; ssf must be checked.
access to dn.<dnstyle1>=<what1>
        by ssf=128 <access2>
        by * none