
Re: forcing encryption for external server access while allowing unencrypted localhost connections



> I want to be able to specify which listeners require encryption.

If you're willing to concede that 127.0.0.0/8 will never appear outside of
your loopback interface, you can synthesize this by checking peer IPs.

# 127.0.0.1 is allowed, regardless of ssf. The world at large needs an ssf check.
# "break" on the catch-all clause means evaluation continues with the next
# "access to" directive instead of stopping at "none".
access to dn.<dnstyle1>=<what1>
        by peername.ip=127.0.0.1 <access1>
        by * none break
# We're not coming via loopback; ssf must be checked.
# Without "break", this clause is terminal: below 128 bits of ssf, access is denied.
access to dn.<dnstyle1>=<what1>
        by ssf=128 <access2>
        by * none
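A concrete version of the two-directive pattern, added here as an example rather than taken from the post above. The suffix dc=example,dc=com, the ldapi socket path /var/run/slapd/ldapi and the choice of "read" as the granted access level are assumptions for illustration; the peername.ip, peername.ipv6, peername.path and ssf clause forms are documented in slapd.access(5).

```conf
# Added example, not from the original post. Suffix, socket path and
# access level are hypothetical; adjust to your own slapd.conf.

# Loopback clients get read access with no encryption requirement.
# Match the whole 127.0.0.0/8 range with a mask, the IPv6 loopback
# address separately, and the local ldapi:/// socket by its path.
access to dn.subtree="dc=example,dc=com"
        by peername.ip="127.0.0.1%255.0.0.0" read
        by peername.ipv6="::1" read
        by peername.path="/var/run/slapd/ldapi" read
        by * none break

# Everyone else must have negotiated at least 128 bits of security
# strength (TLS or a SASL confidentiality layer); otherwise the subtree
# is invisible. "break" above is what lets these clients reach this rule;
# a plain "by * none" on the first directive would deny them outright.
access to dn.subtree="dc=example,dc=com"
        by ssf=128 read
        by * none
```

Two things to check before relying on this. slapd evaluates "access to" directives in order and uses the first whose target matches, so this pair must appear before any broader directive such as "access to *" for the same entries. And peername is the transport-level peer: if a proxy or load balancer terminates the client connection on the same host, every client arrives from loopback and the ssf requirement is bypassed for all of them.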