I'm having a devil of a time understanding how exactly rsync-ssl works operationally (with an example on the server side). How is the server side SSL set up? How is authentication happening? Is it just based on the certificate? Edit: I found this https://web.archive.org/web/20190410083254/http://dozzie.jarowit.net/trac/wiki/RsyncSSL (Wayne, you should include something like this on your man page).
The wording is a bit confusing above. Seems like it was hastily written. Not really complaining, smart people have stuff in their mind appearing faster than they can write on occasion ;)

I'm on a systemd enabled Debian server, seems like the suggestion is to run stunnel (in my case under systemd), telling stunnel to spawn rsync on startup as opposed to having two daemons running under systemd (stunnel and rsync separately)? Is this what is being suggested? Certainly seems efficient, though I've never spawned a process off of another with systemd. I don't think if you shut down stunnel via systemctl that it would kill the spawned rsync (or would it? how if so?).

I can only use what comes with MacOS on the client side (security will not allow SSH outbound) and it comes with rsync and libressl but no stunnel (Apple soft-links openssl to libressl). I'm allowed to copy the rsync-ssl script over to my Mac and use that if I can get it working. I'm hoping that Apple's use of libressl as opposed to openssl does not break my plans.

Apologies if my mind is being dense. Evidently nobody uses rsync-ssl or they do and nobody posts examples on their setup on the internet because I'm the only one who can't seem to grok it. Thanks ahead of time for any assistance!
Replies: 1 comment 1 reply
See https://download.samba.org/pub/rsync/rsyncd.conf.5#SSL_TLS_Daemon_Setup for 2 example setups. They are both proxy setups, and expect that you use the Proxy Protocol standard that haproxy invented and nginx supports (which ensures that rsync gets the real IP info from the proxy side of the connection). If you do any IP-based rsync authentication, be sure that you limit access to rsync's non-tls port, as you don't want someone connecting to the backend port and pretending to be a proxy. If you don't have haproxy or nginx installed, I suggest going with haproxy as it is super small and super simple -- it just proxies things, and does it well.

A forking approach is also possible, but is not documented.
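Why the backend port has to be restricted, as an added Python example that is not part of the thread and is not rsync's or haproxy's code: a PROXY protocol v1 header is one line of text sent at the start of the connection, so the address in it is only as trustworthy as the peer that sent it. `TRUSTED_PROXIES`, both function names and the sample header are assumptions made for the illustration.

```python
import ipaddress

# Assumption for this example: the TLS proxy runs on the same host as the daemon.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32"),
                   ipaddress.ip_network("::1/128")]

def parse_proxy_v1(header: bytes):
    """Return (source_ip, source_port) claimed by a v1 header, or None for UNKNOWN."""
    # The v1 header is one ASCII line of at most 107 bytes ending in CRLF.
    if len(header) > 107 or not header.endswith(b"\r\n"):
        raise ValueError("not a complete PROXY v1 header")
    fields = header[:-2].decode("ascii").split(" ")
    if fields[0] != "PROXY" or len(fields) < 2:
        raise ValueError("missing PROXY signature")
    if fields[1] == "UNKNOWN":
        return None
    if fields[1] not in ("TCP4", "TCP6") or len(fields) != 6:
        raise ValueError("malformed PROXY v1 header")
    src = ipaddress.ip_address(fields[2])
    dst = ipaddress.ip_address(fields[3])
    want = 4 if fields[1] == "TCP4" else 6
    if src.version != want or dst.version != want:
        raise ValueError("address family does not match protocol field")
    ports = [int(fields[4]), int(fields[5])]
    if not all(0 <= p <= 65535 for p in ports):
        raise ValueError("port out of range")
    return src, ports[0]

def effective_client(peer_ip: str, header: bytes):
    """Address that IP-based access rules should be evaluated against."""
    peer = ipaddress.ip_address(peer_ip)
    # The header is client-supplied text, so honour it only from a known proxy.
    if not any(peer in net for net in TRUSTED_PROXIES):
        raise PermissionError(f"{peer} is not a trusted proxy")
    claimed = parse_proxy_v1(header)
    return claimed[0] if claimed else peer

if __name__ == "__main__":
    # Constructed sample header (documentation address ranges).
    hdr = b"PROXY TCP4 203.0.113.7 192.0.2.10 51514 873\r\n"
    print(effective_client("127.0.0.1", hdr))       # connection from the local proxy
    try:
        effective_client("198.51.100.9", hdr)       # same header, direct connection
    except PermissionError as exc:
        print("rejected:", exc)
```

A daemon that accepts the header from any peer has no such check of its own, which is why the answer tells you to limit who can reach the non-TLS port.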