Date: Thu, 11 Aug 2011 14:54:25 -0700
Subject: Client traffic encryption best practices....
From: Chris Marino
To: user@cassandra.apache.org

Hello, is there any consensus on how to secure client/cluster communications???

I'm running an 8 node cluster across EC2 regions. I'm running inter-node encryption and I want to encrypt the traffic from the clients as well.

My options seem to be:

Have the client connect to only one node and encrypt that one connection with OpenVPN/stunnel (or something similar). Or, set up an encrypted tunnel from the client to each node. Is there a client library that could take care of this for me??

Setting up tunnels to each node is a major pain, but pointing the client to only one node is going to kill my performance. I'm running 4 nodes in each EC2 region with one client in each. Maybe I could connect the client only to the local nodes, which should simplify things a bit, but I was wondering if anyone had any experience with this or could suggest something that might be better.

Please let me know.
Thanks.
CM