When setting up an rsync daemon for access via SSL/TLS, you will
need to configure a proxy (such as haproxy or nginx) as the
front-end that handles the encryption.
 o  You should limit access to the backend rsyncd port so that only the
    proxy can connect. If rsyncd is on the same host as the proxy, then
    configuring it to only listen on localhost is a good idea.
 o  You should consider turning on the proxy protocol parameter if your
    proxy supports sending that information. The examples below assume
    that this is enabled.
An example haproxy setup is as follows:

    frontend fe_rsync-ssl
        bind :::874 ssl crt /etc/letsencrypt/example.com/combined.pem
        mode tcp
        use_backend be_rsync

    backend be_rsync
        mode tcp
        server local-rsync 127.0.0.1:873 check send-proxy
An example nginx proxy setup is as follows:

    stream {
        server {
            listen 874 ssl;
            listen [::]:874 ssl;

            ssl_certificate /etc/letsencrypt/example.com/fullchain.pem;
            ssl_certificate_key /etc/letsencrypt/example.com/privkey.pem;

            proxy_pass localhost:873;
            proxy_protocol on;      # Requires "proxy protocol = true"
            proxy_timeout 1m;
            proxy_connect_timeout 5s;
        }
    }
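The "send-proxy" (haproxy) and "proxy_protocol on" (nginx) options above prepend a PROXY protocol v1 header to the TCP stream, which is what "proxy protocol = true" tells rsyncd to consume before the normal rsync greeting. The following added example (not part of the rsync documentation or its source) builds and strictly validates such a header, using constructed addresses, so you can see exactly what the proxy sends and why a front-end that omits it, or an rsyncd that does not expect it, cannot interoperate.

```python
# Added example (not rsync's own code): build and validate the PROXY
# protocol v1 header that sits in front of the rsync greeting when the
# proxy is configured with send-proxy / proxy_protocol on.
import ipaddress
import re

MAX_V1_HEADER = 107  # spec maximum for a v1 header including the CRLF
_V1_RE = re.compile(r"^PROXY (TCP4|TCP6) (\S+) (\S+) (\d+) (\d+)\r\n$")


def build_proxy_v1_header(src, dst, sport, dport):
    """Return the header bytes the proxy emits before the client's data."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != dst_ip.version:
        raise ValueError("source and destination address families differ")
    fam = "TCP4" if src_ip.version == 4 else "TCP6"
    return f"PROXY {fam} {src_ip} {dst_ip} {sport} {dport}\r\n".encode("ascii")


def parse_proxy_v1_header(data):
    """Validate a v1 header; return (family, src, dst, sport, dport).

    Raises ValueError for anything that is not a well-formed v1 TCP header,
    e.g. a plain "@RSYNCD:" greeting from a front-end without send-proxy.
    """
    nl = data.find(b"\r\n")
    if nl < 0 or nl + 2 > MAX_V1_HEADER:
        raise ValueError("no CRLF within the allowed header length")
    header = data[: nl + 2].decode("ascii")  # non-ASCII -> ValueError
    m = _V1_RE.match(header)
    if not m:
        raise ValueError("not a PROXY v1 TCP header: %r" % header)
    fam, src, dst, sport, dport = m.groups()
    version = 4 if fam == "TCP4" else 6
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if src_ip.version != version or dst_ip.version != version:
        raise ValueError("address family does not match %s" % fam)
    sport, dport = int(sport), int(dport)
    if not (0 <= sport <= 65535 and 0 <= dport <= 65535):
        raise ValueError("port out of range")
    return fam, str(src_ip), str(dst_ip), sport, dport


def split_header(data):
    """Return (parsed header, remaining payload) for an incoming stream."""
    parsed = parse_proxy_v1_header(data)
    return parsed, data[data.index(b"\r\n") + 2:]
```

The source address in the header is the real client address the proxy saw, which is what rsyncd then uses for logging and host-based access decisions instead of the proxy's own 127.0.0.1.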