Last active
May 27, 2019 06:39
Dynomite NGINX SSL/TLS Termination
what ?
- As we know, Dynomite doesn't support any kind of authentication, so to keep security teams happy we need to cover this somehow.
One possibility is SSL termination: our Redis client (Jedis for Java) will not talk to Dynomite directly but will connect to NGINX,
NGINX will check the client's certificate and, if the cert is valid, the connection will be forwarded to Dynomite.
technically how ?
- In a normal setup each instance needs Dynomite and Redis; in the secure setup you will additionally need NGINX,
and its port will be the only open one.
With this sample configuration, client and server need to trust each other (mutual TLS: both sides present a certificate).
1. Generate keys and certs
- generate all keys according to this tutorial:
-- http://nategood.com/client-side-certificate-authentication-in-ngi
2. Setup NGINX
- install nginx
{
- you need stream SSL/TLS support in NGINX (ngx_stream_ssl_module)
-- on OSX this should work : brew install nginx-full --with-stream
}
- start redis
- configure your NGINX as follows :
- don't forget to include error_log - YOU WILL LOVE THAT !
------------------------------------------- config.file
# debug level shows every handshake, including why a client certificate was rejected
error_log /XXXXX/logs.log debug;
stream {
    # backend the TLS-terminated connection is forwarded to; the gist tests
    # against Redis directly, in a real deployment point this at Dynomite's client port
    upstream redis {
        server localhost:6379;
    }
    server {
        # the only port that has to be reachable from clients
        listen 8080 ssl;
        proxy_pass redis;
        # certificate NGINX presents to the client (the client must trust it)
        ssl_certificate /XXXXX/server.crt;
        ssl_certificate_key /XXXXX/server.key;
        # CA used to validate client certificates; with ssl_verify_client on,
        # a connection without a valid client certificate is dropped
        ssl_client_certificate /XXXXX/ca.crt;
        ssl_verify_client on;
    }
}
-------------------------------------------
3. Client (Java here) side
For the Java client we need:
- a PKCS12 with both the private key and the cert included (with only the client certificate imported, with no key,
the client will log "Warning: no suitable certificate found - continuing without client authentication" and will not be able to authenticate to NGINX,
and because of that NGINX will reject us)
- the server cert in the JKS store as well (we need to trust NGINX)
For how to configure the Dyno client, please refer to the test cases from https://github.com/Netflix/dyno/pull/184
openssl pkcs12 -export -out client.p12 -inkey client.key -in client.crt -certfile ca.crt
keytool -importkeystore -srckeystore client.p12 -srcstoretype pkcs12 -destkeystore client.jks -deststoretype JKS
keytool -importcert -file server.crt -keystore client.jks -alias "somealiast"
now, using client.jks you can connect to NGINX with a properly configured Java truststore and keystore.
for how to load it in Java, look at my sample project https://github.com/KowalczykBartek/netty-securechat
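The whole procedure from step 1 to step 3 as one script, added here as an example (it is not the gist's own code and not from the linked tutorial). It builds a throw-away CA, signs a server cert for NGINX and a client cert, checks that both chain to the CA (the same check ssl_verify_client performs), packages the client key pair as PKCS12 and, when a JDK's keytool is on the PATH, converts it to the JKS described above and adds the server cert to it. The ./mtls-demo output directory, the subject names, the nginx-server alias and the "changeit" password are assumptions for the demo; check_nginx is a manual smoke test to run once NGINX is up with the step 2 config.

```shell
#!/bin/sh
# Added example, not part of the gist: end-to-end key generation (step 1) and
# client store packaging (step 3). Names, paths and the password are assumptions.
set -eu

OUT="${OUT:-./mtls-demo}"   # output directory (assumption)
PASS="${PASS:-changeit}"    # PKCS12/JKS password for the demo (assumption)

gen_pki() {
    mkdir -p "$OUT"
    # CA trusted by both sides: NGINX uses it as ssl_client_certificate,
    # the Java client imports it into its truststore.
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-dynomite-ca" \
        -keyout "$OUT/ca.key" -out "$OUT/ca.crt" 2>/dev/null
    # Server cert presented by NGINX (ssl_certificate / ssl_certificate_key).
    # A SAN is added so clients that verify hostnames accept it for localhost.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=localhost" \
        -keyout "$OUT/server.key" -out "$OUT/server.csr" 2>/dev/null
    printf 'subjectAltName=DNS:localhost\nextendedKeyUsage=serverAuth\n' > "$OUT/server.ext"
    openssl x509 -req -days 1 -in "$OUT/server.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
        -CAcreateserial -extfile "$OUT/server.ext" -out "$OUT/server.crt" 2>/dev/null
    # Client cert checked by ssl_verify_client on; restricted to clientAuth so
    # a leaked client cert cannot be reused as a server cert.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=jedis-client" \
        -keyout "$OUT/client.key" -out "$OUT/client.csr" 2>/dev/null
    printf 'extendedKeyUsage=clientAuth\n' > "$OUT/client.ext"
    openssl x509 -req -days 1 -in "$OUT/client.csr" -CA "$OUT/ca.crt" -CAkey "$OUT/ca.key" \
        -CAcreateserial -extfile "$OUT/client.ext" -out "$OUT/client.crt" 2>/dev/null
}

verify_chain() {
    # Same check NGINX performs on the client cert: does it chain to ca.crt?
    openssl verify -CAfile "$OUT/ca.crt" "$OUT/server.crt" >/dev/null 2>&1 &&
        openssl verify -CAfile "$OUT/ca.crt" "$OUT/client.crt" >/dev/null 2>&1
}

build_client_stores() {
    # The PKCS12 must carry the private key; a cert-only store makes Java log
    # "no suitable certificate found" and NGINX then rejects the handshake.
    openssl pkcs12 -export -out "$OUT/client.p12" -inkey "$OUT/client.key" \
        -in "$OUT/client.crt" -certfile "$OUT/ca.crt" -passout "pass:$PASS"
    # keytool ships with a JDK: convert to JKS and add the server cert so the
    # client also trusts NGINX. Skipped when no JDK is installed.
    if command -v keytool >/dev/null 2>&1; then
        keytool -importkeystore -noprompt -srckeystore "$OUT/client.p12" -srcstoretype pkcs12 \
            -srcstorepass "$PASS" -destkeystore "$OUT/client.jks" -deststoretype JKS \
            -deststorepass "$PASS" 2>/dev/null
        keytool -importcert -noprompt -file "$OUT/server.crt" -keystore "$OUT/client.jks" \
            -storepass "$PASS" -alias nginx-server 2>/dev/null
    fi
}

p12_has_key() {
    # Succeeds only if the PKCS12 contains a private key (what the client needs).
    openssl pkcs12 -in "$OUT/client.p12" -nocerts -nodes -passin "pass:$PASS" 2>/dev/null |
        grep -q 'PRIVATE KEY'
}

check_nginx() {
    # Manual smoke test against NGINX running the step 2 config: with the client
    # cert, Redis answers +PONG through the tunnel; without -cert/-key the
    # handshake fails and error_log shows the rejected client certificate.
    (printf 'PING\r\n'; sleep 1) | openssl s_client -quiet -no_ign_eof \
        -connect "${1:-localhost}:${2:-8080}" -CAfile "$OUT/ca.crt" \
        -cert "$OUT/client.crt" -key "$OUT/client.key" 2>/dev/null
}

gen_pki
verify_chain || { echo "chain check failed"; exit 1; }
build_client_stores
p12_has_key || { echo "client.p12 has no private key"; exit 1; }
echo "PKI and client stores written to $OUT"
```

Run it once, point the three ssl_* directives in the NGINX config at $OUT/server.crt, $OUT/server.key and $OUT/ca.crt, then call check_nginx; a Java client loading $OUT/client.jks as both keystore and truststore with the same password is then able to complete the handshake, while any client without a key signed by ca.crt is refused.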
4. links
https://pubs.vmware.com/view-51/index.jsp?topic=%2Fcom.vmware.view.certificates.doc%2FGUID-17AD1631-E6D6-4853-8D9B-8E481BE2CC68.html
http://www.webfarmr.eu/2010/04/import-pkcs12-private-keys-into-jks-keystores-using-java-keytool/
http://nategood.com/client-side-certificate-authentication-in-ngi