INF-13413
Extended to support mTLS for connection between a reverse proxy and Athens
Enabled by adding TLSCACERTFILE to the configuration file.
What is the problem I am trying to address?
Enabling mTLS to harden network connectivity between a reverse proxy, e.g. nginx, and Athens.
How is the fix applied?
Code has been extended adding a configuration option TLSCACERTFILE. If present, the http server will be configured to require the certificate from the reverse proxy on connection request.
What GitHub issue(s) does this PR fix or close?
N/A
hey @nickhyoti - I took a glance at this and it looks reasonable. do you have a use case for it in your environment where you run Athens though?
We have put this forward as we want to
- Reduce the attack surface of the service. By mandating a connection through nginx reverse proxy (our test config), connections to Athens are restricted.
- Ensure connectivity is encrypted within the interconnecting components
- Eliminate the risk of incorrect interconnection of components
To support demonstration/testing, I have created a directory mtls which contains a docker-compose override to create an nginx container dependent on the Athens dev container and also some test certificate directories. The frontend directory certificates are deployed on the reverse proxy, the backend ones are used by the proxied connection to Athens. Configuration files are provided to support this in the nginx/conf.d directory.
To enable and test, run docker-compose -f docker-compose.yml -f mtls/mtls.yaml up --build
docker ps will show that the athens_dev_1 and nginx_1 containers are running, listening on ports 80 & 443 for nginx, and port 3000 for Athens.
Testing connections using curl to port 3000 on Athens will return:
curl: (56) OpenSSL SSL_read: error:14094412:SSL routines:ssl3_read_bytes:sslv3 alert bad certificate, errno 0
To connect:
curl -k --cert web.cert.pem --key web.key.pem https://localhost:3000
Note that the certificates provided are only for demonstration purposes.
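As an added illustration of the server-side behaviour the PR description and the testing notes above refer to (not code from this PR or from Athens): with a CA bundle present, the Go TLS config requires and verifies the reverse proxy's client certificate, which is what turns an unauthenticated curl into the "bad certificate" alert shown above. Function names and the throwaway CA are assumptions for this example; Athens would read the bundle from the TLSCACERTFILE path.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)
// tlsConfigFromCAPEM builds the server TLS config the PR describes: with a CA
// bundle configured, every client (the reverse proxy) must present a cert
// chaining to it. Assumed name; Athens would read the bytes from TLSCACERTFILE.
func tlsConfigFromCAPEM(caPEM []byte) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if len(caPEM) == 0 {
		return cfg, nil // option absent: ordinary TLS, no client authentication
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("CA file contains no PEM certificates")
	}
	cfg.ClientCAs = pool
	// Abort the handshake unless the peer's cert chains to a pool CA (plain curl sees the "bad certificate" alert).
	cfg.ClientAuth = tls.RequireAndVerifyClientCert
	return cfg, nil
}

// newTestCA creates a throwaway self-signed CA (constructed sample input) so
// the example runs offline, standing in for the PR's demo certificates.
func newTestCA() ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "constructed-test-ca"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil { return nil, err }
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}
```

Pass the returned config to http.Server's TLSConfig field; a proxy whose certificate is not signed by a CA in the bundle is rejected at the handshake, before any request reaches Athens.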
Hi,
Is there any feedback on this?
Thanks