sozu
Add protocol info to backends
Right now, connections to backends are done in plain TCP. We should support connecting to backends in TLS.
Issues that can appear:
- certificate validation: do we use a certificate store? Do we pin a public key for the backend? (probably have to support both)
- for HTTP/2, we might need to connect to backends in TLS (if we do end-to-end HTTP/2, #99)
- do we force TLS only connection to a backend?
- do we support connecting to a backend listening on a unix socket? (#152)
HTTP/2 might need more info, like "this backend server can use TLS but does not support HTTP/2".
It might be useful to pass this info in configuration at the app level, not at the backend level, to make sure all backends behave in the same way. But that could mean we have an application with plaintext HTTP on the frontend, and HTTPS on the backend?
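The protocol information and the checks listed above, as an added example in Rust (this is not sozu's own code; the type names, the app-level default that backends inherit, the `h2` flag and the sample configuration are assumptions made for illustration). It covers the certificate-store versus pinned-public-key choice (both, as the issue suggests), forced TLS, unix-socket backends (#152), the "TLS but no HTTP/2" case, and the plaintext-frontend-with-TLS-backend situation, which it reports as a warning rather than an error:

```rust
// Added example, not sozu's own code. Names, fields and sample data are
// constructed to illustrate the design questions in the issue.
use std::mem::{discriminant, Discriminant};

#[derive(Clone, Debug, PartialEq)]
pub enum Verify {
    /// Validate the chain against a certificate store (path is hypothetical).
    Store { ca_bundle: String },
    /// Pin the backend's public key: SHA-256 of its SubjectPublicKeyInfo.
    PinnedSpki([u8; 32]),
    /// Chain must validate AND the leaf key must match the pin.
    StoreAndPin { ca_bundle: String, pin: [u8; 32] },
}

#[derive(Clone, Debug, PartialEq)]
pub enum BackendProtocol {
    /// Plain TCP to host:port (what sozu does today).
    Tcp,
    /// TLS to host:port; `h2` says whether the backend speaks HTTP/2 (ALPN "h2").
    Tls { verify: Verify, h2: bool },
    /// Local unix socket (#152).
    Unix { path: String },
}

#[derive(Clone, Debug)]
pub struct Backend {
    pub address: String,
    /// None means "inherit the application's default".
    pub protocol: Option<BackendProtocol>,
}

#[derive(Clone, Debug)]
pub struct Application {
    pub app_id: String,
    pub frontend_tls: bool,
    pub frontend_h2: bool,
    pub force_backend_tls: bool,
    pub default_backend_protocol: BackendProtocol,
    pub backends: Vec<Backend>,
}

#[derive(Debug, PartialEq)]
pub enum ConfigError {
    PlainBackendWithForcedTls { app_id: String, address: String },
    MixedProtocols { app_id: String },
}

pub fn effective_protocol<'a>(app: &'a Application, b: &'a Backend) -> &'a BackendProtocol {
    b.protocol.as_ref().unwrap_or(&app.default_backend_protocol)
}

/// Returns configuration warnings, or the first hard error found.
pub fn validate(app: &Application) -> Result<Vec<String>, ConfigError> {
    let mut warnings = Vec::new();
    let mut first_kind: Option<Discriminant<BackendProtocol>> = None;
    let mut any_tls = false;
    for b in &app.backends {
        let proto = effective_protocol(app, b);
        let kind = discriminant(proto);
        // All backends of one application must use the same kind of transport.
        match first_kind {
            None => first_kind = Some(kind),
            Some(k) if k != kind => {
                return Err(ConfigError::MixedProtocols { app_id: app.app_id.clone() })
            }
            _ => {}
        }
        if app.force_backend_tls && !matches!(proto, BackendProtocol::Tls { .. }) {
            return Err(ConfigError::PlainBackendWithForcedTls {
                app_id: app.app_id.clone(),
                address: b.address.clone(),
            });
        }
        if let BackendProtocol::Tls { h2, .. } = proto {
            any_tls = true;
            if app.frontend_h2 && !h2 {
                warnings.push(format!("{}: backend {} has TLS but no HTTP/2; requests will be downgraded to HTTP/1.1", app.app_id, b.address));
            }
        }
    }
    if any_tls && !app.frontend_tls {
        warnings.push(format!("{}: plaintext HTTP frontend with TLS backends", app.app_id));
    }
    Ok(warnings)
}

/// Constant-time comparison of a presented SPKI hash against the pin.
pub fn pin_matches(expected: &[u8; 32], observed: &[u8]) -> bool {
    if observed.len() != 32 {
        return false;
    }
    let diff = expected.iter().zip(observed).fold(0u8, |d, (a, b)| d | (a ^ b));
    diff == 0
}

/// Pin check for a handshake; with `Store` alone there is no pin, and chain
/// validation itself is left to the TLS library.
pub fn presented_key_allowed(verify: &Verify, spki_sha256: &[u8]) -> bool {
    match verify {
        Verify::Store { .. } => true,
        Verify::PinnedSpki(pin) | Verify::StoreAndPin { pin, .. } => pin_matches(pin, spki_sha256),
    }
}

/// Constructed sample: app-level TLS default, one backend overriding with a pin and no HTTP/2.
pub fn sample_app() -> Application {
    Application {
        app_id: "app-1".into(),
        frontend_tls: false,
        frontend_h2: true,
        force_backend_tls: true,
        default_backend_protocol: BackendProtocol::Tls {
            verify: Verify::Store { ca_bundle: "/etc/ssl/certs/ca-certificates.crt".into() },
            h2: true,
        },
        backends: vec![
            Backend { address: "10.0.0.1:8443".into(), protocol: None },
            Backend {
                address: "10.0.0.2:8443".into(),
                protocol: Some(BackendProtocol::Tls { verify: Verify::PinnedSpki([0x42; 32]), h2: false }),
            },
        ],
    }
}

fn main() {
    match validate(&sample_app()) {
        Ok(w) => w.iter().for_each(|m| println!("warning: {}", m)),
        Err(e) => println!("error: {:?}", e),
    }
}
```

With the sample configuration `validate` accepts the application and returns two warnings (the second backend lacks HTTP/2, and the frontend is plaintext while backends use TLS); switching a backend to `Tcp` with `force_backend_tls` set is rejected outright.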
Regarding HTTP/2, I think the best solution is to reuse code and ideas from the hyper crate?
hyper uses the h2 crate, and that crate relies heavily on futures and tokio. As sozu uses its own event loop based on mio, it would not be compatible.
We are in 2021, can we expect secure connections between Sozu and backends soon?
To be transparent, our focus (at @CleverCloud) for this has instead been on encrypting communications at a lower layer, through WireGuard. It is less complex to distribute WireGuard keys and set up networks than to set up a PKI, distribute certificates and either install them in a different way for each backend server, or add another proxy for TLS termination near the backend.
The feature is not particularly hard to add though; creating a new type of socket for backends should make for some easily self-contained code. IIRC I had some code for that somewhere, I'll see if I can dig it out.
> our focus (at @CleverCloud) ... encrypting communications at a lower layer, through WireGuard.
:clap: I'm a client :-) We shouldn't discuss this here, but, well, I don't know where to ask for it :wink: Is encryption already available between your reverse proxies and application backends?
You can ask on our support chat :smiley: It is not available yet, we're currently testing the WireGuard deployment.