nats-server
Hiding TLS certs
Hi!
I am developing an app with a microservice architecture. Microservices push and consume messages with NATS. In future I will deploy my app on the customer's hardware, and I must be sure that the customer will not be able to replace my microservices with their own and modify messages. For this purpose I use a TLS connection and embed certificates in my microservices and hide them from the customer. But NATS takes TLS certificates explicitly.
How can I hide TLS certificates? Thanks for the answer!
Are you talking about the server or a client app in terms of "takes TLS certificates explicit"?
About server
There are various approaches, looping in a few folks who should be able to help.
Hi @alexey-sderzhikov. Just to confirm, only the microservice is being deployed on the customer's hardware and not the server, correct? And the goal is that you want a client connection to not have to read the certs from disk, but it should be embedded in the application code (which presumably is compiled/byte code)?
Hi! Not exactly, microservices (clients) and NATS (server) will be deployed on the customer's hardware as well. Hiding certs in compiled clients is no problem for me, because I will deploy the app with Docker images and can embed certs at the build stage in the Dockerfile. The goal is to embed certs into NATS, like I did for my microservices.
You can embed nats server in your own code and then configure it that way.
However, be aware that embedding keys in your code is not secure typically unless you go to great lengths.
I am not sure I understood, you mean I can modify the NATS source code, embed my certs and build my own binary?
No need to modify the source. You can start the server in a goroutine of your own code and supply certs to it however you like using a Go tls.Config.
Hm, i.e. I need to make my own main.go where I configure opts with a TLSConfig, pass them into server creation and then call server.Run() like in main.go?
Correct. There is a helper function to generate the *tls.Config as well.
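The embedding approach described above, as an added example that is not from this thread or the nats-server project: PEM material compiled into the binary (for instance via `go:embed`, assumed here) is turned into a `*tls.Config` that requires client certificates issued by the embedded CA, which is what actually stops a replaced microservice from connecting. `SelfSignedPEM` is a constructed stand-in for the embedded files so the block runs offline with only the standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// BuildServerTLSConfig turns PEM bytes compiled into the binary (e.g. via go:embed) into the
// *tls.Config for server.Options.TLSConfig; clients must present a cert signed by the embedded CA.
func BuildServerTLSConfig(certPEM, keyPEM, caPEM []byte) (*tls.Config, error) {
	cert, err := tls.X509KeyPair(certPEM, keyPEM)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("embedded CA PEM holds no certificates")
	}
	return &tls.Config{
		Certificates: []tls.Certificate{cert},
		ClientCAs:    pool,
		ClientAuth:   tls.RequireAndVerifyClientCert, // a swapped-in client without our CA's signature fails the handshake
		MinVersion:   tls.VersionTLS12,
	}, nil
}

// SelfSignedPEM is a constructed stand-in for the real embedded cert and key so the example runs offline.
func SelfSignedPEM() (certPEM, keyPEM []byte, err error) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // uses crypto/rand; a failure there is unrecoverable
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "embedded-nats-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), IsCA: true,
		KeyUsage:  x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, nil, err
	}
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for an ed25519 key
	certPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM = pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER})
	return certPEM, keyPEM, nil
}
```

In the program that embeds the server, the returned config goes into `server.Options{TLSConfig: cfg}` from `github.com/nats-io/nats-server/v2/server` before `server.NewServer(opts)` and `Start()`, which is the goroutine approach described above. Keep in mind the caveat already raised in the thread: material compiled into a binary that runs on someone else's hardware can still be extracted, so this raises the bar rather than making the keys unreachable.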
I think it will work, cool, thanks!!!!