nats.java
Enable secure websocket connection behind TLS-terminating reverse proxy
In a reverse proxy environment that supports TLS termination (e.g. AWS ELB), a wss:// connection throws IOException("SSL connection wanted by client.")
This should only be checked when using TLS, not websocket.
Did you see that we specifically turned off upgradeRequired for websocket? So this won't work. Maybe the check should just be upgradeRequired.
Will have to think about this. Do you have a repeatable example or unit test for this? Would our new tls first connection option help your situation?
Also please verify your commits, it's a requirement for contributing.
Thanks for the feedback. Yes, upgradeRequired is false when the websocket protocol is used, but a secure websocket (wss://) makes isTLSRequired true, so the line 572 condition is also true.
Our environment is behind a reverse proxy that does TLS termination, which means serverInfo.isTLSRequired() is false.
I also tried the tls first option, but it throws an exception and does not make sense when using a secure websocket, as mentioned in the comment: We are already communicating over "https" websocket, so do NOT try to upgrade to secure.
Changed if condition statement.
I tried making a test, but it seems not easy as a unit test because this needs a reverse proxy. Is it okay to use testcontainers to set up nginx or tomcat as the reverse proxy?
Or I can make a repeatable example using docker compose.
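An added example, not nats.java's own code and not the exact condition at line 572, that models the two behaviours discussed in this thread in plain Java: the TLS mismatch check as it behaves when websocket transports are included, and as the PR proposes, with the check limited to the plain NATS transport. Transport, Decision, decideTlsBefore and decideTlsAfter are hypothetical names, and the serverTlsRequired parameter stands in for serverInfo.isTLSRequired().

```java
import java.io.IOException;

/**
 * Added illustration for this thread, not nats.java's own code. Transport, Decision,
 * decideTlsBefore and decideTlsAfter are hypothetical names; only the behaviour the
 * thread describes is reproduced, not the client's real connect code.
 */
public class TlsMismatchCheck {

    /** URL scheme the client was asked to connect with (hypothetical enum). */
    enum Transport { NATS, TLS, WS, WSS }

    /** What the connect path should do after reading the server's INFO (hypothetical). */
    enum Decision { NO_UPGRADE, UPGRADE_TO_TLS }

    /**
     * Behaviour the PR reports as broken: the "client wants TLS but the server says TLS is
     * not required" check runs for every transport, so a wss:// client behind a
     * TLS-terminating proxy (INFO carries tls_required=false) fails even though the
     * socket is already secure.
     */
    static Decision decideTlsBefore(Transport t, boolean serverTlsRequired) throws IOException {
        boolean clientWantsTls = (t == Transport.TLS || t == Transport.WSS);
        boolean upgradeRequired = (t == Transport.TLS); // turned off for websocket, as the thread notes
        if (upgradeRequired && serverTlsRequired) {
            return Decision.UPGRADE_TO_TLS;
        }
        if (clientWantsTls && !serverTlsRequired) {
            throw new IOException("SSL connection wanted by client."); // the exception from the PR description
        }
        return Decision.NO_UPGRADE;
    }

    /**
     * Behaviour the PR asks for: the mismatch check applies only to the plain NATS protocol,
     * where the client itself would have to upgrade the socket. For websocket the TLS
     * decision was already made at the HTTP layer (wss:// or ws://) before INFO arrived,
     * and INFO's tls_required describes the proxy-to-server hop, which is legitimately
     * plain behind a TLS-terminating proxy.
     */
    static Decision decideTlsAfter(Transport t, boolean serverTlsRequired) throws IOException {
        if (t == Transport.WS || t == Transport.WSS) {
            return Decision.NO_UPGRADE; // never upgrade and never complain: already over websocket
        }
        boolean clientWantsTls = (t == Transport.TLS);
        if (clientWantsTls && !serverTlsRequired) {
            throw new IOException("SSL connection wanted by client.");
        }
        if (!clientWantsTls && serverTlsRequired) {
            throw new IOException("TLS required by server but not requested by client (hypothetical message)");
        }
        return clientWantsTls ? Decision.UPGRADE_TO_TLS : Decision.NO_UPGRADE;
    }

    @FunctionalInterface
    interface Check { Decision run() throws IOException; }

    /** Renders the outcome of one check as text, including a thrown IOException. */
    static String describe(Check check) {
        try {
            return check.run().toString();
        } catch (IOException e) {
            return "IOException(\"" + e.getMessage() + "\")";
        }
    }

    public static void main(String[] args) {
        // Constructed scenarios; the third one is the topology from this thread:
        // Client <--WSS(TLS)--> Proxy <--WS(PLAIN)--> NATS, so INFO says tls_required=false.
        Object[][] cases = {
            { Transport.NATS, false },
            { Transport.TLS,  true  },
            { Transport.WSS,  false },
            { Transport.WS,   false },
        };
        for (Object[] c : cases) {
            Transport t = (Transport) c[0];
            boolean required = (Boolean) c[1];
            System.out.println(t + " with tls_required=" + required
                + " -> before: " + describe(() -> decideTlsBefore(t, required))
                + ", after: " + describe(() -> decideTlsAfter(t, required)));
        }
    }
}
```

Running the main method shows the WSS case throwing in the "before" variant and returning NO_UPGRADE in the "after" variant, while the plain NATS and TLS cases behave the same in both. The design point worth keeping in mind is that with TLS termination the client can only verify the hop to the proxy: whether the proxy-to-server hop is encrypted is invisible to it, so that trust has to come from the deployment (network isolation, or TLS configured separately on the proxy-to-server leg) rather than from anything the client can check in INFO.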
Let's make a stand-alone project for this and I will figure out how to get it integrated into our system. I can see it ending up as a project in the integration-tests repo: https://github.com/nats-io/integration-tests#integration-tests
Good. I will make working integration test code using testcontainers and open a PR on that repo. I think it might take a week roughly.
I made an integration test on https://github.com/flex-team/nats.java/pull/1. I tried the integration-tests repo, but I needed TestSSLUtils.
@scottf Hi, did you check the integration test PR? What do you think?
@scottf Hi, I have the same problem. Do you have any plans to fix this?
@flex-seongbok Hi, how did you fix this problem?
@OpenX-Public can you please try again using the server feature handshake_first and the client option setting of tlsFirst()?
I'm also closing this as any fix would have to be re-written against the latest.
@scottf hello. You guided me to use the handshake_first option on Nats Server, but if I use a TLS-terminating reverse proxy, the TLS connection will only happen between java-nats -> LB, and not between LB -> Nats Server.
That’s why it’s a bit weird to use the handshake_first option on Nats Server. Because Nats Server will never make a TLS connection.
I couldn't fix this problem. I was doing a PoC of NATS and this keeps blocking me from using NATS.
@scottf I tried the server option below and tlsFirst on the client, but it didn't work.
"leafnodes": {
    "tls": {
        "handshake_first": true
    }
}
There was an error log on nats-server:
wid:39 - Client parser ERROR, state=0, i=0: proto='...'
We are experiencing this issue in a reverse-proxy environment with TLS termination: Client <--WSS(TLS)--> Proxy <--WS(PLAIN)--> NATS. A mismatch of TLS configuration should be normal in this environment.