nsqlookupd/nsqd: TLS on intra-cluster communication
According to this email conversation NSQ assumes that connections between nsqd and nsqlookupd are on a trusted network. Hence, TLS communication is only possible between clients and nsqd. I'm looking at use cases where nsqd and nsqlookupd would be located on geo-distributed systems where there isn't necessarily any "network security guarantees".
Proposal: Would you be interested in a pull request adding an option for TLS-wrapped communication between nsqlookupd and nsqd?
An interesting complication is that nsqd connects to nsqlookupd with a binary nsq-specific protocol over TCP, and also makes some http requests to nsqlookupd on the http port. This has been a "would be nice to clean up but no one has cared enough yet" sort of thing.
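Neither comment above includes code, so the following Go program is an added example (not nsq's own code, and not the proposed pull request) of what TLS-wrapping the nsqd-to-nsqlookupd TCP leg with mutual authentication looks like using only the standard library: an in-memory cluster CA issues one certificate per daemon, a listener standing in for nsqlookupd requires a client certificate chained to that CA, and a peer that can reach the port but holds no cluster-issued certificate is refused during the handshake before any bytes of payload are read. The CA name `nsq-cluster-ca`, the `identity` type, the `Register` function and the 4-byte `"  V1"` payload (standing in for the opening bytes of the nsq protocol) are all constructed for this example; nothing here speaks the real nsq wire protocol.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// identity pairs a parsed certificate with its key and tls.Certificate form; all
// key material is generated in memory here, where a real cluster would load PEM files.
type identity struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
	tc   tls.Certificate
}

// newCert issues a certificate for cn: a self-signed CA when parent is nil,
// otherwise a leaf signed by parent with cn as its DNS SAN.
func newCert(cn string, serial int64, parent *identity) *identity {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
	}
	parentCert, signer := tmpl, key
	if parent == nil {
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		parentCert, signer = parent.cert, parent.key
		tmpl.DNSNames = []string{cn}
		// A daemon's leaf may act as TLS server (nsqlookupd) or TLS client (nsqd).
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, signer))
	cert := must(x509.ParseCertificate(der))
	return &identity{cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}}
}

// Register stands up a TLS listener in the nsqlookupd role that demands a client
// certificate chained to the cluster CA, dials it as nsqd (with or without nsqd's
// certificate) and returns what the listener read, or the handshake error it hit.
func Register(withCert bool) (string, error) {
	ca := newCert("nsq-cluster-ca", 1, nil) // constructed CA name
	lookupd, nsqd := newCert("nsqlookupd", 2, ca), newCert("nsqd", 3, ca)
	pool := x509.NewCertPool()
	pool.AddCert(ca.cert)
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{lookupd.tc},
		ClientCAs:    pool,
		ClientAuth:   tls.RequireAndVerifyClientCert,
		MinVersion:   tls.VersionTLS12,
	}
	clientCfg := &tls.Config{RootCAs: pool, ServerName: "nsqlookupd", MinVersion: tls.VersionTLS12}
	if withCert {
		clientCfg.Certificates = []tls.Certificate{nsqd.tc}
	}
	ln := must(tls.Listen("tcp", "127.0.0.1:0", serverCfg))
	defer ln.Close()
	data, errc := make(chan string, 1), make(chan error, 1)
	go func() {
		var buf []byte
		conn, err := ln.Accept()
		if err == nil {
			buf, err = io.ReadAll(conn) // the first Read runs the TLS handshake
			conn.Close()
		}
		data <- string(buf)
		errc <- err
	}()
	// Client-side failures are ignored on purpose: the listener's verdict is what counts.
	if conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg); err == nil {
		_, _ = conn.Write([]byte("  V1")) // constructed payload standing in for the protocol's first bytes
		conn.Close()                      // close_notify lets the listener's ReadAll return
	}
	return <-data, <-errc
}

func main() {
	fmt.Println(Register(true))  // ("  V1", nil)
	fmt.Println(Register(false)) // ("", handshake error)
}
```

The point of `RequireAndVerifyClientCert` rather than server-only TLS is that a geo-distributed nsqlookupd port is reachable by anyone, so confidentiality alone is not enough; the listener also needs to know the peer is a member of the cluster. The HTTP requests nsqd makes to nsqlookupd would need the same CA and client certificate on the `http.Transport` side (its `TLSClientConfig` field), which is one reason consolidating the two channels would simplify such a change.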
One method I've contemplated to resolve this is using autossh and ssh port forwarding. I use this successfully in other scenarios to set up a pseudo-VPN with low overhead and fairly easy administration. Anybody tried this with NSQ? (I'm just starting an implementation, will update with any gotchas I run across.)
Bumping this request - would be incredibly useful. Having TLS to handle outside communication is nice, but there are a bunch of scenarios where this would be necessary to actually have a secure deployment.