[EDIT] securing_nats tls.md re: TLS-Terminating Reverse Proxies #703

Open: wants to merge 6 commits into base: master
47 changes: 14 additions & 33 deletions running-a-nats-service/configuration/securing_nats/tls.md
Expand Up @@ -166,41 +166,22 @@ openssl x509 -noout -text -in client-cert.pem

## TLS-Terminating Reverse Proxies

Due to the nature of the TLS upgrade mechanism NATS uses, using a [TLS-terminating reverse proxy](https://en.wikipedia.org/wiki/TLS_termination_proxy) with NATS is not supported. However, there are workarounds that can be used in the client libraries to make it work.
Using a [TLS-terminating reverse proxy](https://en.wikipedia.org/wiki/TLS_termination_proxy) with NATS requires some specific configuration on the server.
In a typical proxy scenario, the client to proxy communication is secured and the proxy to server is insecure. This causes a "mismatch" because the server appears to be insecure
but the client is told to connect securely. To fix this, the server must be configured as "tls available". This is done via an empty `tls` block and the `allow_non_tls` flag.

### nats.go

Provide a [CustomDialer](https://github.com/nats-io/nats.go/blob/cd74bc037e7c4ec3e5dc4cbcd93b669c1f4e3778/nats.go#L217).

### nats.java

```java
package io.nats.client.impl;

public class TlsSocketDataPort extends SocketDataPort {
@Override
public void connect(String serverURI, NatsConnection conn, long timeoutNanos) throws IOException {
super.connect(serverURI, conn, timeoutNanos);
this.upgradeToSecure();
}
}
```

```java
Nats.connect(new Options.Builder()
.server(server)
.dataPortType("io.nats.client.impl.TlsSocketDataPort")
.build())
tls {}
allow_non_tls: true
```

### nats.js

See: <https://github.com/nats-io/nats.js/issues/369>

### nats.rs

See: <https://github.com/nats-io/nats.rs/blob/main/async-nats/src/connector.rs>

### nats.net
Once this is configured, your client can connect to the proxy with normal (language specific) tls configuration. Please make sure you are using the appropriate version of your language specific client.

See: <https://github.com/nats-io/nats.net/tree/main/src/Samples/TLSReverseProxyExample>
| Client | Version |
| --- | --- |
| nats.go | v1.31.0 |
| nats.js | 2024.1.2 |
| nats.java | 2.18.0 |
| nats.rs | 0.33 |
| nats.net.v2 | 2.0.0 |
| nats.net (v1) | 1.1.5 |
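Review bot: the added server snippet `tls {}` / `allow_non_tls: true` appears to land inside the fence opened by the retained ```java line of the removed Java example, so the NATS server configuration will be highlighted as Java; open a fresh fence for it without the `java` tag (plain or `text`) so the example renders as a config block. Two smaller points in the new prose: the table header "Version" should say these are minimum versions (e.g. "Minimum version"), because "the appropriate version of your language specific client" does not tell the reader whether older releases fail; and since `allow_non_tls: true` makes the server accept plaintext connections from any peer that can reach the listener, not only from the proxy, the section should state that the proxy-to-server hop is unencrypted and that the server's listener should be reachable only from the proxy (loopback or a private network segment).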