Use lnd's cert package to create TLS config to fix TLS cipher suites #35
67237f4 to 136ebc8
We tested the new setup with `insecure: true` in the aperture.yaml when booting the full nautilus stack behind an AWS NLB and it works.
The new setup looks like this now:
loop-client ---http2-over-tls--->NLB----http2---->aperture----http2-over-tls--->nautilus
The external TLS connection is terminated on the NLB which also presents the official TLS certificate registered to nautilus.lightningcluster.com.
We ended up disabling TLS to get it to work. There seems to be a general problem with TLS and load balancers.
aperture.go (Outdated)
@@ -138,6 +152,17 @@ func start() error { | |||
} | |||
log.Infof("Done generating TLS certificates") | |||
} | |||
|
|||
// Load the certs now so we can create a complete TLS config. | |||
certData, _, err := cert.LoadCert(tlsCertFile, tlsKeyFile) |
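Review bot: the error returned by cert.LoadCert on the last line of the hunk is not checked within the visible lines; the `if err != nil { return err }` must follow directly, otherwise start() continues with a zero-value tls.Certificate and the TLS config built from it will fail at handshake time rather than at startup. Two smaller points: the second return value (the parsed x509 certificate) is discarded, so nothing here verifies the loaded certificate is the one that was just generated or checks its expiry; and because the certificate is loaded once in start(), a certificate regenerated on disk later is not picked up until aperture restarts. If rotation without restart matters, hand the tls.Config a GetCertificate callback that reloads on demand instead of a static Certificates slice.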
Cert loading needs to move to the next commit?
Not really, we can't create a valid TLSConfig without the certificate.
proxy/proxy.go (Outdated)
@@ -70,8 +71,15 @@ func (p *Proxy) ServeHTTP(w http.ResponseWriter, r *http.Request) { | |||
} | |||
defer logRequest() | |||
|
|||
// PRI requests are an internal check of HTTP/2 which we just have to | |||
// say OK to. | |||
if r.Method == "PRI" { |
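Review bot: the comment above the `if r.Method == "PRI"` branch does not say why a plain OK is the right answer, and matching on the method alone is too broad. `PRI` is the method of the HTTP/2 connection preface (`PRI * HTTP/2.0`), which only reaches ServeHTTP when the listener is serving cleartext h2c; the golang.org/x/net/http2/h2c handler additionally requires `r.URL.Path == "*"`, `r.Proto == "HTTP/2.0"` and an empty header set before treating a request as the preface. Without those checks any client can send a `PRI` request over TLS or HTTP/1.1 and short-circuit whatever follows in ServeHTTP, so either add the same conditions or state in the comment which client behaviour breaks when the preface is not answered.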
Some more info on this would be nice. What problem do we have if we don't answer?
Removed the whole commit. We did try out some stuff with this but I think in the end (with TLS turned off) this is not needed anymore. Same with the following 2 commits.
We tested this again on the AWS cluster and confirmed it still works.
We need to use safe TLS 1.2 cipher suites that are also accepted by the golang http2 library. Turns out, that is a subset of what we currently use in lnd.