New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Consider allowing drivers to use encrypted connections #3158
Comments
Another alternative would be to give people a script that sets up an SSH tunnel for them. That's less nifty, but a lot easier. |
@mlucy I agree it would be a lot less work to provide users with a python script that sets up an ssh tunnel or something basic for them to use and if they want something more advance then they should set that up on there own. @coffeemug if you just want some basic python or something scripts that can create ssh tunnels for usrs to connect to there rethinkdb cluster then I can make some easy scripts for something like that. |
+1 on built-in encryption option |
+1 for built-in encryption. So far I'm using the following snippet on my node.js clients: var net = require('net');
var tls = require('tls');
net.createServer(function (socket) {
socket.pipe(tls.connect(38015)).pipe(socket);
}).listen(28015); Then the client connects to An SSH tunnel is something else to manage, monitor and make sure its running. Also, what's keeping you guys from making rethinkdb serve it's API over TLS connections ? |
@joaojeronimo sorry for the late response:
We'd actually really like to do that. There are different options for this, and we discussed some of them in #3151 (comment) . While that thread is about intra-cluster connections, we'll probably provide the same thing for client connections as well. |
That would be great. Do you guys have this scheduled ? |
@joaojeronimo Not yet. We'll rely on external proxies (like |
Cross-posting this for more exposure: I made a guide to setting up a RethinkDB cluster with native TLS which uses an experimental build from that aforementioned pull request. |
Similar to #3151 for intra-cluster communication, I believe there are a few things we can do to make working with encrypted client connections much easier.
Here's my proposal:
Assume the user has set up a tool such as stunnel (https://www.stunnel.org/index.html) on the server to allow incoming SSL connections to RethinkDB's client port.
We could extend the official drivers to support connecting to the server through SSL. From the user's perspective, this would take two things:
r.connect()
to enable SSLIn combination with the auth keys we already have and a firewall that restricts incoming connections to specific IP addresses, this would provide some reasonable level of security for running RethinkDB on unprotected networks.
It's not quite sufficient for just exposing the encrypted client port to the Internet though, since we might expose security vulnerabilities even before the auth key is validated (plus there's a high potential for DoS and brute force attacks).
To make that work, we should also investigate options to use a client-side certificate. I'm not very familiar with how that works with SSL, but it would be great if one could just configure stunnel on the server to check for a certain client certificate, and have another option in our drivers to supply one.
The text was updated successfully, but these errors were encountered: