TLS

Ingress

By default gecholog listens http port 5380 but can easily be configured to https via the options in /app/conf/gl_config.json.

Extract of the /app/conf/gl_config.json for the main gecholog service and /app/conf/gui_config.json for the web interface related to ingress https

{
    "tls": {
        "ingress": {
            "enabled": false,
            "certificate_file": "./app/conf/cert.pem",
            "private_key_file": "./app/conf/key.pem"
        }
    }
}

When the setting enabled=true is applied, it guarantees that ingress communications is secured with TLS encryption. This adds a vital layer of security, especially crucial in production environments. To initiate a secure TLS ingress session, gecholog will read the certificate_file and private_key_file from the specified file paths in the configuration file. Ensure that the certificate and key provided are appropriate for the environment gecholog is running in. If enabled=false, the certificate_file and private_key_file fields will be ignored.

certificate_file

This is the local path to the certificate file used for TLS. This certificate file should be a valid PEM-encoded file and must be provided if enabled=true.

private_key_file

This specifies the local path to the private key file for the TLS certificate. It must be in PEM format and is required if enabled=true.

NOTE: Consider changing port to 443 or 8443 in the /app/conf/gl_config.json when activating TLS enabled=true.

Remember to restart the gecholog container for the changes to take effect or create your Custom Docker Image using your new settings. The certificate and key files should be kept secure.

Test ingress with self-signed certificates

For those interested in experimenting with the TLS enabled=true setting in a development setup, you have the option to generate your own self-signed certificates (note: not suitable for production use).

openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes

Upload the key.pem and cert.pem files to the container, make sure the /app/conf/gl_config.json is referencing them correctly and set enabled=true. Restart the container and try

Windows Command Line

curl -k -X POST ^
     -H "Content-Type: application/json" ^
     -d "{\"message\":{\"content\": \"Hello World!\"}}" ^
     https://localhost:5380/echo/

MacOS/Linux

curl -k -X POST -H "Content-Type: application/json" -d '{ 
    "message":
      {
        "content": "Hello World!"
      }
  }' 'https://localhost:5380/echo/'

NOTE: https request and the -k flags allows curl to make a request even though the certificates are self-signed.

This request is using the /echo/ router and should respond with

{ 
    "message": {
        "content": "Hello World!"
    }
}

Outbound

gecholog gives you the option to configure outbound tls traffic terms in the configuration files. You can configure to use system certificates, custom certificate files or during development test connecting via insecure=true option.

These settings exist in both /app/conf/gl_config.json and /app/conf/nats2log_config.json.

{
    "tls": {
        "outbound": {
            "insecure": false,
            "system_cert_pool": true,
            "cert_files": [ ]
        }
    }
}

If gecholog container should use the system certificate pool set system_cert_pool=true. cert_files accepts an array of ca.crt container path filenames. These will be appended to the cert pool and can be used with or without system_cert_pool=true . You can make ca.crt files available to the container via volume mount of by creating your own Dockerfile. The insecure=true allows the service to make outbound https calls even though the target is not trusted (note: recommended only for dev setups).

TLS for service bus

gecholog uses nats service bus for logging and to be able to connect custom processors. To be enable TLS connection on port 4222 it is recommended move the internal services to an adjacent port that is not exposed outside the container for http traffic. For example port 4223. The nats-server.conf file could look something like this:

# Global Authorization
authorization {
    token: $NATS_TOKEN
}

# Listener for external clients with TLS
listen: 0.0.0.0:4222
tls {
  # Paths to the TLS server certificate and key
  cert_file: "/path/to/server-cert.pem"
  key_file: "/path/to/server-key.pem"
  # Require a client certificate for external connections
  verify_and_map: true
  # Optional: CA file for verifying client certificates
  ca_file: "/path/to/ca.pem"
}

# Listener for internal clients without TLS
# Use a different port for internal connections
listen: 127.0.0.1:4223