TLS
Ingress
By default gecholog
listens http
port 5380
but can easily be configured to https
via the options in /app/conf/gl_config.json
.
Extract of the /app/conf/gl_config.json
for the main gecholog
service and /app/conf/gui_config.json
for the web interface related to ingress https
{
"tls": {
"ingress": {
"enabled": false,
"certificate_file": "./app/conf/cert.pem",
"private_key_file": "./app/conf/key.pem"
}
}
}
When the setting enabled=true
is applied, it guarantees that ingress communications is secured with TLS encryption. This adds a vital layer of security, especially crucial in production environments. To initiate a secure TLS ingress session, gecholog
will read the certificate_file
and private_key_file
from the specified file paths in the configuration file. Ensure that the certificate and key provided are appropriate for the environment gecholog
is running in. If enabled=false
, the certificate_file
and private_key_file
fields will be ignored.
certificate_file
This is the local path to the certificate file used for TLS. This certificate file should be a valid PEM-encoded file and must be provided if enabled=true
.
private_key_file
This specifies the local path to the private key file for the TLS certificate. It must be in PEM format and is required if enabled=true
.
NOTE: Consider changing port to
443
or8443
in the/app/conf/gl_config.json
when activating TLSenabled=true
.
Remember to restart the gecholog
container for the changes to take effect or create your Custom Docker Image using your new settings. The certificate and key files should be kept secure.
Test ingress with self-signed certificates
For those interested in experimenting with the TLS enabled=true
setting in a development setup, you have the option to generate your own self-signed certificates (note: not suitable for production use).
openssl req -x509 -newkey rsa:4096 -keyout key.pem -out cert.pem -days 365 -nodes
Upload the key.pem
and cert.pem
files to the container, make sure the /app/conf/gl_config.json
is referencing them correctly and set enabled=true
. Restart the container and try
curl -k -X POST ^
-H "Content-Type: application/json" ^
-d "{\"message\":{\"content\": \"Hello World!\"}}" ^
https://localhost:5380/echo/
curl -k -X POST -H "Content-Type: application/json" -d '{
"message":
{
"content": "Hello World!"
}
}' 'https://localhost:5380/echo/'
NOTE:
https
request and the-k
flags allows curl to make a request even though the certificates are self-signed.
This request is using the /echo/
router and should respond with
{
"message": {
"content": "Hello World!"
}
}
Outbound
gecholog
gives you the option to configure outbound tls
traffic terms in the configuration files. You can configure to use system certificates, custom certificate files or during development test connecting via insecure=true
option.
These settings exist in both /app/conf/gl_config.json
and /app/conf/nats2log_config.json
.
{
"tls": {
"outbound": {
"insecure": false,
"system_cert_pool": true,
"cert_files": [ ]
}
}
}
If gecholog
container should use the system certificate pool set system_cert_pool=true
. cert_files
accepts an array of ca.crt
container path filenames. These will be appended to the cert pool and can be used with or without system_cert_pool=true
. You can make ca.crt
files available to the container via volume mount of by creating your own Dockerfile. The insecure=true
allows the service to make outbound https
calls even though the target is not trusted (note: recommended only for dev setups).
TLS for service bus
gecholog
uses nats
service bus for logging and to be able to connect custom processors. To be enable TLS connection on port 4222
it is recommended move the internal services to an adjacent port that is not exposed outside the container for http
traffic. For example port 4223
. The nats-server.conf
file could look something like this:
# Global Authorization
authorization {
token: $NATS_TOKEN
}
# Listener for external clients with TLS
listen: 0.0.0.0:4222
tls {
# Paths to the TLS server certificate and key
cert_file: "/path/to/server-cert.pem"
key_file: "/path/to/server-key.pem"
# Require a client certificate for external connections
verify_and_map: true
# Optional: CA file for verifying client certificates
ca_file: "/path/to/ca.pem"
}
# Listener for internal clients without TLS
# Use a different port for internal connections
listen: 127.0.0.1:4223