awslabs/aws-sigv4-proxy

Add support for TLS

chadbean opened this issue · 10 comments

I'm using this proxy in front of an API Gateway with IAM authorization which proxies to Nginx and finally to an EKS cluster. Kubectl only will send its bearer token (using the Authorization header) if the connection to the server is using TLS and I'd rather not add yet another proxy in front of this one to terminate TLS.

Would you be open to adding optional TLS support? I have it working locally and I was thinking about these flags:

+	enableTLS              = kingpin.Flag("enable-tls", "Enable TLS").Default("false").Bool()
+	tlsCertFile            = kingpin.Flag("tls-cert-file", "TLS certificate file path").String()
+	tlsKeyFile             = kingpin.Flag("tls-key-file", "TLS key file path").String()
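Review bot: the three flags are declared independently, so nothing ties `--tls-cert-file` and `--tls-key-file` to `--enable-tls`: the proxy can be started with `--enable-tls` and empty paths, or with both paths and TLS still off, and the mistake only surfaces when the listener is created. Suggest validating the combination at startup (fail fast if `--enable-tls` is set and either path is empty, and warn or fail if paths are given without it) and documenting the three flags together as one option group.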

If so, I'd be happy to create a PR to support this.

Sounds like a nice feature to have. You have it already working?

@allamand yeah, I can add a PR if there's interest.

That would be nice, I'd love to see if that can fit my use case.

@allamand sorry for the delay. Please see #179.

@chadbean thanks. Do you have a sample configuring the TLS?

@allamand it could be used like this, for example:

docker run --rm -ti \
    -v ~/.aws:/root/.aws \
    -v /path/to/your/certs/server.crt:/etc/ssl/certs/server.crt \
    -v /path/to/your/certs/server.key:/etc/ssl/certs/server.key \
    -p 8080:8080 \
    -e 'AWS_SDK_LOAD_CONFIG=true' \
    -e 'AWS_PROFILE=<your profile name>' \
    public.ecr.aws/aws-observability/aws-sigv4-proxy:1.7 \
    --enable-tls \
    --tls-cert-file=/etc/ssl/certs/server.crt \
    --tls-key-file=/etc/ssl/certs/server.key \
    --name execute-api --region <aws region> \
    --host <redacted>.execute-api.<aws region>.amazonaws.com 

Note the new --enable-tls, --tls-cert-file, and --tls-key-file args as well as mounting the volumes with the cert and key from your local host to the container. Of course the image (public.ecr.aws/aws-observability/aws-sigv4-proxy:1.7) above doesn't work as it needs a custom build from the branch in PR #179 as well.

The certs can be self-signed certs. I tested with a key/pair generated with openssl and signed with my own CA.
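As an added illustration of how the three flags from this thread could be wired into Go's net/http (example code written here, not the code in PR #179 or the project's own implementation): the flag combination is validated at startup and the server is pinned to TLS 1.2 as a floor. The names tlsOptions, validate and serve are chosen for this example, the kingpin flag parsing is omitted, and the cert/key paths in main are placeholders matching the docker run example above.

```go
package main

import (
	"crypto/tls"
	"errors"
	"fmt"
	"net/http"
)

// tlsOptions mirrors the three flags proposed in this issue; the kingpin wiring is left out.
type tlsOptions struct {
	Enable   bool
	CertFile string
	KeyFile  string
}
// validate checks the flag combination at startup so a bad deployment fails
// before the listener binds rather than when the first client connects.
func (o tlsOptions) validate() error {
	if !o.Enable {
		if o.CertFile != "" || o.KeyFile != "" {
			return errors.New("--tls-cert-file/--tls-key-file set but --enable-tls is not")
		}
		return nil
	}
	if o.CertFile == "" || o.KeyFile == "" {
		return errors.New("--enable-tls requires both --tls-cert-file and --tls-key-file")
	}
	// Loading the pair up front catches missing, unreadable or mismatched files.
	if _, err := tls.LoadX509KeyPair(o.CertFile, o.KeyFile); err != nil {
		return fmt.Errorf("loading TLS key pair: %w", err)
	}
	return nil
}
// serve starts the listener in plain HTTP or TLS mode; TLS 1.2 is pinned as the
// minimum so a self-signed setup does not silently accept legacy versions.
func serve(addr string, o tlsOptions, h http.Handler) error {
	if err := o.validate(); err != nil {
		return err
	}
	srv := &http.Server{Addr: addr, Handler: h}
	if !o.Enable {
		return srv.ListenAndServe()
	}
	srv.TLSConfig = &tls.Config{MinVersion: tls.VersionTLS12}
	return srv.ListenAndServeTLS(o.CertFile, o.KeyFile)
}
func main() { // placeholder paths as in the docker run example; h would be the proxy's signing handler
	fmt.Println(serve(":8080", tlsOptions{Enable: true, CertFile: "/etc/ssl/certs/server.crt", KeyFile: "/etc/ssl/certs/server.key"}, http.NotFoundHandler()))
}
```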

@allamand any updates on this?

Yes, I didn't manage to make it work in my use case. Ideally I would not want to terminate TLS on the proxy, so not sure why I need to pass some certificate here?

@allamand you can skip the TLS flags if you don't need TLS support. It was just added for my use case because I was proxying EKS and kubectl won't send the Authorization header to the proxy if it's not a TLS connection.

OK, thanks, this is working.