bradleyjkemp/grpc-tools

mTLS support and grpc-cache

tomberek opened this issue · 5 comments

I've created a "grpc-cache" tool using mwitkow's code as a base, but having it be part of this ecosystem would be better. I'd like to add it, but I'm not seeing a way to support mTLS. It seems that this is the right place to add a third alternative. Am I reading this right?

Hey, I've not used gRPC with mutual TLS before. How would an intercepting proxy work in this case?

I'm assuming there are two parts: you need to add a client certificate (https://godoc.org/google.golang.org/grpc/credentials#NewClientTLSFromCert) to the connection made to the destination server and optionally do some validation of the client certificate on intercepted connections?
Obviously there's no way to proxy the client certificate, so you'd need to pass this as a flag to grpc-proxy.

It would have to have certs available for both sides of the connection. There are many combinations of possibilities, but I think that is the simplest.

Here's my initial attempt, it assumes that the client cert has a localhost (or other relevant) SAN. It forces the user to change their code/settings. It does not respect http_proxy/all_proxy. My next effort was to try to use the grpc-proxy interface.

https://gist.github.com/tomberek/e86ba3937ed15f919b12d4cc30710f1b

Ok, so you can already make grpc-proxy use your custom transport credentials using grpc_proxy.WithOptions(grpc.WithTransportCredentials(ta)), which solves one half: validating the intercepted client's certificate.

Then I think we'd just need to add a new option to allow you to choose a certificate to present to the downstream destination server?

Correct. Then I’d add a caching layer (middleware?) and generic key-value (gokv is nice).

@tomberek I've added a WithDialOptions option. I think this is all you need to pass to grpc_proxy.New:

  • WithServerOptions(grpc.Creds(ta)) to validate client certificates

  • WithDialOptions(grpc.WithTransportCredentials(ta)) to present a client certificate to the downstream destination

Let me know if you run into any other obstacles! Excited to see what you can build on top of grpc-proxy 🙂
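The two halves listed above, as an added example that is not part of grpc-tools or of this thread: it builds the server-side and dial-side tls.Config values with Go's standard library only (in grpc-proxy each would be wrapped with credentials.NewTLS and handed to grpc.Creds and grpc.WithTransportCredentials respectively; the gRPC import is left out so the block runs offline), then drives one in-process mTLS handshake over net.Pipe to show that the proxy side rejects an intercepted client that presents no certificate. selfSigned, trust and mtlsHandshake are the example's own names, and the certificates are throwaway test material generated in memory.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate (constructed test material, not real PKI).
func selfSigned(cn string) tls.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn}, DNSNames: []string{"localhost"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign, BasicConstraintsValid: true, IsCA: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}
func trust(c tls.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c.Leaf); return p } // pool of one

// mtlsHandshake builds the two halves grpc-proxy needs (serverCfg for grpc.Creds(credentials.NewTLS(...)), dialCfg
// for grpc.WithTransportCredentials(credentials.NewTLS(...))), runs one handshake in-process over net.Pipe, and
// returns the client identity the proxy side verified, or the error that rejected the connection.
func mtlsHandshake(proxy, client tls.Certificate, presented []tls.Certificate) (string, error) {
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{proxy}, ClientCAs: trust(client),
		ClientAuth:   tls.RequireAndVerifyClientCert, // no client certificate, no connection
		SessionTicketsDisabled: true, // no post-handshake writes, so the net.Pipe below cannot stall
	}
	// presented is what the intercepted client offers; pass nil to see the proxy side reject it.
	dialCfg := &tls.Config{Certificates: presented, RootCAs: trust(proxy), ServerName: "localhost"}
	sEnd, cEnd := net.Pipe()
	srv, serr := tls.Server(sEnd, serverCfg), make(chan error, 1)
	go func() { err := srv.Handshake(); sEnd.Close(); serr <- err }()
	cerr := tls.Client(cEnd, dialCfg).Handshake()
	cEnd.Close() // lets a server that is still writing its rejection alert return
	if err := <-serr; err != nil || cerr != nil {
		return "", fmt.Errorf("handshake rejected (server: %v, client: %v)", err, cerr)
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}
```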