tsloughter/epmdless

TLS instructions/help

beardedeagle opened this issue · 7 comments

I'm replacing my version of epmdless I got from the Erlang Solutions post with this library and I'd like to use TLS, however I'm not entirely sure where I would begin there. Per your instructions:

{epmdless, [
    {transport, tls},
    {listen_port, 17012},
    {ssl_dist_opt, [
        {client, [ssl:ssl_option()]},
        {server, [ssl:ssl_option()]}
    ]}
]}

I put this in my config.exs:

...
config :epmdless,
  transport: :tls,
  listen_port: 17_012,
  ssl_dist_opt: [
    client: [""],
    server: [""]
  ]
...

And that generates correctly during builds:

...
 {epmdless,
     [{transport,tls},
      {listen_port,17012},
      {ssl_dist_opt,[{client,[<<>>]},{server,[<<>>]}]}]},
...

But I'm unsure where I set up TLS for this. Is it in the client and server sections of the config, or is it separate? I assume what's being looked for here is something like the following:

SSL_DIST_OPT="server_certfile   erl-dist.pem client_certfile   erl-dist.pem \
              server_keyfile    erl-dist.key client_keyfile    erl-dist.key \
              server_cacertfile ca.pem       client_cacertfile ca.pem       \
              server_verify     verify_peer  client_verify     verify_peer  \
              server_fail_if_no_peer_cert true"

But again, I'm not sure where to put this if this is what is needed. Any chance you could shed some light on this? Any and all assistance would be greatly appreciated. Thank you in advance.

@beardedeagle Thanks for the request. I will send the instructions soon.

@beardedeagle Our production config looks like this:

{epmdless, [
    {transport, tls},
    {listen_port, 17012},
    {ssl_dist_opt, [
        {server, [
            {cacertfile, "certs/app.crt"},
            {certfile, "certs/client.crt"},
            {keyfile, "certs/client.key"},
            {verify, verify_peer}
        ]},
        {client, [
            {cacertfile, "certs/app.crt"},
            {certfile, "certs/client.crt"},
            {keyfile, "certs/client.key"},
            {verify, verify_peer}
        ]}
    ]}
]}

I think this can be translated into something like this with Elixir:

config :epmdless,
  transport: :tls,
  listen_port: 17_012,
  ssl_dist_opt: [
    client: [
      cacertfile: "certs/app.crt",
      certfile: "certs/client.crt",
      keyfile: "certs/client.key",
      verify: :verify_peer
    ],
    server: [
      cacertfile: "certs/app.crt",
      certfile: "certs/client.crt",
      keyfile: "certs/client.key",
      verify: :verify_peer
    ]
  ]
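The config above enables TLS and peer verification, but the server side as written still accepts a connecting node that presents no certificate at all: Erlang's `:ssl` treats an empty client certificate as valid under `verify_peer` unless `fail_if_no_peer_cert` is also set, which is exactly what the `server_fail_if_no_peer_cert true` entry in the question's `SSL_DIST_OPT` snippet does. The following is an added example (not code from the epmdless project or from this thread) showing the weak shape next to the hardened one. It assumes that the `client`/`server` lists in `ssl_dist_opt` are handed straight to `:ssl`, as the maintainer's config implies, and it reuses the certificate paths from the thread; `import Config` needs Elixir 1.9 or later (use `use Mix.Config` on older releases).

```elixir
# Added example, not part of epmdless or this thread.
# Assumptions: epmdless passes the `client`/`server` option lists in
# `ssl_dist_opt` unchanged to Erlang's :ssl module, and the certificate
# files live where the thread's config puts them.
#
# In Erlang distribution every node is both a TLS server (it accepts
# incoming connections) and a TLS client (it dials out), so one node
# certificate is used for both roles.

import Config

# Options shared by both roles: trust only our own CA, present this node's
# certificate and key, and require the peer's chain to verify against that CA.
common_tls_opts = [
  cacertfile: "certs/app.crt",
  certfile: "certs/client.crt",
  keyfile: "certs/client.key",
  verify: :verify_peer,
  # The CA signs node certificates directly; raise this if you introduce an
  # intermediate CA.
  depth: 1
]

config :epmdless,
  transport: :tls,
  listen_port: 17_012,
  ssl_dist_opt: [
    client: common_tls_opts,
    # WEAK (the shape shown in the thread): `verify: :verify_peer` alone on the
    # server still lets a peer that sends *no* certificate connect, because
    # :ssl treats an empty client certificate as valid by default.
    #
    #   server: common_tls_opts
    #
    # HARDENED: refuse any peer that does not present a certificate signed by
    # our CA. Equivalent to `server_fail_if_no_peer_cert true` in SSL_DIST_OPT.
    server: common_tls_opts ++ [fail_if_no_peer_cert: true]
  ]
```

With the hardened server list, a node that has the CA file but not a CA-signed certificate and key is rejected during the handshake instead of being admitted to the cluster, so the distribution protocol (which carries remote code execution by design) is reachable only by nodes holding a valid key.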

@beardedeagle Also, I have found a bug in the TLS backend. #12 will address the issue.

For now, please test the related branch :(.

Just in case, I am using the following snippet to generate self-signed SSL certificates: https://github.com/oltarasenko/exgraylog/blob/master/Makefile#L26

@beardedeagle
OK, I have merged the PR above and also published the related package to Hex. Also, since the question has come up, I have made a small sample repository to show how to set up epmdless with Elixir and TLS support: https://github.com/oltarasenko/epmdless-elixir-example

Hopefully it can help you!

@beardedeagle I have decided to keep it open for now, in case you have some additional questions regarding it. I will close the issue by the end of the week if no new questions appear.

I'm wondering if it would make sense for epmdless_dist:add_node/2 to have a default port number, as this would make it compatible with other clustering libraries in Elixir land.

@beardedeagle I am not sure about it. Let me think a bit. Technically it's easy to do, but...

In general, EPMDLess is used in cases where we define each node's port manually. Every node has its own different port in our setup. I just wonder whether a default port would give us anything, as it looks like you would have to specify a port each time anyway?

What do you think?