-
Notifications
You must be signed in to change notification settings - Fork 28
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add a chapter to the tutorial explaining HTTPS and mTLS configuration
- Loading branch information
Héctor Hurtado
committed
Aug 18, 2020
1 parent
d0e0881
commit 3ba3df6
Showing
2 changed files
with
86 additions
and
0 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -9,3 +9,4 @@ | |
| tutorial03 | ||
| tutorial04 | ||
| tutorial05 | ||
| tutorial06 | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,85 @@ | ||
| Securing the server | ||
| =================== | ||
|
|
||
| **Senior** | ||
|
|
||
| Hi... I hope you rested last night! | ||
|
|
||
| Come on, I need your help here! | ||
|
|
||
| **Junior** | ||
|
|
||
| Good morning! What's the matter? Sounds worrying | ||
|
|
||
| **Senior** | ||
|
|
||
| We forgot to take the most basic security measures when deploying our services. | ||
| Every body at the company can access the services and the information is | ||
| transferred in clear text. | ||
|
|
||
| **Junior** | ||
|
|
||
| Oh! Damn, you're right! You think we can do anything to solve this mess? | ||
|
|
||
| **Senior** | ||
|
|
||
| Yes, I'm pretty sure that those smart guys have thought on that when building | ||
| Kapow! Have a look at the `documentation </examples/https_mtls>`_. | ||
|
|
||
| **Junior** | ||
|
|
||
| Got it! They did it, here're the instictions to start a server with HTTPS support. | ||
|
|
||
| It's amazing! It says we can even use mTLS to control access, really promising. | ||
|
|
||
| **Senior** | ||
|
|
||
| Ok, ok... First thigs first. We need to get a server certificate to start | ||
| working with HTTPS. Fortunately we can ask for one to the CA we use for the | ||
| other servers. Let's pick up one for development, they're quick to get. | ||
|
|
||
| **Junior** | ||
|
|
||
| Yeah! I'll change the startup script to configure HTTPS: | ||
|
|
||
| .. code-block:: console | ||
| $ kapow server --keyfile /etc/kapow/tls/keyfile --certfile /etc/kapow/tls/certfile /etc/kapow/awesome.pow | ||
| It's easy, please copy the private key file and certificate chain to `/etc/kapow/tls` and we can restart. | ||
|
|
||
| **Senior** | ||
|
|
||
| Great! it's working, communications are secured. Let's say everybody to change | ||
| from http to https. | ||
|
|
||
| **Junior** | ||
|
|
||
| Ok, did it. What are the steps to follow to limit access by using mTLS? | ||
|
|
||
| **Senior** | ||
|
|
||
| Besides configuring the server we need to provide the users with their own | ||
| client certificates and private keys so they can configure their browsers and | ||
| the application server. | ||
|
|
||
| **Junior** | ||
|
|
||
| Yes, please give me the CA certificate that will issue our client certificates | ||
| and I'll change the startup script again | ||
|
|
||
| .. code-block:: console | ||
| $ kapow server --keyfile /etc/kapow/tls/keyfile --certfile /etc/kapow/tls/certfile --clientauth=true --clientcafile /etc/kapow/tls/clientCAfile /etc/kapow/awesome.pow | ||
| Done! | ||
|
|
||
| **Senior** | ||
|
|
||
| Ok, let's communicate the changes to all the affected teams before we restart | ||
|
|
||
| **Junior** | ||
|
|
||
| Oh God, After all we're starting to look like Google | ||
|
|
||
| (chuckles) |