feat(cubejs-server): Integrated support for TLS #213
@cubejs-backend/server listen supports receiving an option object. Given env CUBEJS_ENABLE_TLS=true, the CubejsServer will use the option object in order to set up an https connection.
How can I update the docs? |
@philippefutureboy Hey Philippe! Thanks for contributing this! Could you please provide some code examples on how it can be used? There's a GitHub edit link for each page in Docs BTW. You can use it to locate every page inside the repository. Probably we need to make it a little bit bigger. |
@paveltiunov Sup :) So examples:

```js
/**
 * Example 1: Certificate from filesystem (e.g. certbot)
 * You could add a filesystem watch for the certificate folder and update the
 * keys automatically based on change in files
 * Assuming CUBEJS_ENABLE_TLS=true
 */
const fs = require("fs-extra");
const CubejsServer = require("@cubejs-backend/server");
const cubejsOptions = require("./cubejsOptions");

// Private key and full certificate chain, read once at startup
const tlsOptions = {
  key: fs.readFileSync(process.env.CUBEJS_TLS_PRIVATE_KEY_FILE),
  cert: fs.readFileSync(process.env.CUBEJS_TLS_PRIVATE_FULLCHAIN_FILE),
};

const cubejsServer = cubejsOptions
  ? new CubejsServer(cubejsOptions)
  : new CubejsServer();

cubejsServer.listen(tlsOptions).then(({ tlsPort, server }) => {
  console.log(`🚀 Cube.js server is listening securely on ${tlsPort}`);
});
```

```js
/**
 * Example 2: Self-signed, self-renewed certificate renewal
 * Assuming CUBEJS_ENABLE_TLS=true
 */
const CubejsServer = require("@cubejs-backend/server");
const cubejsOptions = require("./cubejsOptions");
const {
  createCertificate,
  scheduleCertificateRenewal,
} = require("./certificate");

async function main() {
  const cubejsServer = cubejsOptions
    ? new CubejsServer(cubejsOptions)
    : new CubejsServer();

  const certOptions = { days: 2, selfSigned: true };
  const tlsOptions = await createCertificate(certOptions);

  const { tlsPort, server } = await cubejsServer.listen(tlsOptions);
  console.log(`🚀 Cube.js server is listening securely on ${tlsPort}`);

  // Swap the certificate on the running server before it expires
  scheduleCertificateRenewal(server, certOptions, (err, result) => {
    if (err !== null) {
      console.error(
        `🚨 Certificate renewal failed with error "${err.message}"`
      );
      // take some action here to notify the DevOps
      return;
    }
    console.log(`🔐 Certificate renewal successful`);
  });
}

main();
```

As for the docs, I think it would be better if the And for the last bit, the |
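An added example, not part of this PR or of Cube.js: one way to do the filesystem-watch reload mentioned in the Example 1 comment, calling `setSecureContext` on the `server` object that `listen` resolves with. `reloadCertificate` and `watchCertificate` are hypothetical helper names, and the sketch assumes the key and certificate files sit in the same directory.

```javascript
const fs = require("fs");
const path = require("path");
const tls = require("tls");

// Read both PEM files, confirm they load together as a TLS context, then swap.
// Returns true when the server's context was replaced, false otherwise.
function reloadCertificate(server, keyFile, certFile, log = console) {
  try {
    const pair = {
      key: fs.readFileSync(keyFile),
      cert: fs.readFileSync(certFile),
    };
    // Throws on malformed PEM, and OpenSSL rejects a key that does not match
    // the certificate (e.g. a renewal tool has rewritten only one file so far).
    tls.createSecureContext(pair);
    // Applies to new connections; established ones keep their old context.
    server.setSecureContext(pair);
    return true;
  } catch (err) {
    // Keep serving with the previous, still loaded context.
    log.error(`Certificate reload skipped: ${err.message}`);
    return false;
  }
}

// Watch the certificate directory and reload once writes have settled.
// Returns a function that stops watching.
function watchCertificate(server, keyFile, certFile, delayMs = 1000) {
  let timer = null;
  const names = new Set([path.basename(keyFile), path.basename(certFile)]);
  const watcher = fs.watch(path.dirname(certFile), (event, filename) => {
    // Ignore unrelated files; some platforms do not report a filename.
    if (filename && !names.has(filename.toString())) return;
    clearTimeout(timer); // debounce: key and cert are written separately
    timer = setTimeout(
      () => reloadCertificate(server, keyFile, certFile),
      delayMs
    );
  });
  return () => {
    clearTimeout(timer);
    watcher.close();
  };
}
```

Validating the pair before the swap means a half-finished renewal leaves the previous certificate in service instead of breaking new handshakes.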
@philippefutureboy Nice! Makes sense. Could you please share how this redirect to TLS port is used in your case? |
@paveltiunov Yes! It's simply standard practice when someone attempts to use a secured service through an insecure channel. Rather than denying the client, the client is redirected to the secure channel. Also, can you let me know how I update the docs as part of this PR? |
@philippefutureboy Ok. Sounds good. Docs can be updated here: https://github.com/cube-js/cube.js/tree/master/docs. Could you please elaborate how do you use |
@paveltiunov Nice, thanks for the info! As for the ./config/env, it is a copy of create-react-app's way of handling environment variables, and I have found it to be really valuable in every project that I have used it in, since it grants you the ability to run separate configs for each environment, and have separate files for secret overrides and env to be committed to version control. It is currently used in Cheers! |
@philippefutureboy Makes sense. Yeah. If it's not used let's remove it for now and we're good to merge. |
Updated documentation to reflect changes in API and introduction of TLS support.
@paveltiunov Should be good to go! Make sure to give a review to the docs. Now the quick question is when will this be published to the npm package? |
@philippefutureboy Thanks! We're going to ship this week or early next week. |
@cubejs-backend/server listen supports receiving an option object.
Given env CUBEJS_ENABLE_TLS=true, the CubejsServer will use the option object in order to set up an https connection.
Upon resolution, the listen promise will provide access to the server object (http.Server or https.Server) for easy access should the user need to access it. For instance, the main reason for this PR is that I want to be able to use self-signed certificates for internal data transfers (from EC2 to EC2) and be able to swap them dynamically when they are about to expire using tls.setSecureContext.
Check List