From b1155ed119f44cd82e7171756aeeeb64e939ae9c Mon Sep 17 00:00:00 2001
From: scottf
Date: Tue, 25 Jun 2024 10:00:30 -0400
Subject: [PATCH 1/3] Document connecting to a reverse proxy

---
 src/NATS.sln | 3 --
 src/Samples/README.md | 4 +-
 .../CustomTCPConnection.cs | 33 ------------
 .../TLSReverseProxyExample.cs | 52 ------------------------
 .../TLSReverseProxyExample.csproj | 19 -------
 src/Samples/TlsVariationsExample/README.md | 36 +++++++++++++
 6 files changed, 38 insertions(+), 109 deletions(-)
 delete mode 100644 src/Samples/TLSReverseProxyExample/CustomTCPConnection.cs
 delete mode 100644 src/Samples/TLSReverseProxyExample/TLSReverseProxyExample.cs
 delete mode 100644 src/Samples/TLSReverseProxyExample/TLSReverseProxyExample.csproj
 create mode 100644 src/Samples/TlsVariationsExample/README.md

diff --git a/src/NATS.sln b/src/NATS.sln
index a444daec9..a22a013f7 100644
--- a/src/NATS.sln
+++ b/src/NATS.sln
@@ -117,8 +117,6 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "JetStreamPushSubscribeAsync
 EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SimplificationQueue", "Samples\SimplificationQueue\SimplificationQueue.csproj", "{F8609197-D5B0-42CC-890E-921CAAA1589E}"
 EndProject
-Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "TLSReverseProxyExample", "Samples\TLSReverseProxyExample\TLSReverseProxyExample.csproj", "{98C52074-7693-48D4-B0A9-48920EEEDA24}"
-EndProject
 Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "ChaosTestApp", "Samples\ChaosTestApp\ChaosTestApp.csproj", "{649DEBB2-E0AC-47ED-AA39-B119F512C204}"
 EndProject
 Global
@@ -385,7 +383,6 @@ Global
 {C7FB00D4-23F1-4F6A-A8C0-E58346F272DE} = {776C2E80-958B-4C0D-BCC4-67D39DB4570B}
 {5DCD0666-5AC9-462F-99BD-5E8E95E4B749} = {776C2E80-958B-4C0D-BCC4-67D39DB4570B}
 {F8609197-D5B0-42CC-890E-921CAAA1589E} = {776C2E80-958B-4C0D-BCC4-67D39DB4570B}
- {98C52074-7693-48D4-B0A9-48920EEEDA24} = {776C2E80-958B-4C0D-BCC4-67D39DB4570B}
 {649DEBB2-E0AC-47ED-AA39-B119F512C204} = {776C2E80-958B-4C0D-BCC4-67D39DB4570B}
 EndGlobalSection
 GlobalSection(ExtensibilityGlobals) = postSolution
diff --git a/src/Samples/README.md b/src/Samples/README.md
index 48c6a03b1..cc13a9975 100644
--- a/src/Samples/README.md
+++ b/src/Samples/README.md
@@ -12,8 +12,8 @@ This folder contains a number of samples:
 1. `Replier` - A sample replier for the Requestor application.
 1. `RxSample` - Rx integration / functionality
 1. `Subscribe` - A sample subscriber.
-1. `WinFormsSample`
-1. `TlsVariationsExample`
+1. `WinFormsSample` - Use the client within a Windows application.
+1. `TlsVariationsExample` - Some examples setting up the client for TLS
 1. `JetStreamStarter` - A starter app for JetStream projects.
 
 ### Simplification
diff --git a/src/Samples/TLSReverseProxyExample/CustomTCPConnection.cs b/src/Samples/TLSReverseProxyExample/CustomTCPConnection.cs
deleted file mode 100644
index 5c4464cc5..000000000
--- a/src/Samples/TLSReverseProxyExample/CustomTCPConnection.cs
+++ /dev/null
@@ -1,33 +0,0 @@
-using NATS.Client;
-using System;
-using System.Collections.Generic;
-using System.IO;
-using System.Net.Security;
-using System.Net.Sockets;
-using System.Runtime.InteropServices.ComTypes;
-using System.Security.Authentication;
-using System.Security.Cryptography.X509Certificates;
-using static NATS.Client.Defaults;
-
-
-namespace NATSExamples
-{
-
-
- ///
- /// Convenience class representing the TCP connection to prevent
- /// managing two variables throughout the NATs client code.
- ///
- /// This "Custom" implementation just makes the connection TLS after opening it.
- ///
- public class CustomTCPConnection : Connection.TCPConnection
- {
-
- public override void open(Srv s, Options options)
- {
- base.open(s, options);
- base.makeTLS();
- }
- }
- }
-
diff --git a/src/Samples/TLSReverseProxyExample/TLSReverseProxyExample.cs b/src/Samples/TLSReverseProxyExample/TLSReverseProxyExample.cs
deleted file mode 100644
index ccb6cb495..000000000
--- a/src/Samples/TLSReverseProxyExample/TLSReverseProxyExample.cs
+++ /dev/null
@@ -1,52 +0,0 @@
-using NATS.Client;
-using System;
-using System.Net.Security;
-using System.Security.Cryptography.X509Certificates;
-
-namespace NATSExamples
-{
- ///
- /// This example shows how to use a TLS-Terminating proxy with the NATs .NET client
- ///
- /// This example is not production hardened
- ///
- /// You can create a TLS Terminating proxy using Stunnel.
- ///
- ///
- internal static class TlsVariationsExample
- {
- // 8444 is a port where the Terminating Proxy is listening
- static readonly string Url = "nats://192.168.1.108:8444";
- // This is unsafe and assumes all certificates are good.
- private static bool verifyServerCert(object sender,
- X509Certificate certificate, X509Chain chain,
- SslPolicyErrors sslPolicyErrors)
- {
- return true;
-
- }
-
- public static void Main(string[] args)
- {
-
- var opts = ConnectionFactory.GetDefaultOptions();
- opts.Url = Url;
- opts.TLSRemoteCertificationValidationCallback = verifyServerCert;
- opts.TCPConnection = new CustomTCPConnection();
-
- try
- {
- using (IConnection c = new ConnectionFactory().CreateConnection(opts))
- {
-
- }
- }
- catch (Exception ex)
- {
- Console.Error.WriteLine(ex);
- }
- }
- }
-}
-
-
diff --git a/src/Samples/TLSReverseProxyExample/TLSReverseProxyExample.csproj b/src/Samples/TLSReverseProxyExample/TLSReverseProxyExample.csproj
deleted file mode 100644
index ab7deff12..000000000
--- a/src/Samples/TLSReverseProxyExample/TLSReverseProxyExample.csproj
+++ /dev/null
@@ -1,19 +0,0 @@
-
-
-
- Exe
- NATS TLS Terminating Proxy Example
- NATS TLS Terminating Proxy Example
- false
- NATSExamples
-
-
-
-
-
-
-
- $(NoWarn);NU1701
-
-
-
diff --git a/src/Samples/TlsVariationsExample/README.md b/src/Samples/TlsVariationsExample/README.md
new file mode 100644
index 000000000..34b8b08cc
--- /dev/null
+++ b/src/Samples/TlsVariationsExample/README.md
@@ -0,0 +1,36 @@
+![NATS](https://raw.githubusercontent.com/nats-io/nats.net/main/documentation/large-logo.png)
+
+# TLS Variations
+
+This project is simply some example code to jump start setting up TLS in the client.
+There are also unit tests and corresponding configuration files which may be of use.
+
+## Using a Reverse Proxy
+
+In a reverse proxy configuration, the client connects securely to the reverse proxy
+and the proxy may connect securely or insecurely to the server.
+
+If the proxy connects securely to the server,
+then there is nothing special required to do at all.
+
+But most commonly, the proxy connects insecurely to the server.
+This is where server configuration comes into play.
+You will need to configure the server like so:
+
+```
+tls {}
+allow_non_tls: true
+```
+
+Before this, the reason that the client would not connect is
+because the server was not requiring tls for the proxy,
+but the client was configured as secure because it was connecting securely to the proxy.
+The client thought that this was a mismatch and would not connect,
+essentially failing fast instead of waiting for the server to reject the connection attempt.
+
+The latest version of the client is able recognize this server configuration
+and understands that it's okay to connect securely to the proxy regardless of the
+server configuration.
+
+You just have to make sure you can properly connect securely to the proxy
+and that's where the code in this sample comes in.
\ No newline at end of file

From ca9022bf58f04fd2a800eea94d1a7d2ba13ecc6f Mon Sep 17 00:00:00 2001
From: scottf
Date: Tue, 25 Jun 2024 10:04:56 -0400
Subject: [PATCH 2/3] Document connecting to a reverse proxy

---
 src/Samples/TlsVariationsExample/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Samples/TlsVariationsExample/README.md b/src/Samples/TlsVariationsExample/README.md
index 34b8b08cc..b1f6a0169 100644
--- a/src/Samples/TlsVariationsExample/README.md
+++ b/src/Samples/TlsVariationsExample/README.md
@@ -28,7 +28,7 @@ but the client was configured as secure because it was connecting securely to th
 The client thought that this was a mismatch and would not connect,
 essentially failing fast instead of waiting for the server to reject the connection attempt.
 
-The latest version of the client is able recognize this server configuration
+The latest version of the client is able to recognize this server configuration
 and understands that it's okay to connect securely to the proxy regardless of the
 server configuration.
 

From 6dbe199645cf915f5dc78836e43f14e3ee2cc5ed Mon Sep 17 00:00:00 2001
From: scottf
Date: Tue, 25 Jun 2024 10:05:34 -0400
Subject: [PATCH 3/3] Document connecting to a reverse proxy

---
 src/Samples/TlsVariationsExample/README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/Samples/TlsVariationsExample/README.md b/src/Samples/TlsVariationsExample/README.md
index b1f6a0169..eb7aa12e0 100644
--- a/src/Samples/TlsVariationsExample/README.md
+++ b/src/Samples/TlsVariationsExample/README.md
@@ -22,7 +22,7 @@ tls {}
 allow_non_tls: true
 ```
 
-Before this, the reason that the client would not connect is
+Before this, the client would not connect
 because the server was not requiring tls for the proxy,
 but the client was configured as secure because it was connecting securely to the proxy.
 The client thought that this was a mismatch and would not connect,