Add ability to disable mTLS #181
Conversation
There was a problem hiding this comment.
Sorry for the late review.
Has this been tested? I don't see how it would work as is. The vehicle connection handler uses the TLS cert to identify a device. With this change, wouldn't that be unavailable?
Reviewing this from a code perspective... will need opinion for @sethterashima for security.
| @@ -71,5 +71,8 @@ func startServer(config *config.Config, airbrakeNotifier *gobrake.Notifier, logg | |||
| if server.TLSConfig, err = config.ExtractServiceTLSConfig(logger); err != nil { | |||
| return err | |||
| } | |||
| if config.DisableTLS { | |||
There was a problem hiding this comment.
Move this up, no point in extracting TLSConfig if not going to use it.
| @@ -272,3 +272,4 @@ Moreover, the following application-specific considerations apply: | |||
| the frequency they need. | |||
| * Providers agree to take full responsibility for privacy risks, as soon as data | |||
| leave the devices (for more info read our privacy policies). | |||
| * If (and only if!) your're running your Fleet Telemetry instance behind a trusted proxy which takes care of mTLS handling, set ```"disable_tls"``` to ```true``` in the config. | |||
There was a problem hiding this comment.
which takes care of mTLS handling => which handles mTLS
| return nil, errors.New("tls config is empty - telemetry server is mTLS only, make sure to provide certificates in the config") | ||
| } | ||
|
|
||
| if c.DisableTLS { |
There was a problem hiding this comment.
Don't enter this code path at all if TLS disabled?
| @@ -0,0 +1,30 @@ | |||
| { | |||
There was a problem hiding this comment.
imo no need for this example file since disable_tls is the only option that has changed from the base example.
| @@ -111,9 +111,13 @@ func serveHTTPWithLogs(h http.Handler, logger *logrus.Logger) http.Handler { | |||
| } | |||
|
|
|||
| // Status API shows server with mtls config is up | |||
There was a problem hiding this comment.
comment incorrect now
Description
This PR adds support for disabling mTLS/TLS. This allows for running fleet telemetry behind a trusted proxy in a secure network which takes care of mTLS handling. mTLS can be disabled in the config by setting
disable_tlstotrue. By default, this value is not set (= false), resulting in the same behaviour as before and ensuring a secure configuration.Fixes #171
Type of change
Please select all options that apply to this change:
Checklist:
Confirm you have completed the following steps: