Add a chapter to the tutorial explaining HTTPS and mTLS configuration
@@ -9,3 +9,4 @@
tutorial03
tutorial04
tutorial05
tutorial06
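Review bot: the toctree gains a `tutorial06` entry, but the second hunk on this page carries no visible file header, so confirm that the new chapter is saved as `tutorial06` with the same extension as the existing `tutorial03`..`tutorial05` entries; otherwise the docs build will warn about a reference to a nonexisting document and the new chapter will not be reachable from the index.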
@@ -0,0 +1,85 @@
Securing the server
===================
**Senior**
Hi... I hope you rested last night!
Come on, I need your help here!
**Junior**
Good morning! What's the matter? Sounds worrying
**Senior**
We forgot to take the most basic security measures when deploying our services.
Every body at the company can access the services and the information is
transferred in clear text.
**Junior**
Oh! Damn, you're right! You think we can do anything to solve this mess?
**Senior**
Yes, I'm pretty sure that those smart guys have thought on that when building
Kapow! Have a look at the `documentation </examples/https_mtls>`_.
**Junior**
Got it! They did it, here're the instictions to start a server with HTTPS support.
It's amazing! It says we can even use mTLS to control access, really promising.
**Senior**
Ok, ok... First thigs first. We need to get a server certificate to start
working with HTTPS. Fortunately we can ask for one to the CA we use for the
other servers. Let's pick up one for development, they're quick to get.
**Junior**
Yeah! I'll change the startup script to configure HTTPS:
.. code-block:: console
$ kapow server --keyfile /etc/kapow/tls/keyfile --certfile /etc/kapow/tls/certfile /etc/kapow/awesome.pow
It's easy, please copy the private key file and certificate chain to `/etc/kapow/tls` and we can restart.
**Senior**
Great! it's working, communications are secured. Let's say everybody to change
from http to https.
**Junior**
Ok, did it. What are the steps to follow to limit access by using mTLS?
**Senior**
Besides configuring the server we need to provide the users with their own
client certificates and private keys so they can configure their browsers and
the application server.
**Junior**
Yes, please give me the CA certificate that will issue our client certificates
and I'll change the startup script again
.. code-block:: console
$ kapow server --keyfile /etc/kapow/tls/keyfile --certfile /etc/kapow/tls/certfile --clientauth=true --clientcafile /etc/kapow/tls/clientCAfile /etc/kapow/awesome.pow
Done!
**Senior**
Ok, let's communicate the changes to all the affected teams before we restart
**Junior**
Oh God, After all we're starting to look like Google
(chuckles)
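Review bot: the HTTPS step tells the reader to copy the private key into `/etc/kapow/tls` ("It's easy, please copy the private key file and certificate chain to `/etc/kapow/tls` and we can restart.") but never says to restrict who can read it; add a sentence that the key file must be owned by, and readable only by, the account that runs `kapow server` (for example `chmod 600 /etc/kapow/tls/keyfile`), otherwise any local user can read the key and the HTTPS and mTLS setup built on it gives no protection. Two smaller points: the `documentation </examples/https_mtls>`_ link is an absolute URL rather than a document reference, so the docs build will not validate it and it breaks if the site is served under a sub-path (a `:doc:` role or a relative path would be safer); and the dialogue has typos that should be corrected before merge: "Every body" should be "Everybody", "instictions" should be "instructions", and "thigs" should be "things".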