Add a chapter to the tutorial explaining HTTPS and mTLS configuration
This commit is contained in:
Héctor Hurtado
@@ -9,3 +9,4 @@
|
|||||||
tutorial03
|
tutorial03
|
||||||
tutorial04
|
tutorial04
|
||||||
tutorial05
|
tutorial05
|
||||||
|
tutorial06
|
||||||
|
|||||||
@@ -0,0 +1,85 @@
|
|||||||
|
Securing the server
|
||||||
|
===================
|
||||||
|
|
||||||
|
**Senior**
|
||||||
|
|
||||||
|
Hi... I hope you rested last night!
|
||||||
|
|
||||||
|
Come on, I need your help here!
|
||||||
|
|
||||||
|
**Junior**
|
||||||
|
|
||||||
|
Good morning! What's the matter? Sounds worrying
|
||||||
|
|
||||||
|
**Senior**
|
||||||
|
|
||||||
|
We forgot to take the most basic security measures when deploying our services.
|
||||||
|
Every body at the company can access the services and the information is
|
||||||
|
transferred in clear text.
|
||||||
|
|
||||||
|
**Junior**
|
||||||
|
|
||||||
|
Oh! Damn, you're right! You think we can do anything to solve this mess?
|
||||||
|
|
||||||
|
**Senior**
|
||||||
|
|
||||||
|
Yes, I'm pretty sure that those smart guys have thought on that when building
|
||||||
|
Kapow! Have a look at the `documentation </examples/https_mtls>`_.
|
||||||
|
|
||||||
|
**Junior**
|
||||||
|
|
||||||
|
Got it! They did it, here're the instictions to start a server with HTTPS support.
|
||||||
|
|
||||||
|
It's amazing! It says we can even use mTLS to control access, really promising.
|
||||||
|
|
||||||
|
**Senior**
|
||||||
|
|
||||||
|
Ok, ok... First thigs first. We need to get a server certificate to start
|
||||||
|
working with HTTPS. Fortunately we can ask for one to the CA we use for the
|
||||||
|
other servers. Let's pick up one for development, they're quick to get.
|
||||||
|
|
||||||
|
**Junior**
|
||||||
|
|
||||||
|
Yeah! I'll change the startup script to configure HTTPS:
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
$ kapow server --keyfile /etc/kapow/tls/keyfile --certfile /etc/kapow/tls/certfile /etc/kapow/awesome.pow
|
||||||
|
|
||||||
|
It's easy, please copy the private key file and certificate chain to `/etc/kapow/tls` and we can restart.
|
||||||
|
|
||||||
|
**Senior**
|
||||||
|
|
||||||
|
Great! it's working, communications are secured. Let's say everybody to change
|
||||||
|
from http to https.
|
||||||
|
|
||||||
|
**Junior**
|
||||||
|
|
||||||
|
Ok, did it. What are the steps to follow to limit access by using mTLS?
|
||||||
|
|
||||||
|
**Senior**
|
||||||
|
|
||||||
|
Besides configuring the server we need to provide the users with their own
|
||||||
|
client certificates and private keys so they can configure their browsers and
|
||||||
|
the application server.
|
||||||
|
|
||||||
|
**Junior**
|
||||||
|
|
||||||
|
Yes, please give me the CA certificate that will issue our client certificates
|
||||||
|
and I'll change the startup script again
|
||||||
|
|
||||||
|
.. code-block:: console
|
||||||
|
|
||||||
|
$ kapow server --keyfile /etc/kapow/tls/keyfile --certfile /etc/kapow/tls/certfile --clientauth=true --clientcafile /etc/kapow/tls/clientCAfile /etc/kapow/awesome.pow
|
||||||
|
|
||||||
|
Done!
|
||||||
|
|
||||||
|
**Senior**
|
||||||
|
|
||||||
|
Ok, let's communicate the changes to all the affected teams before we restart
|
||||||
|
|
||||||
|
**Junior**
|
||||||
|
|
||||||
|
Oh God, After all we're starting to look like Google
|
||||||
|
|
||||||
|
(chuckles)
|
||||||
Reference in New Issue
Block a user