TLS was brought up multiple times while discussing issue 2188 in today's ENF Engineering meeting.
Currently, nodeos does not support any kind of encryption between itself and an API client or reverse-proxy. A service provider would deploy nodeos behind a reverse-proxy, where the reverse-proxy performs TLS termination for API clients. Traffic between the reverse-proxy and nodeos flows unencrypted, leaving it vulnerable to attacks in the event the service provider operates in a shared environment or their network is compromised.
The industry-standard solution is to use a service mesh to encrypt intra-datacenter communication using mTLS. Mutual TLS provides the added benefit of authenticating the reverse-proxy accessing nodeos. Other suggested workarounds included tunneling this traffic through a VPN or SSH.
Another suggestion still was to directly support an Internet-facing API in Leap using a tool like Mongoose.
This ticket tracks mTLS 1.3 support until that design decision is made, and in the event HTTPS support is added to Leap.
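One interim way to get the mTLS 1.3 hop discussed above while nodeos itself has no TLS support, as an added example that is not part of this issue or of Leap: wrap the plaintext API port with an stunnel pair, server side on the nodeos host and client side on the reverse-proxy host. Both sections are shown in one block for readability but belong in each host's own stunnel.conf; hostnames, ports and certificate paths are assumptions, and nodeos is assumed to keep its default loopback-only http-server-address of 127.0.0.1:8888.

```ini
; nodeos host: terminates mTLS and forwards to the plaintext nodeos HTTP API
[nodeos-api-server]
; listener reached by the reverse-proxy host (assumed port)
accept  = 0.0.0.0:8443
; nodeos http-server-address, plaintext, loopback only (assumed default)
connect = 127.0.0.1:8888
cert    = /etc/stunnel/nodeos-server.pem
key     = /etc/stunnel/nodeos-server.key
CAfile  = /etc/stunnel/internal-ca.pem
; peer certificate must chain to the internal CA, and a missing
; certificate is rejected rather than silently accepted
verifyChain = yes
requireCert = yes
; refuse anything older than TLS 1.3
sslVersionMin = TLSv1.3

; reverse-proxy host: proxy_pass to 127.0.0.1:8889 instead of to the nodeos host directly
[nodeos-api-client]
client  = yes
accept  = 127.0.0.1:8889
connect = nodeos.internal.example:8443
cert    = /etc/stunnel/proxy-client.pem
key     = /etc/stunnel/proxy-client.key
CAfile  = /etc/stunnel/internal-ca.pem
; verify the server chain and pin the expected server identity
verifyChain = yes
checkHost = nodeos.internal.example
sslVersionMin = TLSv1.3
```

With this in place only port 8443 is exposed on the nodeos host, and it answers only to a peer holding a certificate issued by the internal CA, which gives the proxy-authentication property the issue mentions.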