contribsys / faktory

Language-agnostic persistent background job server
https://contribsys.com/faktory/

Add direct TLS support #469

Closed (mperham closed 6 months ago)

mperham commented 9 months ago

TLS is too hard to set up currently and the docs are broken.

Plan

  1. Faktory will look for /etc/faktory/conf.d/private.key and /etc/faktory/conf.d/public.crt and, if found, activate TLS. Users should create soft links from wherever TLS certs are stored into Faktory's config directory.
  2. Certificates should be reloaded upon HUP and the server socket reopened so new connections will use the new TLS certs. Existing connections will continue to run with their existing TLS session. As workers are restarted, those old connections will go away.

mperham commented 9 months ago

    err := http.ListenAndServeTLS(":443", "public.crt", "private.key", nil)

These two files must be an X509 pair and are processed by https://pkg.go.dev/crypto/tls#LoadX509KeyPair.

mperham commented 9 months ago

Keep in mind if this doesn't work for you, there's a million other ways to add TLS "in front of" Faktory. HAProxy, stunnel, or any number of other proxies can provide public TLS and forward unencrypted traffic to Faktory privately.