dlecocq closed this 10 years ago
It may also be useful to warn if AUTH is provided but TLS not requested. It may technically be allowed by the protocol, but in this day and age, it's probably better to just disallow it.
Auth as a protocol on the nsqd side is pretty flexible. It doesn't describe what fields are used for the auth decision, but exposes ip/port, auth_secret and the tls state to an authentication daemon for that decision.
@b4hand I know of existing work to implement auth using ident (to map a remote connection to a user) and I've used it for IP-based ACL. In those cases it makes sense to allow auth regardless of TLS state. (nsqd does require an auth_secret, but I've just used `.` to trigger the auth).
Warning on auth without TLS seems useful, though.
This is not yet detailed in the TCP spec, but `pynsq`'s implementation was used as a reference.
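The trade-off discussed in this thread, sketched as the decision function of an authentication daemon. This is an added example, not code from nsqd, pynsq or any participant here. The policy data, the function names and the response fields (`ttl`, `identity`, `authorizations`) are assumptions modelled on the inputs the thread lists (remote IP, auth_secret, TLS state).

```python
import hmac
import ipaddress

# Constructed sample policy (assumption, not from the thread).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # IP-based ACL
SECRETS = {"constructed-secret-1": "billing-service"}  # real shared secrets


def _grant(identity):
    # Assumed response shape: who the client is and what it may do.
    return {
        "ttl": 3600,
        "identity": identity,
        "authorizations": [
            {"permissions": ["subscribe", "publish"], "topic": ".*", "channels": [".*"]}
        ],
    }


def decide(remote_ip, tls, secret):
    """Return (grant or None, warnings) for one AUTH attempt."""
    warnings = []

    # Constant-time comparison so response timing does not leak secret bytes.
    identity = next(
        (who for s, who in SECRETS.items()
         if hmac.compare_digest(s.encode(), secret.encode())),
        None,
    )
    if identity is not None:
        if not tls:
            # A real secret crossed the wire in cleartext: refuse and flag it.
            warnings.append("auth_secret sent without TLS; treat it as exposed")
            return None, warnings
        return _grant(identity), warnings

    # IP-based ACL: the secret is only a placeholder (such as "."), so nothing
    # confidential was sent and the grant can stand regardless of TLS state.
    ip = ipaddress.ip_address(remote_ip)
    if any(ip in net for net in TRUSTED_NETS):
        if not tls:
            warnings.append("IP-based grant on a non-TLS connection")
        return _grant(f"ip:{remote_ip}"), warnings

    return None, warnings
```
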