Closed JLofgren closed 6 years ago
The tls-enable flag turns on TLS for connections from kafka-proxy to the Kafka brokers. To terminate TLS on the proxy, use proxy-listener-tls-enable. You can of course combine these options.
Config examples:
1) proxy client side TLS with an encrypted client certificate
--tls-enable
--tls-ca-chain-cert-file=ca-chain.cert.pem
--tls-client-cert-file=client.cert.pem
--tls-client-key-file=client.key.pem
--tls-client-key-password=$(TLS_CLIENT_KEY_PASSWORD)
2) proxy server side TLS
--proxy-listener-tls-enable
--proxy-listener-cert-file=server.cert.pem
--proxy-listener-key-file=server.key.pem
--proxy-listener-key-password=$(TLS_SERVER_KEY_PASSWORD)
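The combination the reply mentions, TLS on both sides with a separate certificate for each, as an added shell example that is not part of the original thread or the project's documentation. The `server` subcommand and `--bootstrap-server-mapping` flag are not on this page, the broker address, ports and the `run`/`print` arguments are constructed, and the `$(NAME)` form in the reply is assumed to be Kubernetes-style substitution, so the shell version uses `${NAME}`.

```shell
#!/bin/sh
# Added example: kafka-proxy with TLS on both sides, using the flags quoted above.
# Assumption: "$(TLS_CLIENT_KEY_PASSWORD)" in the reply is Kubernetes container-arg
# syntax. In a shell, $(NAME) is command substitution, so ${NAME} is used here.

# kafka_proxy_tls CMD [ARGS...]
# Runs CMD with the combined argument list appended, so the same function can
# launch the proxy or just print the arguments for review.
kafka_proxy_tls() {
    # Abort if a key password is unset or empty, rather than starting the
    # proxy with a blank password.
    : "${TLS_CLIENT_KEY_PASSWORD:?set TLS_CLIENT_KEY_PASSWORD}"
    : "${TLS_SERVER_KEY_PASSWORD:?set TLS_SERVER_KEY_PASSWORD}"

    # Constructed mapping: broker address, then the local listener address.
    mapping="${BOOTSTRAP_MAPPING:-broker-0.example.internal:9093,0.0.0.0:32400}"

    # Note: values passed as flags are visible in the host's process list.
    "$@" server \
        --bootstrap-server-mapping="$mapping" \
        --tls-enable \
        --tls-ca-chain-cert-file=ca-chain.cert.pem \
        --tls-client-cert-file=client.cert.pem \
        --tls-client-key-file=client.key.pem \
        --tls-client-key-password="${TLS_CLIENT_KEY_PASSWORD}" \
        --proxy-listener-tls-enable \
        --proxy-listener-cert-file=server.cert.pem \
        --proxy-listener-key-file=server.key.pem \
        --proxy-listener-key-password="${TLS_SERVER_KEY_PASSWORD}"
}

case "${1:-}" in
    run)   kafka_proxy_tls kafka-proxy ;;     # start the proxy
    print) kafka_proxy_tls printf '%s\n' ;;   # show the arguments, one per line
esac
```

The `--tls-*` flags carry the certificate the proxy presents to the brokers, and the `--proxy-listener-*` flags carry the certificate it presents to Kafka clients, so each side of the connection has its own key pair.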
Ah, great! I didn't see the proxy-listener tls options. Thanks!
I have not experimented yet, but would like to know - does the tls_enable flag turn on TLS for connections from kafka-proxy to the kafka brokers? Or from clients to kafka-proxy? Or both?
If both, how would you configure different certificates for each side of the connection?
If only one of the above, are there plans to enable TLS for the other side?