sozu-proxy / sozu

Sōzu HTTP reverse proxy, configurable at runtime, fast and safe, built in Rust. It is awesome!
https://www.sozu.io/
GNU Affero General Public License v3.0
3.03k stars, 187 forks

Add protocol info to backends #258

Open Geal opened 7 years ago

Geal commented 7 years ago

Right now, connections to backends are done in plain TCP. We should support connecting to backends in TLS.

Issues that can appear:

- HTTP/2 might need more info, like "this backend server can use TLS but does not support HTTP/2".
- It might be useful to pass this info in configuration at the app level, not at the backend level, to make sure all backends behave in the same way. But that could mean we have an application with plaintext HTTP on the frontend, and HTTPS on the backend?

shirshak55 commented 4 years ago

Regarding HTTP/2, I think the best solution is to reuse code and ideas from the hyper crate?

Geal commented 4 years ago

hyper uses the h2 crate, and that crate relies heavily on futures and tokio. As sozu uses its own event loop based on mio, it would not be compatible.

dlecan commented 3 years ago

We are in 2021, can we expect secured connections between Sozu and backends soon?

Geal commented 3 years ago

To be transparent, our focus (at @CleverCloud) for this has been instead on encrypting communications at a lower layer, through wireguard. It is less complex to distribute wireguard keys and set up networks than setting up a PKI, distributing certificates and either installing them in a different way for each backend server, or adding another proxy for TLS termination near the backend.

The feature is not particularly hard to add though; creating a new type of socket for backends should make some easily self-contained code. IIRC I had some code for that somewhere, I'll see if I can dig it out.

dlecan commented 3 years ago

> our focus (at @CleverCloud) ... encrypting communications at a lower layer, through wireguard.

:clap: I'm a client :-) We shouldn't discuss this here, but, well, I don't know where to ask for it :wink: Is encryption already available between your reverse-proxies and application backends?

Geal commented 3 years ago

You can ask on our support chat :smiley: It is not available yet, we're currently testing the wireguard deployment.