SSL Enablement

[buzzzo]

Hi

I've seen by default the web ui (8009 port) have not ssl enabled.
How to enable it ? or even more is it possible to put a reverse proxy in front of hoop gateway in order to terminate ssl on it ?

Thx

[sandromello]

Yes it's possible, we still lack any documentation about this at the moment.
Here's a nginx example configuration to proxy both protocols in the same port (HTTP and gRPC):

events {
    worker_connections  1024;
}

http {
    server {
        server_name your_public_hostname;
        listen 443 ssl;
        http2 on;
        ssl_certificate     /etc/certs/server.crt;
        ssl_certificate_key /etc/certs/server.key;

        location ~ ^/protobuf.+ {
                client_max_body_size 0;
                grpc_read_timeout 30s;
                grpc_send_timeout 30s;
                grpc_socket_keepalive on;
                grpc_pass grpc://127.0.0.1:8010;
                break;
        }

        location / {
            proxy_pass http://127.0.0.1:8009;
        }
    }
}

[buzzzo]

Thx

It works perfectly.
Just one question: it's expected that agent connections are already encrypted on port 8010.
By proxying it tru nginx does it add any performance penalty in the tunnelled connection as basically the data are encrypetd twice ?.

[sandromello]

Awesome!
The data is not encrypted on port 8010.

[buzzzo]

Awesome! The data is not encrypted on port 8010.

Just to understand, without nginx ssl termination when I'm publishing for example bash, does the traffic between the agent (server where bash is to be run) and gateway goes unencrypted ? and does the traffic goes tru port 8010 on the gateway ?

From the documentation "hoop Agent: A lightweight agent that runs in your infrastructure and executes the operations you request. hoop.dev’s agent is responsible for running the operations in your infrastructure through a secure gRPC tunnel with the hoop Gateway;"

So i've (maybe wrongly) assumed that "secure gRPC tunnel" occurs on port 8010 and it goes encrypted.

Thx

[sandromello]

Yes, it goes unencrypted. The traffic is only encrypted if you configure your clients to do:

• specifying grpcs://<your-loadbalancer-host>:<grpc-public-port> will always force any client (hoop connect or agent) to connect via TLS

You can advertise clients to always connect using a secure scheme by setting the env GRPC_URL in the gateway. When a user login or you create an agent key it will contain the public address of the grpc gateway.

If you're running the agent in a trusted network it shouldn't be a problem. However, if you're connecting agents over an untrusted networks, make sure to always connect it with TLS.

Regarding the traffic path, both clients connect on port 8010 and messages are exchanged over gRPC.

• When the execution is the REST API, a client connects via gRPC on localhost always without TLS.
• When the client is hoop connect: it uses the configuration of the client (grpc/grpcs)
• When the client is the agent: it uses the configuration of the client (grpc/grpcs)

[buzzzo]

Hi Sandro

So by default port 8010 remains unencrypted and the encryption layer it's a job for an external layer ( in our case nginx).
I'm using on the agent side the following:

grpc_url = "https://hoop.foobar.it:443", and i've seen on the config.toml i've also this: InsecureGRPC = false
Please note i've enforce on the gateway's side the grpc_url as per above.

So I assume agent traffic it's going encrypted.

So afaik to recap:

1. by default the grpc tunnel is NOT encrypted
2. the job of encrypts the grpc should be offloaded to an external entity (nginx here)
3. best practice is ALWAYS to encrypt grpc tunnels (port 8010 behind a reverse proxy)
4. point 3 is MANDATORY if I publish hoop gateway on the internet.

Thx for your support.

[sandromello]

Yes, your statements are accurate.

The InsecureGRPC option on toml has no effect, the logic to use TLS is based on the protocol scheme:

• grpc: connect on grpc port insecurely (non TLS)
• grpcs: conect on grpc port securely (TLS)

If you want to encrypt the gateway by default, you could configure the HTTP and gRPC server to use custom TLS credentials as well:

• TLS_KEY=file:///path/to/cert.key
• TLS_CA=file:///path/to/ca.pem
• TLS_CERT=file:///path/to/cert.pem

[buzzzo]

Thx.

To reduce the overlays i've disabled the docker-proxy in order to let nginx connect directly to the hoop.dev services.
Anyway no speed differences is noted but it's better to reduce the complexity.

Thx again