Setting Loklak Server with SSL
Loklak Server is built on an embedded Jetty server, which can run with or without SSL/TLS encryption. Recently there was a need to set up Loklak Server with SSL; that need was met by putting CloudFlare in front of it. Alternatively, there are two ways to set up Loklak Server with SSL itself:
1) Default Jetty Implementation
There is a pre-existing implementation using the Jetty libraries. The HTTP mode is set in the configuration file. Loklak Server can run in four modes: http only, https alongside http, https only, and redirect-to-https (plain-HTTP requests are redirected to the HTTPS port). Loklak Server listens on port 9000 in http mode and on port 9443 in https mode.
An SSL certificate is also needed; its location is given in the same configuration file.
2) Getting SSL certificate with Kube-Lego on Kubernetes Deployment
I got to know about Kube-Lego from @niranjan94. It is implemented in Open-Event-Orga-Server. The approach is to use:
a) Nginx as ingress controller
For setting up the Nginx ingress controller, a YAML manifest is needed which pulls the nginx-ingress-controller image and configures it.
The configuration for request and response handling (the ingress controller's ConfigMap) is:
    proxy-connect-timeout: "15"
    proxy-read-timeout: "600"
    proxy-send-timeout: "600"
    hsts-include-subdomains: "false"
    body-size: "64m"
    server-name-hash-bucket-size: "256"
    server-tokens: "false"
Nginx is configured to serve both the http and https ports in service.yml:
    ports:
    - port: 80
      name: http
    - port: 443
      name: https
b) Kube-Lego for fetching SSL certificates from Let’s Encrypt
Kube-Lego was set up with the default values in its YAML. It uses the host name, email address and secret name of the deployment to prove control of the domain to Let's Encrypt (the ACME HTTP-01 challenge, answered through the same Nginx ingress on port 80) and fetch an SSL certificate.
c) Setup configurations related to TLS and no-TLS connection
These configuration files specify the path and service port through which the Nginx server forwards requests to the backend Loklak Server. For both no-TLS and TLS requests, Nginx forwards to the Kubernetes service named server on port 80, i.e. to the Loklak Server container's plain-HTTP port. TLS is terminated at Nginx, so traffic between the ingress controller and Loklak Server inside the cluster is unencrypted.
    rules:
    - host: staging.loklak.org
      http:
        paths:
        - path: /
          backend:
            serviceName: server
            servicePort: 80
For TLS requests, the secret name is also given. Kube-Lego reads the host name and secret name from here when requesting the certificate, and stores the issued certificate and key in that secret:
    tls:
    - hosts:
      - staging.loklak.org
      secretName: loklak-api-tls
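The rules and tls fragments above only work once they sit in one Ingress object that Kube-Lego is told to watch. The manifest below is an added example assembling them, not the project's own file: the Ingress name and the web namespace are assumptions, and the two annotations are the ones Kube-Lego's documentation requires (kubernetes.io/tls-acme to opt the Ingress in, kubernetes.io/ingress.class to route it through the Nginx controller that also answers the HTTP-01 challenge).

```yaml
# Added example: a complete Ingress for the staging host, built from the
# rules and tls fragments in the post. Not the project's own manifest;
# the name and namespace are assumptions.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: loklak-api            # assumed name
  namespace: web              # assumed: the "web" namespace from the deploy script
  annotations:
    # Without this annotation Kube-Lego ignores the Ingress: no certificate
    # is requested and the secret named below is never populated.
    kubernetes.io/tls-acme: "true"
    # Route through the Nginx ingress controller, which serves the
    # /.well-known/acme-challenge/ path on port 80 for Kube-Lego.
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - staging.loklak.org
    secretName: loklak-api-tls   # Kube-Lego writes tls.crt and tls.key here
  rules:
  - host: staging.loklak.org
    http:
      paths:
      - path: /
        backend:
          serviceName: server    # Loklak Server service, plain HTTP port 80
          servicePort: 80
```

After applying it, check that the secret actually got filled (kubectl get secret loklak-api-tls --namespace=web should show two data keys, tls.crt and tls.key) and that the Kube-Lego pod's logs report a successful ACME authorization for staging.loklak.org. From outside the cluster, openssl s_client -connect staging.loklak.org:443 -servername staging.loklak.org shows whether Nginx is serving the Let's Encrypt chain or still its self-signed fallback certificate.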
d) Loklak Server, ElasticSearch and Mosquitto at backend
These containers run in the backend. ElasticSearch and Mosquitto are reachable only from Loklak Server, and Loklak Server itself is reachable only through the Nginx server. Loklak Server is configured to run in http mode and its service is exposed on port 80:
    ports:
    - port: 80
      protocol: TCP
      targetPort: 80
To deploy Loklak Server, all of these run in separate pods and talk to each other through service ports. They are deployed with the deploy script:
    # For elasticsearch, accessible only to api-server
    kubectl create -R -f ${path-to-config-file}/elasticsearch/
    # For mqtt, accessible only to api-server
    kubectl create -R -f ${path-to-config-file}/mosquitto/
    # Start KubeLego deployment for TLS certificates
    kubectl create -R -f ${path-to-config-file}/lego/
    kubectl create -R -f ${path-to-config-file}/nginx/
    # Create web namespace, this acts as bridge to Loklak Server
    kubectl create -R -f ${path-to-config-file}/web/
    # Create API server deployment and expose the services
    kubectl create -R -f ${path-to-config-file}/api-server/
    # Get the IP address of the deployment to be used
    kubectl get services --namespace=nginx-ingress
References
- kube-lego with GCE ingress controller: https://github.com/jetstack/kube-lego/tree/master/examples/gce
- What’s the difference between SSL, TLS, and HTTPS: https://security.stackexchange.com/questions/5126/whats-the-difference-between-ssl-tls-and-https
- Standalone HTTPS with Jetty: https://wiki.opennms.org/wiki/Standalone_HTTPS_with_Jetty