docs: Add page about securing envoy to quick-start #13880
mattklein123 merged 31 commits into envoyproxy:master from
Conversation
Signed-off-by: Ryan Northey <[email protected]>
/retest
Retrying Azure Pipelines:
This reverts commit e733b2e. Signed-off-by: Ryan Northey <[email protected]>
@mattklein123 this one is nearly ready for final review - it's taking a while as I was testing as I was writing it. I still need to add/update some links and fix some small formatting/grammar issues.
@mattklein123 this one should be ready for final review
mattklein123 left a comment
Thanks this is awesome. A few comments to get started.
/wait
The following guide takes you through individual aspects of securing traffic.

To secure traffic over a network that is untrusted, you are strongly advised to make
use of :ref:`SNI <start_quick_start_securing_sni>` *and* :ref:`mTLS <start_quick_start_securing_mtls>`
re: SNI, I would rephrase this, as I don't think it's required to use SNI. In some sense, SNI is just a routing concept (setting aside TLS1.3 encrypted SNI which breaks all of this).
re: mTLS, I might rephrase this slightly, as the way this is written will be contentious with some people. There is a set of people that think mTLS is too complicated and per-request (signing, etc. like JWT) is a better way to handle mutual authentication. I think mTLS is one way of doing this, but it would be good to rephrase slightly and potentially link to some of the per-request options such as JWT/Oauth/etc.
So re SNI, my understanding is that it prevents a type of spoofing - i.e. valid certs for the wrong server (maybe this is wrong).
I'll remove this/related advice and try to clarify what is written about it...
Re mTLS - got it (I think) - I'll make the warning about mutual authentication and encryption, and suggest this as a way to address those problems.
So re SNI, my understanding is that it prevents a type of spoofing - i.e. valid certs for the wrong server (maybe this is wrong).
Yep, from further testing, this is wrong.
SNI "allows" multiple domains to be served at the same IP with different certs. I guess browsers just automatically use the DNS name here.
From the Envoy configuration POV I guess the advice is still that it's best to put the DNS name of the upstream in the TLS cluster config.
I'm less clear how important it is to include in the security section, but I'll try and reword and we can figure out what/whether to include.
.. _start_quick_start_securing_sni:

Secure an endpoint with SNI
Per above, SNI is about routing, not about security. It's actually not secure at all (until encrypted SNI in TLS 1.3). Can you check this around the doc and update/rephrase as needed?
So I get that it's called routing, but my understanding is that it just "addresses" the other side with an "SNI" name.
Certainly in my testing, DNS had no bearing here - as long as the SNI name matched what was in the match list (or there was no match list) then it worked.
If there was a match list then the SNI has to be set (DNS also had no bearing in this case).
In terms of the title for this section - how about "Validating certificates with SNI"?
I feel like we want to include SNI here, and that it is sufficiently related to cert security, but I'm struggling to think how to word the section title.
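An added example configuration, not from this PR or the Envoy docs page under review, that makes the distinction in the thread concrete: on the listener the tls_inspector reads the client's SNI and `filter_chain_match.server_names` selects a filter chain (routing, not authentication; `require_client_certificate` is what enforces mTLS), while on the cluster `sni` sets the name sent to the upstream and `match_subject_alt_names` pins which certificate Envoy will accept, so a valid cert for a different host is rejected. Hostnames, ports and certificate paths are placeholders.

```yaml
static_resources:
  listeners:
  - name: listener_0
    address:
      socket_address: { address: 0.0.0.0, port_value: 10000 }
    listener_filters:
    - name: envoy.filters.listener.tls_inspector  # reads ClientHello so SNI is available for matching
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.filters.listener.tls_inspector.v3.TlsInspector
    filter_chains:
    - filter_chain_match:
        server_names: ["www.example.com"]  # SNI picks this chain (and its cert); it authenticates nobody
      transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          require_client_certificate: true  # mTLS: client must present a cert chaining to trusted_ca
          common_tls_context:
            tls_certificates:
            - certificate_chain: { filename: "/etc/envoy/certs/www.example.com.crt" }  # placeholder
              private_key: { filename: "/etc/envoy/certs/www.example.com.key" }        # placeholder
            validation_context:
              trusted_ca: { filename: "/etc/envoy/certs/clientca.crt" }                # placeholder
      filters:
      - name: envoy.filters.network.tcp_proxy
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.tcp_proxy.v3.TcpProxy
          stat_prefix: ingress_tls
          cluster: service_backend
  clusters:
  - name: service_backend
    connect_timeout: 1s
    type: STRICT_DNS
    load_assignment:
      cluster_name: service_backend
      endpoints:
      - lb_endpoints:
        - endpoint: { address: { socket_address: { address: backend.example.internal, port_value: 8443 } } }
    transport_socket:
      name: envoy.transport_sockets.tls
      typed_config:
        "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
        sni: backend.example.internal  # name sent to the upstream so it serves the right cert
        common_tls_context:
          validation_context:
            trusted_ca: { filename: "/etc/envoy/certs/upstreamca.crt" }  # placeholder
            match_subject_alt_names:  # the SAN Envoy insists on; without this any CA-signed cert passes
            - exact: backend.example.internal
```

Newer Envoy releases deprecate `match_subject_alt_names` in favour of `match_typed_subject_alt_names`; the intent is the same.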
@mattklein123 I've updated the SNI sections, and the initial warning about using auth/encryption. I'm still not 100% about the SNI stuff, but I think this is closer to what we want. I read the existing FAQ page, and anything else in the existing Envoy docs. I tried playing with the I guess the main difference between what I have tried to add here and what is in the FAQ already re SNI, is why people would want/need to use it - from both server and client perspectives.
For reference these are the nginx docs related to SNI https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/#server-name-indication
Also, not sure if this is necessary for the first iteration - but it would probs be good to get something about OCSP stapling in here.
@mattklein123 it would be good to land this - I've posted it to users on Slack twice in as many days - I think it's pretty useful, and we can iterate.
mattklein123 left a comment
Thanks this is great. Agreed we can ship and iterate. See my one follow up comment below. Thank you!
Here we provide a guide to using :ref:`mTLS <start_quick_start_securing_mtls>` which provides both encryption
and mutual authentication.
We can do it as a follow up, but I think it would be good to cross link here to other authentication and authorization concepts such as JWT/RBAC/OAUTH/etc.
Cool, I have some other pending PRs around here, I reckon I can tack something on.
Signed-off-by: Ryan Northey [email protected]
Commit Message: docs: Add page about securing envoy to quick-start
Additional Description:
Risk Level:
Testing:
Docs Changes:
Release Notes:
Platform Specific Features:
[Optional Runtime guard:]
[Optional Fixes #Issue]
[Optional Deprecated:]