DOCUMENT how to have NATS behind TLS terminating proxy #1131
Comments
As a test I made the following change to the library and the connection works diff --git a/src/main/java/io/nats/client/Options.java b/src/main/java/io/nats/client/Options.java
index a3f94613..d8f6a801 100644
--- a/src/main/java/io/nats/client/Options.java
+++ b/src/main/java/io/nats/client/Options.java
@@ -2108,7 +2108,7 @@ public class Options {
* @return true if there is an sslContext for these Options, otherwise false, see {@link Builder#secure() secure()} in the builder doc
*/
public boolean isTLSRequired() {
- return sslContext != null;
+ return false;
}
/** So what is needed is an option to force the client not to require TLS even if As an aside, the option |
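Review bot: Hard-coding `return false` in isTLSRequired() turns the check off for every configuration, including clients that set an sslContext and rely on this method to insist on TLS. It also leaves the @return javadoc directly above it ("true if there is an sslContext for these Options") untrue. Keep `return sslContext != null;` as the default and make the bypass an explicit opt-in option that only the proxy-terminated deployment sets, then state in the javadoc when the method can return false even though an sslContext is present.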
Okay - it seems using
Yes, TLS first doesn't do the same checking.
Would it be worth keeping this ticket or creating a new one to update the docs? Because they had me chasing my tail for a while there; and I only stumbled on the right answer by reading the code.
We have only recently had requests for dealing with reverse proxy, in fact before we explicitly did not want to support it. I will re-open and change this issue to a documentation issue. As of 2.17.7-SNAPSHOT, we can now support tls proxy termination where the client to proxy is tls, but the proxy to server is insecure.
Observed behavior
I am attempting to deploy NATS in AWS EKS with an NLB running a TLS terminating reverse proxy.
Clients inside the cluster will talk to NATS using plaintext.
I am following the guidance in the documentation to set up the Java client but I am seeing
Expected behavior
I expect the Java NATS client to connect to the NATS server behind a TLS terminating reverse proxy with the documented workaround.
Server and client version
Server is installed from Helm chart 1.1.11, which deploys nats:2.10.14-alpine
sha81f36bfe9dfef7cd3768abaf55fc309123cf6bf1cb0d8305a6700ff36034b93bz
Client is io.nats:jnats:2.17.6
Host environment
Not sure it's relevant, but test client is Mac OS Sonoma 14.4.1 Apple M2 with GraalVM CE 21.0.2+13.1 (build 21.0.2+13-jvmci-23.1-b30)
Steps to reproduce
Deploy NATS to AWS EKS using the specified helm chart, with the AWS Ingress controller and the following service annotations
This should provision an NLB with TLS termination on port 4222 available on an external IP address with a DNS name.
Set up the NATS config as described in the documentation and attempt to connect.
As the server does not have TLS enabled nor required - it cannot do as it does not run TLS and clients inside the cluster communicate in plain text - and the client requires TLS due to:
Once the NATS client connects to the server, the following check fails