Securing the server¶
Senior
Hi… I hope you rested last night!
Come on, I need your help here!
Junior
Good morning! What’s the matter? Sounds worrying
Senior
We forgot to take the most basic security measures when deploying our services. Every body at the company can access the services and the information is transferred in clear text.
Junior
Oh! Damn, you’re right! You think we can do anything to solve this mess?
Senior
Yes, I’m pretty sure that those smart guys have thought on that when building Kapow! Have a look at the documentation.
Junior
Got it! They did it, here’re the instictions to start a server with HTTPS support.
It’s amazing! It says we can even use mTLS to control access, really promising.
Senior
Ok, ok… First thigs first. We need to get a server certificate to start working with HTTPS. Fortunately we can ask for one to the CA we use for the other servers. Let’s pick up one for development, they’re quick to get.
Junior
Yeah! I’ll change the startup script to configure HTTPS:
$ kapow server --keyfile /etc/kapow/tls/keyfile \ --certfile /etc/kapow/tls/certfile \ /etc/kapow/awesome-routeIt’s easy, please copy the private key file and certificate chain to
/etc/kapow/tls
and we can restart.
Senior
Great! it’s working, communications are secured. Let’s say everybody to change from http to https.
Junior
Ok, did it. What are the steps to follow to limit access by using mTLS?
Senior
Besides configuring the server we need to provide the users with their own client certificates and private keys so they can configure their browsers and the application server.
Junior
Yes, please give me the CA certificate that will issue our client certificates and I’ll change the startup script again
$ kapow server --keyfile /etc/kapow/tls/keyfile \ --certfile /etc/kapow/tls/certfile \ --clientauth true \ --clientcafile /etc/kapow/tls/clientCAfile \ /etc/kapow/awesome-routeDone!
Senior
Ok, let’s communicate the changes to all the affected teams before we restart
Junior
Oh God, After all we’re starting to look like Google
(chuckles)