Issue with Mutual TLS Authentication Setup on Vespa Data Plane

Question

I have set up mutual TLS authentication on my Vespa Data Plane by configuring a TLS certificate, following the steps outlined in the Vespa security guide:
https://cloud.vespa.ai/en/security/guide.
The process involved generating a TLS certificate and private key for the client application.

However, after completing the setup, I noticed that my client server is still able to make requests to Vespa without providing the required mutual certificate. According to my understanding, Vespa should have requested the client to provide a valid certificate for authentication before fulfilling the request.

Here are the steps I followed:

I generated the TLS certificate for my Vespa Data Plane using the command:
vespa auth cert --application <tenant>.<app>.<instance>
This generated the necessary certificate and private key files.

I then prepared and activated Vespa using the commands:
vespa-deploy prepare
vespa-deploy activate
vespa deploy

However, even after completing these steps, the client server can still access Vespa's data without providing any certificate for authentication.
I want to ensure that Vespa enforces mutual TLS authentication and requires the client to present a valid certificate before processing any requests.
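The symptom in the question, requests that succeed both with and without the client certificate, is what a server that merely accepts client certificates looks like, as opposed to one that requires them. The following probe is an added example, not code from the question, from Vespa or from the Vespa CLI: it stands up a loopback TLS server in Go with a made-up CA and compares Go's RequireAndVerifyClientCert policy against VerifyClientCertIfGiven by sending a request with no certificate, with a certificate from the trusted CA, and with one of the same name from an unrelated CA. The CA and certificate names are assumptions; against a real endpoint the trusted request corresponds to pointing a client at the certificate and key that vespa auth cert wrote, and the no-certificate request to the plain request the asker saw succeed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// ProbeResult: did the GET get HTTP 200 for each kind of client credential? Under enforced mTLS only TrustedCert is true.
type ProbeResult struct {
	NoCert        bool // client presents no certificate at all
	TrustedCert   bool // client certificate issued by the CA the server trusts
	UntrustedCert bool // client certificate issued by an unrelated CA
}

// newCert issues a P-256 certificate for cn (all names here are made up): a self-signed CA
// when parent is nil, otherwise a server+client-auth leaf signed by parent.
func newCert(cn string, parent *tls.Certificate) (tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, IPAddresses: []net.IP{net.IPv4(127, 0, 0, 1)}}
	issuer, signer := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		issuer, signer = parent.Leaf, parent.PrivateKey
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}
	} else {
		tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, err
}

// Probe starts a loopback TLS server whose ClientAuth policy is mode (standing in for whatever
// switch the real server uses) and sends one GET with each kind of client credential.
func Probe(mode tls.ClientAuthType) (res ProbeResult, err error) {
	issue := func(cn string, parent *tls.Certificate) *tls.Certificate {
		c := tls.Certificate{}
		if err == nil { // skip once something has already failed
			c, err = newCert(cn, parent)
		}
		return &c
	}
	ca, rogueCA := issue("probe-ca", nil), issue("rogue-ca", nil) // trusted CA, unrelated CA
	server := issue("server", ca)
	trusted, untrusted := issue("vespa-client", ca), issue("vespa-client", rogueCA) // same CN, different issuer
	if err != nil {
		return res, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca.Leaf)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Under mTLS the verified client identity is available to the application here.
		fmt.Fprintf(w, "client certificates presented: %d\n", len(r.TLS.PeerCertificates))
	}))
	// ClientCAs says which client certificates verify; ClientAuth says whether one is required at all.
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{*server}, ClientCAs: pool, ClientAuth: mode}
	srv.StartTLS()
	defer srv.Close()
	get := func(clientCert *tls.Certificate) bool {
		cfg := &tls.Config{RootCAs: pool}
		if clientCert != nil { // send it unconditionally, as curl --cert does
			cfg.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) { return clientCert, nil }
		}
		client := &http.Client{Transport: &http.Transport{TLSClientConfig: cfg, DisableKeepAlives: true}}
		resp, e := client.Get(srv.URL)
		if e != nil {
			return false // handshake rejected: the server refused to serve this client
		}
		resp.Body.Close()
		return resp.StatusCode == http.StatusOK
	}
	res.NoCert, res.TrustedCert, res.UntrustedCert = get(nil), get(trusted), get(untrusted)
	return res, nil
}

func main() {
	for _, m := range []tls.ClientAuthType{tls.RequireAndVerifyClientCert, tls.VerifyClientCertIfGiven} {
		fmt.Println(Probe(m)) // {false true false} <nil> for the enforcing mode
	}
}
```

A data plane that enforces mutual TLS answers only the trusted request: the no-certificate request fails at the handshake rather than with an HTTP error afterwards, and the untrusted one fails even though it carries a certificate. If the no-certificate request also returns 200, the server is in the VerifyClientCertIfGiven situation, so the thing to check is which CA the server trusts and whether it requires a client certificate at all, not the client.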

Answer 1

Score: 1

I am not sure if this answers your question, but https://github.com/vespa-engine/sample-apps/tree/master/examples/operations/multinode-HA#secure-vespa-with-mutually-authenticated-tls provides a template for mTLS configuration.

huangapple
  • Posted on 2023-07-27 21:59:17
  • Please keep this link when reposting: https://go.coder-hub.com/76780524.html