grpc server ruby with TLS/SSL - ruby

I am trying to implement a secure gRPC TLS connection between a ruby client and a ruby server. I am unable to figure out how to configure the server to use the secure connection.
In production, our server is implemented in Go. However, we have been unable to connect to it from ruby by anything other than an insecure connection. I have been tasked with creating a reference TLS connection to show a secure connection from a ruby client will work.
I have the grpc quickstart example greeter working for ruby as an insecure connection.
In the gRPC authentication documentation the Go example replaces this
s := grpc.NewServer()
with this
creds, _ := credentials.NewServerTLSFromFile(certFile, keyFile)
s := grpc.NewServer(grpc.Creds(creds))
for ruby there is this in the quickstart greeter app
s = GRPC::RpcServer.new
but I have been unable to find how to create a secure server.
The requirements include that we must have the server validate the client's public key as trusted in order to allow access to the server. (The client will also need to trust the server's public key to validate the server.)

I've not used Ruby w/ gRPC but am familiar with the Golang SDK.
See here for what appears to be a Ruby gRPC server w/ TLS:
https://developers.google.com/maps-booking/legacy/booking-server-code-samples/gRPC-v0-legacy/partner-api-ruby

Related

Client could not find service in gRPC server

https://pastebin.com/7vqdrHyg greet.proto
https://pastebin.com/4PYDYZ6Q greet_grpc.pb.go
https://pastebin.com/2n6n8JjS greet_pb.go
https://pastebin.com/FPpCJEGR main.go
https://pastebin.com/CXuxG5fB handler/greet.go
I have implemented a simple grpc server using Golang. The server accepts a connection from a client and returns a simple response message.
I have a Python client that is trying to connect to the server through localhost:8080.
The gRPC code for the client and server are created with the same IDL interface.
https://pastebin.com/RLp3QUWX client.py
However, the connection is unsuccessful and I got the following error.
https://pastebin.com/Cji9Pkhj
I don't know how GreetService is called at the server side, but I assumed that the interface is defined somewhere in greet_grpc.pb.go
UPDATE: I have pushed the code to this repo for better readability.

Is there a way to use the cloud run tls certificates from within my golang server?

I'd like to use the net/http's ListenAndServeTLS function to provide secure connection for my websockets (wss).
The app is dropped under Cloud Run, and since ListenAndServeTLS requires the certFile & keyFile params (pem & key), is there a way to use those within my server file?
Or is there a better way to get the websockets working under https? (without the secure connection, its just ws, and it just fail with this message:
Failed to construct 'WebSocket': An insecure WebSocket connection may not be initiated from a page loaded over HTTPS.

Gateway API - Apache APISIX with Secured Websockets

I am trying to add an API Gateway to a client-server system, which communicates through WebSockets.
The Server is an audio recognition engine that sits in a remote machine, and clients are connecting to it through WebSockets ('wss://...'), sending audio files and receiving their text translate representation.
My main goal is to add a free open-source API Gateway in the middle in order to authenticate\authorize\rate limit\etc (Tried Kong\Tyk\krakenD, but they are not free).
After searching the web, I focused on Apache APISIX gateway.
As a test, I managed to connect the APISIX to a client-server which communicates by http/https and it worked fine.
Moreover, I managed to connect the client with the server on regular websocket connection (ws://) and the data transactions were successful, but no matter what I do I cant connect to the secured connection. Are there any special configurations I should edit in the dashboard?
I'm wondering if anyone knows from experience if it's possible to use
the secured WebSockets with Apache APISIX and if yes, how exactly it should be done - because the docs are missing any informative info\examples, or if there are better solutions known to my problem.
The only WebSocket reference in APISIX dashboard -
What you should do is create an SSL object (you can find it in the sidebar on the left side). See https://apisix.apache.org/docs/apisix/admin-api/#ssl to learn the APISIX SSL object.
You can see an example at https://apisix.apache.org/docs/apisix/certificate
The SSL object provides the required TLS Certificate and Private Key so that this key pair can be used in a TLS handshake according to the TLS SNI sent from clients. After that, your client established a secured connection with APISIX, and now you can send the WebSocket traffic securely.

how to make golang grpc clients follow redirects

I have a server that redirects to server:443 when connecting to server:80. I have a grpc client that is connecting to server:80 with
clientConn, err = grpc.Dial("server:80", grpc.WithTransportCredentials(credentials.NewTLS(config)))
Its throwing a "tls: first record does not look like a TLS handshake" error. Is there a way to make the client follow the redirects?
gRPC client does not handle 302 redirects. See this https://github.com/grpc/grpc-java/issues/5330 - this is for Java but also applies to Golang.

How can I make my Windows C++/OpenSSL application proxy-aware?

I'm working on a desktop C++ application which uses OpenSSL sockets (a raw TLS socket, not HTTPS) to communicate with our server.
One of our clients are required to route their traffic through a proxy. The client is using ZScaler in Tunnel with Local Proxy mode.
In theory, it's possible to reconfigure ZScaler to force our traffic through a proxy chosen by ZScaler. However, I want to investigate solutions where our application uses the Windows OS-level proxy settings rather than relying on ZScaler configuration.
I've read this post:
openssl s_client using a proxy
But I'm uncertain whether those answers apply to my situation, because that user didn't mention whether they're using Windows or Linux, and they appear to be talking about an HTTP/HTTPS proxy. Also, that question appears to be asking about the s_client function, rather than simply creating a TLS socket to my server through a "Tunnel with Local Proxy" on Windows.
So, my questions are:
Can OpenSSL be used to open an SSL socket to a server through Tunnel with Local Proxy?
Can we make an OS call to determine the IP/socket for the Tunnel with Local Proxy configuration?
If this is possible, then I have another question: suppose we have a single proxy at 10.100.10.0:5000.
If one user in our client's office opens a socket to our server via their proxy, will a 2nd user be unable to connect from their office because they're bottlenecked at single proxy socket?
Put another way: what is the standard way of implementing proxy-awareness for a Windows application using OpenSSL?
Note: This question was originally posted to Network Engineering stack exchange, but it was closed because it refers to an issue above OSI layer 4.
Note: I'm looking for a solution that does not require administrator permissions on the user PC. I would prefer for our application to discover and use OS-level proxy settings without making any administrative changes to the machine, i.e. by calling netsh.
Can OpenSSL be used to open an SSL socket to a server through Tunnel with Local Proxy?
OpenSSL doesn't do it for you but OpenSSL does not prevent it either. The tunnel has to be established before you do the TLS handshake to the endpoint. Depending on what kind of proxy this is you might need to use a HTTP CONNECT method for this or might need to use the SOCKS protocol or whatever your proxy requires. In case of ZScaler this is likely the HTTP CONNECT method but you need to make sure that the connection to the target IP and port is actually allowed by the security policy.
Once you've established the tunnel to the endpoint using the proxy you can just build the SSL socket on top of the TCP socket for the tunnel. Just do the usual SSL setup (i.e. SSL_new etc) and then associate the SSL object with the existing socket using SSL_set_fd. Then proceed as usual with the handshake, i.e. SSL_connect or similar.
Can we make an OS call to determine the IP/socket for the Tunnel with Local Proxy configuration?
I don't know but Winsock use system proxy settings might answer this part.
If one user in our client's office opens a socket to our server via their proxy, will a 2nd user be unable to connect from their office because they're bottlenecked at single proxy socket?
This should not be a problem. It is perfectly normal to have multiple connections through the proxy.

Resources