Support direct use of SSL on the HTTP auth/websocket #176

Merged 1 commit on Mar 21, 2018

@sinbad sinbad commented Mar 19, 2018

Presently Nakama requires the use of a separate SSL terminator such as a load balancer. This adds additional complexity, resource usage and cost - if you set up Load Balancer on Google Cloud Platform to do the job, it actually costs more than a small instance to run. You can set up Nginx locally to do it, but this is another moving part which needs configuring & maintaining, uses system resources, and which can potentially fail.

Small devs using Nakama in limited scenarios may want to keep things small and simple, taking the risk of running a single node cheaply (they couldn't run multiple nodes without Enterprise anyway) while still protecting user data by using SSL (you can use self-signed certificates securely, see related PR for Unity client heroiclabs/nakama-unity#60).

This PR allows you to configure an ssl cert/key combo for the Nakama server itself, meaning you can use the server directly instead of via an intermediary. This is clearly not as robust as using 3rd party proxy services to help with DDoS protection etc, but a dev running the server on a single node is already making the trade-off of resilience for simplicity / cost, so it's a valid usage scenario for some.

I'm prepared that this PR might not be accepted since it's not a recommended configuration, but @mofirouz encouraged me to submit it in case it's of use to someone anyway.

if len(sockConfig.SSLCertificate) > 0 && len(sockConfig.SSLPrivateKey) > 0 {
cer, err := tls.LoadX509KeyPair(sockConfig.SSLCertificate, sockConfig.SSLPrivateKey)
if err != nil {
a.logger.Error("Loading SSL certs failed", zap.Error(err))
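Review bot: the guard `len(sockConfig.SSLCertificate) > 0 && len(sockConfig.SSLPrivateKey) > 0` skips this block without any message when only one of the two values is set, so a missing key path or a typo in one setting looks the same as SSL not being configured at all. Consider treating exactly one value set as a configuration error. In the `err != nil` branch, `a.logger.Error` reads as a recoverable condition; if startup carries on after it, the server runs without the certificate the operator asked for, so a fatal log or a returned error fits better here.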
Member

We'll need to make this into FATAL to ensure that the server doesn't start with invalid config values, aka fail fast, as this could make developers confused as to why SSL certs were given but unused. I'll make this code change on master.

Contributor Author

Ah OK, thanks. I wasn’t sure what the expected error level was and erred on the side of not stopping the startup but that makes sense.

Member

@mofirouz mofirouz left a comment

Very nice. Thanks for this :)

@mofirouz mofirouz merged commit fd10c50 into heroiclabs:master Mar 21, 2018