Configure Zero HTTPS access with TLS options

Moved from GitHub dgraph/5422

Posted by danielmai:

Experience Report

Note: Feature requests are judged based on user experience and modeled on Go Experience Reports. These reports should focus on the problems: they should not focus on and need not propose solutions.

What you wanted to do

I wanted to be able to access Zero endpoints securely over TLS with client authentication (REQUIREANDVERIFY). This is so I can call the /assign endpoint to assign UIDs from my app securely. An unauthenticated request should not be able to access exposed Zero endpoints and potentially exhaust all possible UIDs.

What you actually did

There are no options to configure Zero with TLS.

Why that wasn’t great, with examples

Alpha has TLS options to configure secure connections including client-auth settings for mutual TLS. While Zero is typically is not accessible via the client, it’s still needed for (example):

  • Dgraph Live Loader
  • Dgraph Bulk Loader
  • Using /assign to assign UID leases manually to manage UID assignment from my app.

I can configure Alpha with mTLS to ensure that only clients with the clientcert can communicate with Dgraph, but anyone who has access to Zero’s HTTP port can run Zero endpoints like /assign.

Any external references to support your case

This is related to #3048 which is about setting up TLS for gRPC connections.