Dgraph + AWS + TLS (SSL)

Hello beautiful people!

Current Dgraph + AWS + TLS Result:


Goal:
A Cloudflare Workers server that is the only entity allowed to query a load balanced Dgraph database in AWS! Please feel free to update the ingredients + recipe, & I’ll update them as I learn from the best + arrive at a working solution!

Ingredients:

  • EC2 Instance (t2.micro + Ubuntu)
  • Elastic IP (1.1.1.1)
  • EC2 Load Balancer
  • Route 53 Domain (example.com)
  • ACM Certificates
  • Dgraph Certificates (dgraph cert)

Recipe:

  1. Create EC2 Instance
  2. Add Dgraph to EC2 Instance
       curl https://get.dgraph.io -sSf | bash
  3. Create dgraph certificates
       dgraph cert -n example.com,1.1.1.1,localhost -c dgraphuser
  4. Create Elastic IP + assign to EC2 Instance
  5. Create Load Balancer + assign to EC2 Instance
  6. Create Security Group that only allows Cloudflare Workers to access Load Balancer (I’m confused here b/c I’m unsure what Cloudflare’s IP address is + how to align Security Groups between Load Balancer + EC2)
  7. Create Domain + assign to EC2 Load Balancer
  8. Create ACM Certificates + assign to Domain (I’m confused here) (maybe instead I import dgraph’s ca.crt certificate & don’t create any ACM certificates?) (or maybe I add ACM certificates to Dgraph?)
  9. Start Dgraph w/ TLS
       sudo su
       dgraph zero --my=localhost:5080
       dgraph alpha --my=localhost:7080 --lru_mb=1024 --zero=localhost:5080 --tls_dir tls --tls_client_auth VERIFYIFGIVEN
  10. In a Cloudflare Worker call our Dgraph database
       fetch('https://example.com:8080/health')
  11. We arrive in Heaven! Thank you friends!

Resources:

  1. Cloudflare Workers Sandbox
  2. Cloudflare Workers Marketing
  3. Dgraph TLS Configuration

Hey,

I’m pretty familiar with Cloudflare Workers. I had a few thoughts here:

  1. Cloudflare publishes their IP addresses here: IP Ranges | Cloudflare. You can put this into a security group.
  2. Are you hoping to use the gRPC APIs or the GraphQL / JSON APIs? This is relevant because gRPC endpoints are not supported by AWS layer 7 load balancers (as they do not support H/2 to the backing instance). If you are OK with GraphQL endpoints, then you can set up a layer 7 ALB, set up an ACM certificate, and then don’t need to put anything related to SSL in Dgraph. Do note that layer 7 ALBs still support H/2 outwards, just not to the backing service.
  3. Your exact model should work, but ideally be reduced to much fewer steps.
  4. If you do need gRPC, then the answer is a bit more complex, but basically you’ll need to use classic network load balancers, then set up everything as mentioned.

(Though you may not get the benefits of gRPC because Workers go into ‘sleep’ between requests, so models that maintain connections between requests might not work correctly.)

2 Likes

From the screenshot, you are getting the response for /health. So, I presume your question is only about the Warning for the certificate presented and what is missing in the recipe.

I believe that warning is because the Dgraph Root CA is not trusted on the client (the Cloudflare Worker in your case).

In step (3),

When you create the tls directory using the dgraph cert command, the directory should have a ca.crt file. This is the Dgraph Root CA certificate. You will need to manually copy this certificate onto the Client (cloudflare worker) in its Trusted Root CA authorities section.
Here are some instructions for how to do this for Windows and Mac:

  1. How to add Certificate to Trusted Root on Windows 10
  2. FAQ: How to add root certificate to Mac OS X | OCIO

Let me know if this fixes the Warning.

1 Like

Oh, and I totally forgot. We are launching a managed GraphQL solution very soon (in weeks). That should solve a lot of your issues, and you’ll just have a /graphql endpoint to hit.

Write to me at tejas@dgraph.io if you are interested.

2 Likes

Thank you Tejas! I’m happy to hear you’re familiar with Workers! The link to the Cloudflare IPs is very enlightening, thank you!

  1. My goal is to only allow a specific Cloudflare Worker to access our AWS database. Would adding all these IPs allow any Cloudflare Worker to access our database?!
  2. gRPC is not a requirement. Thank you for explaining how they interact with load balancers!
  3. My model isn’t working yet but I feel like we’re close. Which steps do you believe we may reduce, please?!

Thank you so much Paras!

The Windows + Mac installation links are very helpful, thank you!

I’m searching for what you’ve instructed, “Cloudflare Worker Trusted Root CA Authorities Section”, and searching the Cloudflare Docs for information on SSL, TLS, or a Trusted Root CA Authorities Section, without any results yet.

  1. Is this possible for Cloudflare Workers, please?
  2. Or maybe is there a way to make the generated ca.crt certificate valid for all clients?
  3. And once the ca.crt certificate is generated, how may I add it to the load balancer, please?

Hi @chris-carrington,

What I meant is that your model will get significantly easier if you switch to Layer 7 load balancers (ALBs). Specifically, you will no longer need to do steps 3-9. Instead, you can create an ALB, attach an ACM certificate, and set Dgraph as the backend. The ALB can handle SSL termination, and forwards valid HTTP requests in plaintext to Dgraph.

You can get this to work with advanced routing. You can have all queries from your Worker add a request header (say X-MyappSecurity: foobar), then Advanced Routing can reject all requests which are missing this header before it hits your Dgraph instance.

Let me know if this would work for you.

1 Like
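The Worker side of the header scheme described above, as an added example that is not code from the thread, from Dgraph or from Cloudflare. It assumes two hypothetical Worker bindings, DGRAPH_ORIGIN (the ALB hostname, e.g. https://example.com) and DGRAPH_SHARED_SECRET (the value the ALB rule compares X-MyappSecurity against), and assumes the ALB listener has a rule "if http-header X-MyappSecurity equals the secret, forward to the Dgraph target group" with a default action of a fixed 403 response. Because the security group admits every Cloudflare IP range, the header is what distinguishes this Worker from any other Cloudflare tenant, so the secret must stay in a Worker secret binding rather than in the script. The Worker also only forwards an allowlist of Dgraph paths, so endpoints the application never uses are not reachable through it.

```javascript
// Added example (not from the thread): a Worker that is the sole client of
// Dgraph behind the ALB. Every upstream call carries the shared-secret header
// the ALB listener rule requires; anything arriving at the ALB without it
// (even from other Cloudflare IPs) gets the ALB's fixed 403.
// Hypothetical bindings: env.DGRAPH_ORIGIN and env.DGRAPH_SHARED_SECRET.

const ALLOWED_PATHS = new Set(["/query", "/mutate", "/graphql", "/health"]);

// Describe the upstream request as a plain object so the forwarding policy can
// be tested outside the Workers runtime. Returns { error: status } when the
// request must not be forwarded.
function buildUpstreamRequest(incomingUrl, method, body, contentType, env) {
  const url = new URL(incomingUrl);
  if (!ALLOWED_PATHS.has(url.pathname)) {
    return { error: 404 }; // only the Dgraph endpoints the app uses are reachable
  }
  if (!env || !env.DGRAPH_ORIGIN || !env.DGRAPH_SHARED_SECRET) {
    return { error: 500 }; // missing binding: fail closed, never send without the header
  }
  const headers = { "X-MyappSecurity": env.DGRAPH_SHARED_SECRET };
  if (contentType) headers["Content-Type"] = contentType;
  return {
    url: env.DGRAPH_ORIGIN.replace(/\/$/, "") + url.pathname + url.search,
    method,
    headers,
    body: method === "GET" || method === "HEAD" ? undefined : body,
  };
}

// Module-style Worker handler; in the deployed script this is `export default worker`.
const worker = {
  async fetch(request, env) {
    const plan = buildUpstreamRequest(
      request.url,
      request.method,
      await request.text(),
      request.headers.get("Content-Type"),
      env
    );
    if (plan.error) return new Response(null, { status: plan.error });
    const upstream = await fetch(plan.url, {
      method: plan.method,
      headers: plan.headers,
      body: plan.body,
    });
    // Return only the body and content type, so no upstream headers leak to the caller.
    return new Response(upstream.body, {
      status: upstream.status,
      headers: { "Content-Type": upstream.headers.get("Content-Type") || "application/json" },
    });
  },
};
```

The secret is set with `wrangler secret put DGRAPH_SHARED_SECRET` and rotated by updating both the binding and the ALB rule value; "foobar" from the post above is a placeholder, not a value to deploy. The ALB still needs the health check on /health to pass without the header, so either exempt the target group's health check (it originates from the ALB, not the listener) or keep /health outside the rule.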

Hi Tejas! You are a wizard! Your explanation has really helped me understand Layer 7 ALB, thank you so much! I’ve implemented ALB like you’ve suggested, we now have a working certificate and I believe we’re super close now!

Here’s my results



Here’s what I’ve done

  1. Create EC2 Security Group

    • Inbound
      • All → My IP
  2. Create EC2 Instance

    • Free Tier
    • Ubuntu
    • Storage 30 GiB
  3. Add dgraph

  4. Start dgraph

    • SSH Terminal 1
      • su ubuntu
      • dgraph zero --my=localhost:5080
    • SSH Terminal 2
      • su ubuntu
      • dgraph alpha --my=localhost:7080 --lru_mb=1024 --zero=localhost:5080
    • Local Terminal 1
      • dgraph-ratel
      • Dgraph Server URL
      • http:// EC2 PUBLIC DNS :8080
  5. Create SSL Certificate from AWS ACM

    • Certificate Manager
    • Provision Certificate
    • Request a public certificate
    • Add domain names
    • DNS Validation
    • Create record in Route 53
    • Wait for status to be from Pending Validation to Issued
  6. Create Load Balancer Security Group

    • Inbound
      • All → My IP
  7. Create Target Group

    • HTTP
    • Port: 8080
    • Health checks > Path > /health
    • Select Instance
    • Add Target Group Targets
      • Select EC2 Instance
      • Ensure at least 1 availability zone is where the EC2 instance lives
  8. Create ALB Load balancer

    • EC2 > Load Balancers
    • Create Load Balancer
    • Create Application Load Balancer
      • Scheme: Internet Facing
      • IP address type: ipv4
      • Load Balancer Protocol
        • HTTP
        • HTTPS
    • Select 2 availability zones
    • Choose a certificate from ACM
      • Select the certificate we just created
    • Security Group
      • Select Load balancer security group
    • Target Group
      • Select target group we just created
    • Listeners
      • 443 > SSL
  9. Update Route 53 Domain Mapping with ALB Name

    • Hosted Zones
    • Select domain address Type A
    • Change Alias to Yes
    • Alias Target = Application Load Balancer

1 Like

I got Dgraph + AWS + SSL working! Thank you @Paras & @gja! I couldn’t have gotten here w/o your genius! For our community, here are my steps to get this working! Please feel free to suggest enhancements!

Now I’m going to work on getting this working in Cloudflare Workers with @gja’s suggestions!

  1. Create EC2 Security Group

    • Inbound
      • All → My IP
  2. Create EC2 Instance

    • Free Tier
    • Ubuntu
    • Storage 30 GiB
  3. Add dgraph

  4. Start dgraph

    • SSH Terminal 1
      • su ubuntu
      • dgraph zero --my=localhost:5080
    • SSH Terminal 2
      • su ubuntu
      • dgraph alpha --my=localhost:7080 --lru_mb=1024 --zero=localhost:5080
    • Local Terminal 1
      • dgraph-ratel
      • Dgraph Server URL
      • http:// EC2 PUBLIC DNS :8080
  5. Create SSL Certificate from AWS ACM

    • Certificate Manager
    • Provision Certificate
    • Request a public certificate
    • Add domain names
    • DNS Validation
    • Create record in Route 53
    • Wait for status to be from Pending Validation to Issued
  6. Create Load Balancer Security Group

    • Inbound
      • All → My IP
  7. Create Target Group

    • HTTP
    • Port: 8080
    • Health checks > Path > /health
    • Select Instance
    • Add Target Group Targets
      • Select EC2 Instance
      • Ensure at least 1 availability zone is where the EC2 instance lives
  8. Create ALB Load balancer

    • EC2 > Load Balancers
    • Create Load Balancer
    • Create Application Load Balancer
      • Scheme: Internet Facing
      • IP address type: ipv4
      • Load Balancer Protocol
        • HTTP
        • HTTPS
    • Select 2 availability zones
    • Choose a certificate from ACM
      • Select the certificate we just created
    • Security Group
      • Select Load balancer security group
    • Target Group
      • Select target group we just created
    • Listeners
      • 443 > SSL
  9. Update EC2 Security Group

    • Inbound
      • All → ALB Load Balancer Security Group
  10. Update Route 53 Domain Mapping with ALB Name

    • Hosted Zones
    • Select domain address Type A
    • Change Alias to Yes
    • Alias Target = Application Load Balancer

1 Like