Questions about TLS

When should we use the flag
flag.Bool("tls.use_system_ca", false, "Include System CA into CA Certs.")
from the Go client?

Maybe when you generate your own signed CA file, or maybe also one from letsencrypt, as they are system-signed files.

For a purchased one, like from Comodo or others, the CA files are available in the public directory, so it doesn't require pointing to them specially.

When I use TLS for servers, are there TLS connections between replica servers too?

Currently TLS connections are only between clients and servers, not between the servers themselves.


How can I use TLS with the Zero server? If I use

/state
or
/removeNode?id=3&group=2

anyone who knows the IP can do it.

Keep Zero in a private network accessible to the Server(s). It doesn’t need to have a public IP.

Currently TLS configuration is between clients and servers. Communication of Server-to-Server and Server-to-Zero is not encrypted, so it’s best to have them communicate within a private network.

For high availability, I use 3 servers for replication in different data centers, and I need a public IP for communication between the servers.
Can I use

https://some.site:5080
or
https://some.site:7080

for TLS communication between the servers?

Servers can be in different data centers and be within the same private network.

Server-to-server communication will not happen over TLS at this time.

Is a Docker Swarm overlay network considered secure for server-to-server traffic?
https://docs.docker.com/v17.09/engine/userguide/networking/overlay-security-model/


Yes, setting up IPSec tunnels like Docker Swarm encrypted overlay networks would encrypt the network traffic between the Dgraph Servers.
