I have set up a Dgraph server and Ratel on a cloud host. I have added basic auth to the Ratel endpoint to provide some security, but the server endpoint is still unauthenticated.
Is there any option for protecting the server connection so I can have access via Ratel with some security?
Had the same problem with an unsecured Ratel console. Eventually, I ended up deploying an ingress controller that does HTTPS and authentication. Very hard to digest that the problem hasn’t been solved two years later and Dgraph still ships with an unsecured web console in 2020.
Ratel supports TLS today. It will just ask you to accept the certificate. What won’t work is doing this via Nginx. You need to pass the TLS from Dgraph through Nginx, which is a complex thing to do. But if you don’t use Nginx, you’ll notice that Ratel works perfectly with TLS.
Sincere apologies for the difficulties you faced while adopting Dgraph. We’re willing to learn from you about the shortcomings which made it difficult for you to adopt and build applications using Dgraph and fix them.
If you could spend a bit of your valuable time to share with us the list of topmost adoption hurdles in Dgraph, I’ll guarantee you that we’ll evaluate, test and get them fixed.
What’s the secret sauce to use a Dgraph client certificate with Ratel on macOS? The certificate Dgraph generates (using the documented commands, slightly modified) is considered revoked by Chrome. You can bypass this by typing thisisunsafe on the ERR_CERT_REVOKED page, but as far as I can tell there’s no way to convince the browser and/or OS to import the generated client certificate. Keychain Access just silently fails to import the p12 file. I’m assuming it’s because of the same error that triggered the revoked message, but it’s impossible to say as there are no logs (no dialog, nothing written to /var/log/*, nothing in log stream ... output).
This is probably not a Dgraph issue, but I’m hoping someone here knows the solution anyway.
Is there anyone using Ratel to access a Dgraph cluster configured with TLS and REQUIREANDVERIFY enabled on macOS? I have run out of things to try. I’m guessing it’s just flat out impossible at this point.
I’m not sure what I’m doing wrong then – Keychain Access won’t import the certificates (silently ignores), and the issue still occurs after forcing importing them manually from the command line:
(although these commands do result in the certificates appearing in Keychain Access).
Are you on the latest macOS? Did you upgrade from an earlier version and retain the configurations? I wonder if something like that would explain the difference.
For now I’m running a local nginx that proxies plain HTTP requests into a TLS tunnel using the client certificate.
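The local-proxy workaround described in the post above, sketched as an nginx configuration. This is an added example, not the poster's actual configuration; the upstream hostname, the listen port and the certificate paths are placeholders.

```nginx
# Minimal nginx.conf: the browser (and Ratel) speak plain HTTP to the loopback
# listener, and nginx presents the Dgraph client certificate upstream.
events {}

http {
    server {
        # Bind to loopback only. Anything that can reach this listener gets
        # the access of the client certificate without having to present it.
        listen 127.0.0.1:8080;

        location / {
            # Placeholder upstream: the TLS-enabled Dgraph HTTP endpoint.
            proxy_pass https://dgraph.example.internal:8080;

            # Client certificate and key presented to Dgraph
            # (needed when the server requires and verifies client certs).
            proxy_ssl_certificate     /path/to/tls/client.USER.crt;
            proxy_ssl_certificate_key /path/to/tls/client.USER.key;

            # Verify the server against the same CA instead of trusting blindly.
            proxy_ssl_trusted_certificate /path/to/tls/ca.crt;
            proxy_ssl_verify       on;
            proxy_ssl_verify_depth 2;

            # Send SNI and check the certificate against the upstream name;
            # the server certificate must list this hostname.
            proxy_ssl_server_name on;
            proxy_ssl_name        dgraph.example.internal;
        }
    }
}
```

With this in place, Ratel is pointed at the loopback listener rather than at the TLS endpoint. The client key should be readable only by the user nginx runs as.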
When I tested it I was using Mojave; today I am using Catalina. I haven’t tested with Catalina though.
I tried to do this with Nginx. I tried to see if I could pass the certificate through, but I gave up; it seems that Nginx cannot see the TLS of an instance of Dgraph. However, I personally do not have much experience with certificates on Nginx.
If you remove Nginx from the equation, you will see that it works.
Is there any advantage to using this whole TLS feature vs. using a reverse proxy like Traefik?
I have Dgraph running on HTTPS with certs generated by Let’s Encrypt. The clients (and Dgraph for that matter) don’t need to be concerned with manually dealing with certs…
In that case, stick with Traefik. Unless you wanna add an extra layer of security for the internal network. The Let’s Encrypt feature from Traefik is just fine.