Securing Ratel Server Connection

I have set up a Dgraph server and Ratel on a cloud host. I have added basic auth to the Ratel endpoint to provide some security, but the server endpoint is still unauthenticated.
Is there any option for protecting the server connection so I can have access via Ratel with some security?

Thanks,
Andrew

You can set up TLS between the server (alpha) and the client.

https://docs.dgraph.io/deploy/#tls-configuration

If the server has TLS enabled, how would Ratel connect to it? There’s no way to pass certs from Ratel to authenticate it…

Someone told me in the #dgraph Slack that this functionality currently doesn’t exist for Ratel. It should be available in the future.

Had the same problem with an unsecured Ratel console. Eventually, I ended up deploying an ingress controller that does HTTPS and authentication. Very hard to digest that this problem hasn’t been solved two years later and Dgraph still ships with an unsecured web console in 2020.

Ratel supports TLS today. It will just ask you to accept the certificate. What won’t work is doing this via Nginx. You need to pass the TLS from Dgraph through Nginx, which is a complex thing to do. But if you don’t use Nginx, you’ll notice that Ratel works perfectly with TLS.

@MichelDiz

I did notice the absence of TLS behind a proxy, and that’s the exact problem.

We don’t use NGINX. And we ditched Dgraph because, over time, fixing it became pathetic.

Thanks

Hey @marvin-hansen,

Sincere apologies for the difficulties you faced while adopting Dgraph. We’re willing to learn from you about the shortcomings which made it difficult for you to adopt Dgraph and build applications using it, and to fix them.
If you could spend a bit of your valuable time to share with us the list of topmost adoption hurdles in Dgraph, I guarantee you that we’ll evaluate, test and get them fixed.

What’s the secret sauce to use a Dgraph client certificate with Ratel on macOS? The certificate Dgraph generates (using the documented commands, slightly modified) is considered revoked by Chrome. You can bypass this by typing thisisunsafe on the ERR_CERT_REVOKED page, but as far as I can tell there’s no way to convince the browser and/or OS to import the generated client certificate. Keychain Access just silently fails to import the p12 file. I’m assuming it’s because of the same error that triggered the revoked message, but it’s impossible to say as there are no logs (no dialog, nothing written to /var/log/*, nothing in log stream ... output).

This is probably not a Dgraph issue, but I’m hoping someone here knows the solution anyway.

Is there anyone using Ratel to access a Dgraph cluster configured with TLS and REQUIREANDVERIFY enabled on macOS? I have run out of things to try. I’m guessing it’s just flat out impossible at this point.

Last time I tested TLS on Mac it was okay. (Using REQUIREANDVERIFY; I actually only tested TLS for that.)

You have to incorporate the certificate on the OS. That way the browser will automatically recognize the certificate.

I’m not sure what I’m doing wrong then – Keychain Access won’t import the certificates (it silently ignores them), and the issue still occurs after force-importing them manually from the command line:

security import dgraph-client.pem -k ~/Library/Keychains/login.keychain
security import dgraph-ca.pem -k ~/Library/Keychains/login.keychain

(although these commands do result in the certificates appearing in Keychain Access).

Are you on the latest macOS? Did you upgrade from an earlier version and retain the configurations? I wonder if something like that would explain the difference.

For now I’m running a local nginx that proxies plain HTTP requests into a TLS tunnel using the client certificate.
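The local-proxy workaround described above, as an added example that is not part of the original post or of Dgraph’s documentation: nginx listens on loopback for plain HTTP from Ratel and opens a mutually authenticated TLS connection to the Alpha, so the browser never has to hold the client certificate. The hostname, ports and certificate paths are assumptions (the `client.ratel.crt`/`client.ratel.key` naming follows `dgraph cert`’s convention; substitute whatever files you generated):

```nginx
# Added example, not from the thread. A local nginx that accepts plain HTTP
# from Ratel on 127.0.0.1 and forwards each request to a TLS-enabled Dgraph
# Alpha, presenting a client certificate so Alpha's REQUIREANDVERIFY passes.
# Hostnames, ports and file paths below are assumptions for this example.
server {
    # Listen on loopback only, so the unauthenticated side never leaves the host.
    listen 127.0.0.1:8081;

    location / {
        # Assumed: the Alpha's HTTP endpoint, TLS-enabled, on the default port 8080.
        proxy_pass https://alpha.example.internal:8080;

        # Client certificate and key the Alpha was configured to require
        # (assumed paths; these are the files produced for a client by `dgraph cert`).
        proxy_ssl_certificate     /etc/nginx/tls/client.ratel.crt;
        proxy_ssl_certificate_key /etc/nginx/tls/client.ratel.key;

        # Verify the Alpha's server certificate against Dgraph's own CA, so the
        # proxy cannot be silently pointed at an impostor that holds any cert.
        proxy_ssl_trusted_certificate /etc/nginx/tls/ca.crt;
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # Send SNI matching the name in the Alpha's certificate, and keep the
        # original Host header so Ratel's requests look unchanged to the Alpha.
        proxy_ssl_server_name  on;
        proxy_ssl_name         alpha.example.internal;
        proxy_set_header Host  $host;
    }
}
```

With this in place, Ratel is pointed at `http://127.0.0.1:8081` instead of the Alpha directly. Because the listener is bound to loopback, only processes on the same machine can reach the unauthenticated side; exposing that port on a non-loopback address would reintroduce exactly the unauthenticated endpoint the thread started with. The `proxy_ssl_verify on` line is what makes this a two-way check rather than just client authentication.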

When I tested it I was using Mojave, today I am using Catalina. I haven’t tested with Catalina tho.

I tried to do this with Nginx. I tried to see if I could pass through the certificate, but I gave up; it seems that Nginx cannot see the TLS of an instance of Dgraph. However, I personally do not have much experience with certificates on Nginx.

If you remove Nginx from the equation, you will see that it works.

Cheers.

Ratel works fine with TLS enabled and supports all possible tls_client_auth settings.

We have a documentation section on how to configure it:
https://docs.dgraph.io/deploy/#using-ratel-ui-with-client-authentication

And a section on troubleshooting:
https://docs.dgraph.io/deploy/#troubleshooting-ratel-s-client-authentication

If you’re having problems with specific client OS, browser or proxy server, chances are those other parts of your stack are not configured correctly.

The certificate Dgraph generates (using the documented commands, slightly modified) is considered revoked by Chrome

Most likely you need to add Dgraph’s root CA as trusted on the machine running Chrome (exact steps would depend on your OS).

Is there any advantage to using this whole TLS feature vs. using a reverse proxy like Traefik?

I have Dgraph running on HTTPS with certs generated by Let’s Encrypt. The clients (and Dgraph, for that matter) don’t need to be concerned with manually dealing with certs…

In that case, stick with Traefik, unless you wanna add an extra layer of security for the internal network. The Let’s Encrypt feature from Traefik is just fine.