Hi,
This is my first email to this mailing list :-)
In some situations, Kafka clients cannot connect directly to brokers.
There will be a few reverse proxies between them, with some of these
proxies serving as SSL terminators.
There are lots of articles about how to set up Kafka with TLS
encryption. However, I haven't found articles about how to run a broker
behind a proxy with SSL termination.
After tons of trial and error, I managed to use Nginx TCP-stream as the
proxy (see the configuration below). I'm wondering if I'm on the right
track (question 1, q1)? I have more questions about SSL termination:
q2: If we are using Nginx to terminate SSL, how can we pass the
client-side certificate / distinguished name (like
"CN=quickstart.confluent.io,OU=TEST,O=Sales,L=PaloAlto,ST=Ca,C=US") as a
valid "principal" to the broker in order to enable ACL rules?
q3: What are the pros/cons of using an SSL terminator, in particular
from a performance perspective?
Thanks!
Shuxin
This is my configuration. I have a 3-node (Docker) setup; both nginx and the broker
run on each node. The name for node/broker is km[1-3].mykafka.dev.org.
nginx TCP-stream:
---------------------------------------------------
stream {
    server {
        listen 19093;
        proxy_pass 172.30.0.2:9093;
    }
    server {
        listen 19094 ssl;
        ssl_certificate     /home/lol/host_data/credentials/broker.pem;
        ssl_certificate_key /home/lol/host_data/credentials/broker.key.nopass;
        proxy_pass 172.30.0.2:9094;
    }
}
----------------------------------------------------
This is the configuration for the broker:
listeners=MY_INTERNAL://:9092,MY_EXT1://:9093,MY_EXT2://:9094
advertised.listeners=MY_INTERNAL://:9092,MY_EXT1://km1.mykafka.dev.org:19093,MY_EXT2://km1.mykafka.dev.org:19094
listener.security.protocol.map=MY_INTERNAL:PLAINTEXT,MY_EXT1:PLAINTEXT,MY_EXT2:PLAINTEXT
inter.broker.listener.name=MY_INTERNAL
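As an added example (not part of the original post), here is a small Python check that parses the broker settings quoted above and cross-checks the listener, advertised-listener and security-protocol entries for the listener a TLS-terminating proxy fronts. The tls_terminated parameter and the finding messages are my own; the sample input is the poster's configuration.

```python
# Added example: consistency check for Kafka listener settings when a
# proxy terminates TLS in front of a broker. Input is constructed from
# the configuration quoted in the post above.
BROKER_PROPERTIES = """
listeners=MY_INTERNAL://:9092,MY_EXT1://:9093,MY_EXT2://:9094
advertised.listeners=MY_INTERNAL://:9092,MY_EXT1://km1.mykafka.dev.org:19093,MY_EXT2://km1.mykafka.dev.org:19094
listener.security.protocol.map=MY_INTERNAL:PLAINTEXT,MY_EXT1:PLAINTEXT,MY_EXT2:PLAINTEXT
inter.broker.listener.name=MY_INTERNAL
"""

def parse_properties(text):
    """Parse 'key=value' lines (Java properties style, comments skipped)."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            key, _, value = line.partition("=")
            props[key.strip()] = value.strip()
    return props

def parse_listeners(value):
    """'NAME://host:port,...' -> {NAME: (host, port)}; host may be empty."""
    out = {}
    for item in filter(None, value.split(",")):
        name, _, hostport = item.partition("://")
        host, _, port = hostport.rpartition(":")
        out[name] = (host, int(port))
    return out

def check_listeners(props, tls_terminated=()):
    """Return findings. tls_terminated (assumed parameter) names listeners
    whose TLS is handled by a proxy rather than by the broker itself."""
    listeners = parse_listeners(props["listeners"])
    advertised = parse_listeners(props["advertised.listeners"])
    proto = dict(p.split(":") for p in props["listener.security.protocol.map"].split(","))
    findings = []
    for name in listeners:
        if name not in advertised:
            findings.append(f"{name}: listener is not advertised")
        if name not in proto:
            findings.append(f"{name}: no security protocol mapped")
    if props["inter.broker.listener.name"] not in listeners:
        findings.append("inter.broker.listener.name is not a configured listener")
    for name in tls_terminated:
        if proto.get(name) == "PLAINTEXT":
            # The proxy-to-broker hop carries no TLS, so the broker never
            # sees the client certificate presented to the proxy.
            findings.append(f"{name}: proxy-to-broker hop is PLAINTEXT (client cert not visible to broker)")
        if advertised.get(name) == listeners[name]:
            findings.append(f"{name}: advertised address equals the broker address, bypassing the proxy")
    return findings
```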