Posted to dev@kafka.apache.org by Shuxin Yang <sh...@gmail.com> on 2022/09/27 21:37:41 UTC

What is the correct way to terminate SSL

Hi,

     This is my first email to this mailing list:-)

     In some situations, Kafka clients cannot directly hook to brokers. 
There will be a few reverse proxies between them, with some of these 
proxies serving as SSL terminators.

     There are lots of articles about how to set up Kafka with TLS 
encryption. However, I don't find articles about how to run a broker 
behind a proxy with SSL termination.

   After tons of trial and error, I managed to use Nginx TCP-stream as 
proxy (see the configuration below). I'm wondering if I'm on the right 
track (question-1, q1)? I have more questions about SSL termination:

     q2: if we are using Nginx to terminate SSL, how can we pass the 
client-side certificate/distinguished name (like 
"CN=quickstart.confluent.io,OU=TEST,O=Sales,L=PaloAlto,ST=Ca,C=US") as a 
valid "principal" to the broker in order to enable ACL rules?

     q3: What are the pros/cons of using an SSL terminator? In particular 
from a performance perspective.

Thanks!

Shuxin


This is my configuration. I have 3 nodes (docker); both nginx and broker 
run on the node. The name for node/broker is km[1-3].mykafka.dev.org.

nginx TCP-stream,

---------------------------------------------------

stream {
    server {
        listen  19093;
        proxy_pass 172.30.0.2:9093;
    }

    server {
        listen  19094 ssl;
        ssl_certificate /home/lol/host_data/credentials/broker.pem;
        ssl_certificate_key /home/lol/host_data/credentials/broker.key.nopass;
        proxy_pass 172.30.0.2:9094;
    }
}
----------------------------------------------------

This is the configuration for broker

listeners=MY_INTERNAL://:9092,MY_EXT1://:9093,MY_EXT2://:9094
advertised.listeners=MY_INTERNAL://:9092,MY_EXT1://km1.mykafka.dev.org:19093,MY_EXT2://km1.mykafka.dev.org:19094
listener.security.protocol.map=MY_INTERNAL:PLAINTEXT,MY_EXT1:PLAINTEXT,MY_EXT2:PLAINTEXT
inter.broker.listener.name=MY_INTERNAL
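Added worked example (not part of Shuxin's mail and not Kafka project code): a small Python model of how a broker derives the principal that ACL rules are evaluated against from the client certificate's distinguished name, which is the crux of q2. The listener branches (PLAINTEXT or ssl.client.auth=none gives User:ANONYMOUS) and the RULE/DEFAULT mapping semantics follow Kafka's documented ssl.principal.mapping.rules behaviour; passing the rules as a Python list and the simplified rule regex (no escaped "/") are assumptions made for this example.

```python
import re

# Added example (not part of the original mail): a reimplementation of how a
# Kafka broker turns a TLS client certificate's distinguished name into the
# principal that ACL rules are evaluated against (ssl.principal.mapping.rules).
# Assumption: rules are passed as a Python list, not Kafka's comma-joined
# property string, and the simplified rule regex does not handle escaped "/".

# The DN quoted in the mail.
CLIENT_DN = "CN=quickstart.confluent.io,OU=TEST,O=Sales,L=PaloAlto,ST=Ca,C=US"

_RULE_RE = re.compile(r"^RULE:(.*?)/(.*?)/([LU]?)$")

def apply_rules(dn, rules):
    """First matching rule wins, as in Kafka's SslPrincipalMapper; "DEFAULT"
    returns the DN unchanged; no match models Kafka's NoMatchingRule error."""
    for rule in rules:
        if rule == "DEFAULT":
            return dn
        m = _RULE_RE.match(rule)
        if not m:
            raise ValueError(f"invalid rule: {rule}")
        pattern, replacement, case = m.groups()
        if re.fullmatch(pattern, dn) is None:   # Java Matcher.matches()
            continue
        # Kafka uses Java's $n back-references; Python wants \g<n>.
        name = re.sub(pattern, re.sub(r"\$(\d+)", r"\\g<\1>", replacement), dn)
        if case == "L":
            name = name.lower()
        elif case == "U":
            name = name.upper()
        return name
    raise ValueError(f"no rule matched DN: {dn}")

def broker_principal(security_protocol, ssl_client_auth, dn, rules=("DEFAULT",)):
    """Principal the broker assigns to a connection on a given listener.
    A PLAINTEXT listener (the mail's MY_EXT2 behind nginx) never sees a client
    certificate, and an SSL listener with ssl.client.auth=none ignores one, so
    both give User:ANONYMOUS and no ACL can single out that client. Only an SSL
    listener that receives a client certificate derives a principal from its DN."""
    if security_protocol != "SSL" or ssl_client_auth == "none" or dn is None:
        return "User:ANONYMOUS"
    return "User:" + apply_rules(dn, list(rules))

if __name__ == "__main__":
    print(broker_principal("PLAINTEXT", "none", CLIENT_DN))   # User:ANONYMOUS
    print(broker_principal("SSL", "required", CLIENT_DN))     # User:CN=quickstart...,C=US
    rules = ["RULE:^CN=(.*?),OU=(.*?),O=(.*?),L=(.*?),ST=(.*?),C=(.*?)$/$1@$2/L",
             "DEFAULT"]
    print(broker_principal("SSL", "required", CLIENT_DN, rules))  # User:quickstart.confluent.io@test
```

The first call is the situation in the configuration above: TLS ends at nginx and the broker's MY_EXT2 listener is PLAINTEXT, so every proxied client arrives as User:ANONYMOUS and ACLs cannot tell them apart.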