
[Ideas] From a users perspective #607

Open
Th3Whit3Wolf opened this issue Oct 12, 2019 · 6 comments

Comments

@Th3Whit3Wolf

Hey, I stumbled onto this project and I'm super excited, and have some things that, as a user, would be nice to see.

  1. Link to documentation from the README.md.
  2. Have an option to automatically set up Let's Encrypt.
  3. Have an optional UI for metrics similar to traefik's.
@polarathene

polarathene commented Nov 21, 2019

It'd also be good to know about support/config for:

  • OCSP Stapling / must-staple (and whether it avoids the issue that nginx/apache have, by prefetching the staples in advance instead of serving the initial connections unstapled).
  • TLS Session ID cache and session tickets (and key rotation support).
  • Cipher & curve selection and preferences (with nginx this is problematic for TLS 1.3, apparently because the OpenSSL API has two distinct calls for TLS 1.2 and TLS 1.3 cipher suites but nginx uses only one parameter).
  • etc.

@Geal Geal added this to the 0.14 milestone Jul 29, 2021
@Keksoj Keksoj modified the milestones: v0.14.0, v1.0.0 Feb 18, 2022
@Keksoj Keksoj modified the milestones: v1.0.0, v1.1.0 Feb 18, 2022
@theAkito

theAkito commented Nov 2, 2023

Been reading all the documentation & have found only one place about where to set TLS certificates. Otherwise, no information whatsoever on Let's Encrypt.

Just found this issue, where its last comment points to an already archived project.

So, it does not feel at all like this project is confident in working with Let's Encrypt....

@polarathene

> Just found this issue, where its last comment points to an already archived project.
>
> So, it does not feel at all like this project is confident in working with Let's Encrypt....

Look at the archived repo's last commit; it updates the README with this:

> This repository has been integrated into the main Sōzu repository.
> It is available directly from the command line of Sōzu.

Thus it's already upstreamed into sozu, so a quick search for acme on merged PRs and you'll find this: #862

Dec 2022, like the date of archived repo. However, that search result will also make this May 2023 change visible: #929

You want to track these issues:

* [Implements a fully-featured acme integration #926](https://github.com/sozu-proxy/sozu/issues/926)

* [ACME integration #686 (comment)](https://github.com/sozu-proxy/sozu/issues/686#issuecomment-1666559267)

> found only one place about where to set TLS certificates.

Wild guess: was it this clusters config example?

frontends = [
  { address = "0.0.0.0:8080", hostname = "lolcatho.st" },
  { address = "0.0.0.0:8443", hostname = "lolcatho.st", certificate = "../lib/assets/certificate.pem", key = "../lib/assets/key.pem", certificate_chain = "../lib/assets/certificate_chain.pem" }
]

You can find similar without the cluster config shared in existing issues: #774 (comment)

frontends = [
  { address = "127.0.0.1:1444", hostname = "domain", certificate = "/etc/domain/cert.pem", key = "/etc/domain/key.pem", certificate_chain = "/etc/cloudflare/chain.pem" }
]

So presumably that's the way to configure your TLS certificate, it's just not documented well from the looks of it.

Regarding Let's Encrypt, well, there's nothing that special about it... In the meantime you can just use a separate tool like certbot to provision from an ACME provider. You just need the files; any direct ACME integration with services (like you'd find with Caddy) is an additional convenience, but not essential 🤷‍♂️
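As an added example (not from the Sōzu docs or from anyone in this thread), here is what the frontends block above looks like once certbot has issued the certificate. It assumes certbot's default layout, where `/etc/letsencrypt/live/<domain>/` holds `cert.pem` (the leaf certificate), `privkey.pem` (the private key), `chain.pem` (the intermediates only) and `fullchain.pem` (leaf plus intermediates); `example.com` and the listen addresses are placeholders.

```toml
# Added example: a Sōzu frontend pointed at a certbot-issued certificate.
# "example.com" and the addresses are placeholders; the file paths follow
# certbot's default /etc/letsencrypt/live/<domain>/ layout (an assumption
# about certbot, not something the Sōzu docs state).
frontends = [
  # Plain HTTP listener, as in the issue's own example.
  { address = "0.0.0.0:8080", hostname = "example.com" },
  # TLS listener: leaf certificate, private key and intermediate chain as three
  # separate files, matching the three fields used in the issue's examples.
  # Use chain.pem (intermediates only) for certificate_chain, since the leaf
  # is already supplied via certificate.
  { address = "0.0.0.0:8443", hostname = "example.com", certificate = "/etc/letsencrypt/live/example.com/cert.pem", key = "/etc/letsencrypt/live/example.com/privkey.pem", certificate_chain = "/etc/letsencrypt/live/example.com/chain.pem" }
]
```

Two practical caveats when wiring this up: certbot creates `live/` and `archive/` readable by root only and `privkey.pem` with mode 0600, so the user Sōzu runs as must be granted read access (or the files copied out by a certbot `--deploy-hook` into a directory with tighter, Sōzu-specific permissions); and because certbot renews roughly every 60 days, the renewal has to be followed by whatever certificate reload mechanism your Sōzu version offers, otherwise the proxy keeps serving the old leaf until restart.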

@theAkito

theAkito commented Nov 3, 2023

> > Just found this issue, where its last comment points to an already archived project.
> > So, it does not feel at all like this project is confident in working with Let's Encrypt....
>
> Look at the archived repo's last commit; it updates the README with this:
>
> > This repository has been integrated into the main Sōzu repository.
> > It is available directly from the command line of Sōzu.
>
> Thus it's already upstreamed into sozu, so a quick search for acme on merged PRs and you'll find this: #862
>
> Dec 2022, like the date of archived repo. However, that search result will also make this May 2023 change visible: #929
>
> You want to track these issues:
>
> * [Implements a fully-featured acme integration #926](https://github.com/sozu-proxy/sozu/issues/926)
>
> * [ACME integration #686 (comment)](https://github.com/sozu-proxy/sozu/issues/686#issuecomment-1666559267)
>
> > found only one place about where to set TLS certificates.
>
> Wild guess: was it this clusters config example?
>
> frontends = [
>   { address = "0.0.0.0:8080", hostname = "lolcatho.st" },
>   { address = "0.0.0.0:8443", hostname = "lolcatho.st", certificate = "../lib/assets/certificate.pem", key = "../lib/assets/key.pem", certificate_chain = "../lib/assets/certificate_chain.pem" }
> ]
>
> You can find similar without the cluster config shared in existing issues: #774 (comment)
>
> frontends = [
>   { address = "127.0.0.1:1444", hostname = "domain", certificate = "/etc/domain/cert.pem", key = "/etc/domain/key.pem", certificate_chain = "/etc/cloudflare/chain.pem" }
> ]
>
> So presumably that's the way to configure your TLS certificate, it's just not documented well from the looks of it.
>
> Regarding Let's Encrypt, well, there's nothing that special about it... In the meantime you can just use a separate tool like certbot to provision from an ACME provider. You just need the files; any direct ACME integration with services (like you'd find with Caddy) is an additional convenience, but not essential 🤷‍♂️

Spot on explanation about everything regarding this topic. Thank you very much!

The content of this comment should be right there in the documentation!

@Keksoj (Contributor)

Keksoj commented Nov 15, 2023

As of today there is no direct implementation of Let's Encrypt in Sōzu; we recommend using ordinary tools like certbot.

Thank you @theAkito and @polarathene for the review of the documentation 👍 Could you sum up what needs to be added to the documentation and/or configuration? Since I use Sōzu on a daily basis, I tend to forget where info is needed first and foremost.

@theAkito

> Thank you @theAkito and @polarathene for the review of the documentation 👍 Could you sum up what needs to be added to the documentation and/or configuration? Since I use Sōzu on a daily basis, I tend to forget where info is needed first and foremost.

I think it would be pretty easy to just look at a good Let's Encrypt guide for NGINX and then translate how the same thing would work for this product.

For example, a simple Let's Encrypt configuration, plus a semi-customised one, then a very complicated custom Let's Encrypt configuration, where all possible TLS-related Sōzu directives are used & explained, one by one.
If the user can just copy & paste the configuration from one of the examples, with minimal adjustments, the examples are perfect.

Something like, "this is how you would do XY in NGINX, now here is how you do it in Sōzu...." would also be great.

Pretty sure most people come from popular reverse proxies like NGINX and with Kubernetes etc. NGINX has probably become way more popular than Apache.

All this should be an extra page/file in the documentation, solely dedicated to Let's Encrypt, simply because it's what most average non-enterprise reverse proxy users use.
