💡 [REQUEST] Support for Disabling mTLS with JWT Fallback Authentication #305

@AkashiCoin

Reference Issues

No response

Summary

(Note: This issue was drafted with the assistance of AI translation to ensure clarity. Please feel free to suggest improvements to the wording or technical details. Thanks!)

I propose adding configuration options to disable mutual TLS (mTLS) for connections between the backend and nodes, while falling back to the existing JWT-based authentication. This is essential for deployment on certain PaaS platforms (e.g., Heroku, Railway, Render) where inbound connections must go through the platform's managed reverse proxy, which handles TLS termination and makes direct mTLS connections impossible. The change would allow the system to maintain security via HTTPS and JWT in such constrained environments, increasing deployment flexibility without compromising core authentication.

Basic Example

The feature involves two complementary configuration options:

  1. Backend Configuration (DISABLE_MTLS=true):

    • When this flag is set, the backend would accept standard HTTPS connections on its listener.
    • Server-side TLS would remain enabled for encryption.
    • The requirement for client certificate authentication (mTLS) would be disabled.
    • Node identity and authorization would instead be verified using the existing JWT tokens from request headers.
  2. Node-side Configuration (e.g., NODE_DISABLE_MTLS=true):

    • A corresponding flag for node agents to disable sending client certificates.
    • Nodes would connect to the backend via standard HTTPS, continuing to present their JWT token for authentication as they do now.
    • This allows nodes to operate through an external reverse proxy that terminates TLS.

Use Case: A user deploys the backend on a platform like Heroku. Heroku's routing layer terminates TLS and forwards requests via HTTP to the backend container. Currently, the mTLS handshake fails because the client certificate cannot be presented through this layer. Enabling DISABLE_MTLS would let the backend accept the proxied HTTP/HTTPS connection and authenticate the node via its JWT token instead.

Drawbacks

  • Reduced Security Posture: Disabling mTLS removes a strong layer of mutual authentication based on certificates. The security model would then rely solely on the strength of TLS (server certificate) and JWT secrets, which might be considered less robust than a combined mTLS+JWT approach in a fully controlled network environment.
  • Increased Configuration Complexity: Introducing an optional mode adds another configuration dimension to test, document, and support. It could lead to environment-specific bugs if the configuration is not applied consistently between the backend and all nodes.
  • Potential for Misconfiguration: If enabled in an environment where direct mTLS connections are possible (e.g., on a private VPS), it might inadvertently lower the security level if operators choose the simpler but less secure path. Clear documentation on appropriate use cases is essential.

Unresolved questions

Labels: question (Further information is requested)

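The following is an added example, not part of the original issue and not the project's code: a sketch of the backend side of the proposed mode, where `DISABLE_MTLS` drops only the client-certificate requirement and the JWT check becomes the sole node authentication. It assumes HS256 tokens with a shared secret and an `exp` claim; all function names are hypothetical and the sample tokens are constructed.

```python
import base64, hashlib, hmac, json, os, ssl, time

def b64d(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64e(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def mtls_disabled(env=os.environ) -> bool:
    # DISABLE_MTLS is the flag name proposed in the issue; anything but "true" keeps mTLS.
    return env.get("DISABLE_MTLS", "false").strip().lower() == "true"

def server_tls_context(env=os.environ) -> ssl.SSLContext:
    """Server-side TLS stays enabled; only the client-certificate requirement changes."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.verify_mode = ssl.CERT_NONE if mtls_disabled(env) else ssl.CERT_REQUIRED
    # A real listener also needs load_cert_chain() and, for mTLS, load_verify_locations().
    return ctx

def sign_jwt(claims: dict, secret: bytes) -> str:
    """Helper used only to construct sample tokens (HS256 is an assumption)."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verify_node_jwt(token: str, secret: bytes, now=None):
    """Return the claims of a valid token, or None if it must be rejected."""
    try:
        head, body, sig = token.split(".")
        # Pin the algorithm so a header of "none" or another alg is refused.
        if json.loads(b64d(head)).get("alg") != "HS256":
            return None
        expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, b64d(sig)):  # constant-time comparison
            return None
        claims = json.loads(b64d(body))
        exp = claims["exp"]  # tokens without an expiry are refused
        current = time.time() if now is None else now
        return claims if isinstance(exp, (int, float)) and exp > current else None
    except (ValueError, TypeError, AttributeError, KeyError):
        return None  # malformed tokens fail closed
```

Because the flag defaults to mTLS, an unset or mistyped `DISABLE_MTLS` value keeps client-certificate verification on, which addresses the misconfiguration drawback listed in the issue.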