Monitor support for TCP ports that use TLS/STARTTLS #4806
Conversation
mrubli
force-pushed
the
feature/tcp-tls
branch
3 times, most recently
from
ff7e21a
to
2d1adce
Compare
This comment was marked as resolved.
This comment was marked as resolved.
Sorry, something went wrong.
CommanderStorm
added
area:monitor
Thanks for the fast turnaround time! I was going to mark it as ready once all the checks have passed but you beat me to it. :-)
Great, I'll work on those.
I have some local test cases for development that I should be able to integrate. Currently they are against my personal mail server but it should be possible to just use the SMTP or IMAP servers of a big email provider for those. I'll think about what the best option is. |
|
One thing which I forgot to ask: this seems like a superset of the existing |
For the looks of it that would be possible. The current "TCP Port" monitor uses the tcp-ping library which also just uses a socket. Instead of reading/sending anything it just disconnects immediately. Seems like a superset indeed. Btw, for addressing review comments, do you prefer it if I create separate commits, so that it's easy to see what changed, and in the end we squash/fixup the original commits? Or do you want me to use fixup as I go? |
Do this as you prefer. No need to squash/rebase/.. anything, I will do that at the end in any case |
In this case, lets not keep two monitors with so similar functionality around. |
Sounds like a plan. I'll work on the other stuff first and will merge the two monitors at the end. In the meantime, if you have any suggestions on how to best arrange the UI, please let me know. Otherwise I'll just go with my intuition for now. |
mrubli
force-pushed
the
feature/tcp-tls
branch
4 times, most recently
from
490d868
to
d717a78
Compare
@CommanderStorm I've added a couple of initial test cases: d717a78 |
| return knex.schema | ||
| .alterTable("monitor", function (table) { | ||
| table.text("tcp_request").defaultTo(null); | ||
| table.boolean("tcp_enable_tls").notNullable().defaultTo(false); |
There was a problem hiding this comment.
lets use the regular tls boolean field instead (no need to have a second field for this)
There was a problem hiding this comment.
Probably I'm missing something but I can't find a "regular tls boolean field". The only fields containing tls in the name are:
grpc_enable_tls (boolean)
ignore_tls (boolean)
tls_ca (text)
tls_cert (text)
tls_key (text)
ignore_tls could conceivably be abused for this but it stands for "Ignore TLS/SSL errors for HTTPS websites", so that would seem a bit of a stretch.
There was a problem hiding this comment.
I see where you are coming from. The grpc field should not exist.
In an ideal world, both (tcp grpc) of these monitoes would use the same mechanism as http:
expiryNotifcationcontrols if tls expiry is a notificationignoreTlscontrols if tls errors are notifications
Being transparent:
The crosstalk (expiry is currently an tls error 😅) between the two options is a bit unfortunate and not clear to our users.
There was a problem hiding this comment.
I plan to eventually add support for expiry_notification and ignore_tls (which should really be called ignore_tls_errors) because that has been requested in the original PR as well. But I might do that as a separate PR because there's always "just one more feature" that could be added to any PR. :-)
The two options do have a very different function, though, so if it's not clear to users, that seems like a documentation issue. Sometimes a bit of explanatory text in the UI can go a long way.
As for the "enable TLS" setting, what do you suggest as the way forward? Is renaming grpc_enable_tls to enable_tls a possibility as part of the DB migration? If so, at least GRPC and TCP could use the same setting. Otherwise that would leave us with the generic name enable_tls (which other monitors could use down the line) or the monitor-specific tcp_enable_tls
There was a problem hiding this comment.
I might do that as a separate PR
Good choice 👍🏻
that seems like a documentation issue
Definitvely. Also the expiry buttons could be disabled if tls is ignored (different issue)
Is renaming
grpc_enable_tlstoenable_tlsa possibility as part of the DB migration?
I think this should be merged into ignore_tls(_errors) instead.
(I agree on the renaming, but lets keep this PR focused on one thing..)
I don't think a separate enable_tls needs to exist, right?
There was a problem hiding this comment.
(NOT ignore_tls[_errors] seems equivalent to grpc_enable_tls)
There was a problem hiding this comment.
With the TLS monitor as it is right now, enable_tls == true is implied. But once I merge it with the TCP monitor, we'll definitely need to have a setting that determines how to connect:
enable_tls == false⇒ unencrypted connection (= TCP monitor today)enable_tls == true && tcp_start_tls == false⇒ Native TLS connectionenable_tls == true && tcp_start_tls == true⇒ Start off unencrypted, TLS after STARTTLS handshake
Once implemented (separate PR), the two existing settings would become relevant for the merged TCP/TLS monitor as well:
ignore_tls[_errors]: Don't fail on TLS errors like "wrong host", "self-signed certificate", etc.
expiry_notification: Warn if the certificate is going to expire soon.
Having the migration alone is sufficient.
Co-authored-by: Frank Elsinga <[email protected]>
|
I've rebased the PR onto the latest For future reference, the check failure on "ARM64, 18" might be related to nodejs/node#46959. |
github-actions
bot
added
the
pr:please resolve merge conflict
Description
This adds support for TCP ports that use either native TLS or STARTTLS-initiated TLS.
I had previously started a PR (#1626) that seemed to trigger people's interest but ultimately went nowhere. This is a complete rewrite for the latest development branch and now comes with STARTTLS support since that was requested in the original PR discussion. I've also renamed the monitor to "TCP Port (TLS)" as suggested by @louislam at the time.
Fixes #1079
Type of change
Please delete any options that are not relevant.
Checklist
Screenshots