TLS-enabled communication between intake client and intake server

Question

Within intake official documentation, it mention

Authorization plugins are classes that can be used to customize access permissions to the Intake catalog server. The Intake server and client communicate over HTTP, so when security is a concern, the most important step to take is to put a TLS-enabled reverse proxy (like nginx) in front of the Intake server to encrypt all communication.

Can you advise any example on how to implement nginx in front of intake server ? What kind of nginx setup is required.

Answer 1

It would take a small amount of work to enable HTTPS directly in the Intake server - basically allowing the setting of certificates in this line (example args like https://stackoverflow.com/a/18307308/3821154 ).

However, while this is not available, you need SSL termination at a proxy; and you might need to make your own certificates. This is a common use for proxies, and you can find many guides like:

• https://docs.nginx.com/nginx/admin-guide/security-controls/terminating-ssl-http/
• https://docs.traefik.io/routing/routers/#tls

These can be used in docker or any other isolated network - i.e., that the port opened by Intake is only accessible internally, not from the outside world, and it's the proxy's port which is exposed.