I’ve seen in the doc that the recommended way of adding transport security is to use a reverse proxy with SSL termination such as Nginx.
However, what is the recommended approach for binary clients? Does the binary protocol have its own built in encryption or does it also need an additional layer? Specifically, what is the recommended best practice for exposing the binary protocol port over a public network?
Cheers,
Kristian
It depends. There is an SSL protocol if configured. Can you explain more about your requirements?
In short, I’d like to connect to an Event Store cluster over a public network using a binary client (in this case Java).
I’m trying to understand if this can be done safely, in a way that prevents snooping on the credentials or messages being sent, or if I need to introduce other mechanisms such as SSH tunnels to do this.
Event Store itself supports SSL over the binary protocol; I have not tried setting this up with the Java client previously. I would put up an issue on the JVM client GitHub asking if it can be done. To set up SSL for TCP you need to specify certificates and set up the secure external port.

In practice, if having cloud nodes etc., I would SSH tunnel as opposed to opening up to the internet in most cases. Attack surface area etc. being the reasoning.
Cheers,
Greg
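As an added illustration of the server-side settings Greg describes (this fragment is not from the thread or from the Event Store project), here is a node configuration enabling TLS on the external binary port. The option names are as I recall them from the 3.x/4.x server configuration file and should be checked against the docs for your version; the addresses, ports, certificate path and password are placeholders.

```yaml
# Added example: TLS on the external TCP (binary) port of an Event Store node.
# Option names assumed from the 3.x/4.x server config; verify for your version.
# Bind address and ports below are placeholders for this example.
ExtIp: 0.0.0.0
ExtHttpPort: 2113

# Plain binary port. Keep it reachable only from the private network
# (or from the far end of an SSH tunnel), never from the public Internet.
ExtTcpPort: 1113

# Secure binary port: clients that negotiate TLS connect here instead.
ExtSecureTcpPort: 1115

# Server certificate plus private key (PKCS#12). Clients verify this,
# so issue it for the DNS name they will actually connect to.
CertificateFile: /etc/eventstore/node.pfx        # placeholder path
CertificatePassword: CHANGE-ME-placeholder       # placeholder secret
```

Point the client at the secure port and firewall the plain one; the SSH tunnel Greg prefers avoids exposing either port directly and is the simpler option when the client library's TLS support is uncertain.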