-
How to check if incoming connection is TLS?
I have a situation where I want users to connect using TLS, but I want my kdb procs to also permit plain connection so a “-E 1” is specified on the proc.
The problem is, I want to enforce users to use TLS to connect to my app, but I don’t know how I can check to see if a connection has been opened using TLS.
For example, when someone uses the InteliJ plugin to connect to my kdb proc I want to check if the user is an LDAP user (I have this specified in a csv config) an then I want to check if the connection is using TLS. If user is LDAP, but no TLS, reject connection.
I know that if a connection comes from a kdb proc, I can use “.z.e”.
Is this even possible? If it is not possible, does this mean I will have to use a 2-way verification in which client verifies server certs and server verify client certs?
-
1 Reply
-
I’d recommend setting up a proxy, such as Nginx or HAProxy, configured for SSL/TLS termination between external users and your kdb+ application. This setup is typically handled by a network or DevOps engineer. Users would connect securely to the proxy via TLS, and after decrypting the TLS connection, the proxy forwards the request to your kdb+ process over a plain (non-TLS) connection. This approach allows your kdb+ instance to continue operating without the complexities of managing TLS connections directly, while the proxy handles all encryption-related tasks and adds an additional layer of security. Within your kdb+ process, you can then perform checks to determine if the user is in a specify LDAP group or whatever the requirement is.
Log in to reply.