KX Community

Find answers, ask questions, and connect with our KX Community around the world.
KX Community Guidelines

Home Forums kdb+ How to check if incoming connection is TLS?

Tagged: , ,

  • How to check if incoming connection is TLS?

    Posted by user931206 on July 10, 2024 at 9:09 am

    I have a situation where I want users to connect using TLS, but I want my kdb procs to also permit plain connection so a “-E 1” is specified on the proc.

    The problem is, I want to enforce users to use TLS to connect to my app, but I don’t know how I can check to see if a connection has been opened using TLS.

    For example, when someone uses the InteliJ plugin to connect to my kdb proc I want to check if the user is an LDAP user (I have this specified in a csv config) an then I want to check if the connection is using TLS. If user is LDAP, but no TLS, reject connection.

    I know that if a connection comes from a kdb proc, I can use “.z.e”.

    Is this even possible? If it is not possible, does this mean I will have to use a 2-way verification in which client verifies server certs and server verify client certs?

    jlucid replied 1 month, 1 week ago 2 Members · 1 Reply
  • 1 Reply
  • jlucid

    Member
    August 23, 2024 at 9:16 am

    I’d recommend setting up a proxy, such as Nginx or HAProxy, configured for SSL/TLS termination between external users and your kdb+ application. This setup is typically handled by a network or DevOps engineer. Users would connect securely to the proxy via TLS, and after decrypting the TLS connection, the proxy forwards the request to your kdb+ process over a plain (non-TLS) connection. This approach allows your kdb+ instance to continue operating without the complexities of managing TLS connections directly, while the proxy handles all encryption-related tasks and adds an additional layer of security. Within your kdb+ process, you can then perform checks to determine if the user is in a specify LDAP group or whatever the requirement is.


Log in to reply.