This would probably be done by:
- Adding a `tls: true` section to twemproxy pool configuration files
- Adding a `./configure` option to depend on openssl
- Changing callers of nc_write/nc_writev to call a helper method for the nc_conn instead
TysonAndre changed the title from "Look into support for tls connections to memcached/redis servers" to "Look into support for secure TLS connections to memcached/redis servers" on Aug 12, 2021
Just as an example of how this could be useful / enable new use cases:
We're using Google's Memorystore for Redis. Unfortunately, its network connection patterns require the instances to be exposed to our whole (large) VPC. For security, we use TLS and Redis AUTH commands. However, handling that puts some load on developers of services which use Redis.
These services run in Kubernetes with Istio, so we were looking into deploying Twemproxy into each cluster and having it handle the TLS termination and AUTH strings and letting services running in the clusters just connect without authentication or TLS, with the access policy being handled by Istio. However, the lack of TLS support is kind of blocking this use case for us.
For AWS ElastiCache for Redis, AUTH is only possible over TLS, so this is also something we would love to have so we can use ElastiCache with AUTH, as there is no way to use it without TLS :(
Also, for our use case, twemproxy terminating TLS connections from caching backends would be cool, as our caching servers are available on the internet and for the obvious security reason should only communicate inside TLS connections.
Resources:
https://github.com/memcached/memcached/blob/master/testapp.c
https://wiki.openssl.org/index.php/SSL/TLS_Client
https://www.openssl.org/docs/man1.0.2/man3/SSL_CTX_new.html
Related to #583
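An added illustration of the third step in the plan above (routing nc_write/nc_writev callers through a per-connection helper); it is not code from twemproxy or from this thread. `struct conn`, `conn_writev`, `tls_required` and `demo_tls_write` are hypothetical names, and the TLS layer is a constructed stand-in where a wrapper around OpenSSL's `SSL_write()` would go.

```c
/* Added example: struct conn, conn_writev and demo_tls_write are hypothetical names. */
#include <errno.h>
#include <string.h>
#include <sys/types.h>
#include <sys/uio.h>

/* Single-buffer TLS write; a thin wrapper over OpenSSL's SSL_write() fits here. */
typedef ssize_t (*tls_write_fn)(void *tls, const void *buf, size_t len);

struct conn {
    int          fd;           /* socket, written directly only for plaintext pools */
    int          tls_required; /* assumed to come from the pool's "tls: true" */
    void        *tls;          /* TLS session, NULL until the handshake completes */
    tls_write_fn tls_write;
};

/* Constructed stand-in for the TLS layer: records what it was asked to send. */
struct capture { unsigned char data[64]; size_t len; };
ssize_t demo_tls_write(void *tls, const void *buf, size_t len)
{
    struct capture *cap = tls;
    if (len > sizeof(cap->data) - cap->len) len = sizeof(cap->data) - cap->len;
    memcpy(cap->data + cap->len, buf, len);
    cap->len += len;
    return (ssize_t)len;
}

/* Same contract as writev(): bytes accepted, or -1 with errno set. */
ssize_t conn_writev(struct conn *c, const struct iovec *iov, int iovcnt)
{
    unsigned char rec[16384]; /* at most one TLS record of plaintext per call */
    size_t used = 0;

    if (!c->tls_required) return writev(c->fd, iov, iovcnt);
    if (c->tls == NULL || c->tls_write == NULL) {
        errno = ENOTCONN;     /* fail closed: never fall back to plaintext */
        return -1;
    }
    /* TLS has no vectored write: gather the iovecs into one buffer. Whatever
     * does not fit is reported to the caller as a short write. */
    for (int i = 0; i < iovcnt && used < sizeof(rec); i++) {
        size_t n = iov[i].iov_len;
        if (n > sizeof(rec) - used) n = sizeof(rec) - used;
        memcpy(rec + used, iov[i].iov_base, n);
        used += n;
    }
    return used ? c->tls_write(c->tls, rec, used) : 0;
}
```

Because the helper keeps the `writev()` return contract, existing short-write handling in callers continues to work, and a pool marked as requiring TLS can never emit AUTH strings in cleartext while the session is missing.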