document TLS termination and subgraph override #3436

Merged (8 commits), Aug 2, 2023
Changes from 5 commits
5 changes: 5 additions & 0 deletions .changesets/docs_geal_document_tls.md
@@ -0,0 +1,5 @@
### document TLS termination and subgraph override ([Issue #3100](https://github.com/apollographql/router/issues/3100))

TLS termination was added in #2614 but never documented, and subgrpah certificate override was added in #2008 but the documentation was missing some details on self signed certificates.

By [@Geal](https://github.com/Geal) in https://github.com/apollographql/router/pull/3436
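Review bot: typo in the changeset body: `subgrpah certificate override` should read `subgraph certificate override`, and `self signed` is conventionally hyphenated as `self-signed` (the docs page this PR adds uses `self-signed`). Otherwise the entry is fine as a docs-only changeset.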
62 changes: 62 additions & 0 deletions docs/source/configuration/overview.mdx
Expand Up @@ -514,6 +514,42 @@ See [Tracing in the Apollo Router](./tracing/).

### TLS

#### TLS termination

Clients can connect to the router directly over HTTPS, without terminating TLS in an intermediary. It can be configured under the `tls` configuration section:

```yaml
tls:
supergraph:
certificate: ${file./path/to/certificate.pem}
certificate_chain: ${file./path/to/certificate_chain.pem}
key: ${file./path/to/key.pem}
```

The file referenced in the `certificate_chain` value is expected to be the combination of several PEM certificates, concatenated together into a single file (as is commonplace with Apache TLS configuration).

Supported TLS versions:
* TLS 1.2
* TLS 1.3

Supported ciphersuites:
* TLS13_AES_256_GCM_SHA384
* TLS13_AES_128_GCM_SHA256
* TLS13_CHACHA20_POLY1305_SHA256
* TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
* TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
* TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
* TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256

Supported key exchange groups:
* X25519
* SECP256R1
* SECP384R1

#### Overriding certificate authorities for subgraphs

TLS connections to subgraphs are verified using the list of certificate authorities provided by the system. You can override this list with a combination of global and per-subgraph settings:

```yaml title="router.yaml"
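Review bot: the sentence "It can be configured under the `tls` configuration section:" has an unclear antecedent (the preceding subject is "Clients", but "It" means the router's HTTPS listener); suggest "This is configured under the `tls` section:". The `supergraph` block also leaves two questions open that the text should answer in one line each: whether `certificate_chain` is optional when the leaf in `certificate` is directly trusted, and whether the chain file should contain only the intermediates or the leaf as well (the "combination of several PEM certificates" sentence is ambiguous on this, and it is repeated verbatim for `certificate_authorities` in the next hunk). Finally, the TLS version, ciphersuite and key exchange lists read as fixed properties of the listener; say explicitly whether any of them can be restricted through configuration, since operators hardening a deployment will look for that.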
Expand All @@ -528,6 +564,32 @@ tls:
certificate_authorities: "${file./path/to/product_ca.crt}"
```

The file referenced in the `certificate_authorities` value is expected to be the combination of several PEM certificates, concatenated together into a single file (as is commonplace with Apache TLS configuration).

These certificates are only configurable via the Router's configuration since using SSL_CERT_FILE would also override certificates for sending telemetry and communicating with Apollo Uplink.

**Note**: If the subgraph is presenting a self-signed certificate, it must be generated with the proper file extension and with `basicConstraints` disabled.
It can be generated with the following command line from a certificate signing request (in this example, `server.csr`):

```
openssl x509 -req -in server.csr -signkey server.key -out server.crt -extfile v3.ext
```

And a `v3.ext` extension file like this, by changing the `subjectAltName` field to the subgraph's name:

```
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
# this has to be disabled
# basicConstraints = CA:TRUE
keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign
subjectAltName = DNS:local.apollo.dev
issuerAltName = issuer:copy
```

This will produce the file as server.crt which can be used in `certificate_authorities`.


### Request limits

> **Request limits are currently in [preview](/resources/product-launch-stages#preview).**
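Review bot: the `v3.ext` example is internally inconsistent with the note above it: the text says `basicConstraints` must be disabled (the certificate is not a CA), yet the `keyUsage` line still lists `keyCertSign`, which X.509 reserves for CA certificates; drop `keyCertSign` from `keyUsage = digitalSignature, nonRepudiation, keyEncipherment, dataEncipherment, keyAgreement, keyCertSign` so the extension file matches the prose. Two phrases are too vague to act on: "generated with the proper file extension" never says which extension (the command writes `server.crt`, so either say that or say the extension is irrelevant), and "`basicConstraints` disabled" really means the extension is omitted entirely, as the commented-out line shows; "must not carry a `basicConstraints` extension" is more precise. The `openssl x509 -req` command passes no `-days`, so readers get OpenSSL's default validity; worth mentioning `-days` because this certificate doubles as the trust anchor in `certificate_authorities` and will silently stop validating when it expires. Minor: `SSL_CERT_FILE` should be in backticks, and "This will produce the file as server.crt which can be used in `certificate_authorities`" reads better as "This produces `server.crt`, which can then be used in `certificate_authorities`."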