Commit 4a02aa6

Merge branch 'feat/microservice-tcp-tls' of https://github.com/Flusinerd/docs.nestjs.com into Flusinerd-feat/microservice-tcp-tls
2 parents 467c189 + e6747e9 commit 4a02aa6

1 file changed

+87
-0
lines changed

content/microservices/basics.md

Lines changed: 87 additions & 0 deletions
@@ -410,3 +410,90 @@ this.client
410410
> info **Hint** The `timeout` operator is imported from the `rxjs/operators` package.
411411
412412
After 5 seconds, if the microservice isn't responding, it will throw an error.
413+
414+
#### TLS support
415+
416+
Whenever we leave a private network we should encrypt our traffic. Nest supports TLS over TCP with the default TCP client by utilizing Nodes [TLS](https://nodejs.org/api/tls.html) module. In order to use TLS we need to pass `useTls: true` to the options.
417+
418+
For creating a TLS Server we need to create or obtain a private key in PEM format as well as a certificate in PEM format and add it to the servers options:
419+
420+
```typescript
421+
import * as fs from 'fs';
422+
423+
async function bootstrap() {
424+
const key = fs.readFileSync(<pathToKeyFile>);
425+
const cert = fs.readFileSync(<pathToCertFile>);
426+
const app = await NestFactory.createMicroservice<MicroserviceOptions>(AppModule,
427+
{
428+
transport: Transport.TCP,
429+
options: {
430+
useTls: true,
431+
key,
432+
cert
433+
}
434+
});
435+
await app.listen();
436+
}
437+
```
438+
439+
A TCP TLS client can be created using the same approach as the TCP client from above, but we need to set `useTls = true` as well.
440+
The client will fetch the servers certificate by default:
441+
442+
```typescript
443+
@Module({
444+
imports: [
445+
ClientsModule.register([
446+
{ name: 'MATH_SERVICE', transport: Transport.TCP, options: { useTls: true} },
447+
]),
448+
]
449+
...
450+
})
451+
452+
```
453+
454+
If we are using self-signed certificates we need to pass the CA(s) in PEM format to our client as well:
455+
456+
```typescript
457+
import * as fs from 'fs';
458+
459+
const ca = fs.readFileSync(<pathToCAFile>);
460+
461+
@Module({
462+
imports: [
463+
ClientsModule.register([
464+
{ name: 'MATH_SERVICE',
465+
transport: Transport.TCP,
466+
options: { useTls: true, ca}
467+
},
468+
]),
469+
]
470+
...
471+
})
472+
```
473+
474+
We can also pass an array of CAs to the Client:
475+
476+
```typescript
477+
import * as fs from 'fs';
478+
479+
const ca1 = fs.readFileSync(<pathToCAFile1>);
480+
const ca2 = fs.readFileSync(<pathToCAFile2>);
481+
482+
@Module({
483+
imports: [
484+
ClientsModule.register([
485+
{ name: 'MATH_SERVICE',
486+
transport: Transport.TCP,
487+
options: { useTls: true, ca: [ca1, ca2]}
488+
},
489+
]),
490+
]
491+
...
492+
})
493+
```
494+
495+
Then we can inject the `ClientProxy` as usual using `@Inject('MATH_SERVICE')`
496+
497+
For further information refer to Nodes [TLS](https://nodejs.org/api/tls.html) module:
498+
The server uses the `createServer(options)` method.
499+
The client uses the `TLSSocket()` constructor.
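
Review bot: the client paragraph at new lines 439-440 says only "The client will fetch the servers certificate by default" and does not say whether that certificate is verified against a trusted CA and the expected host name, which is the property that makes `useTls` worth enabling. The self-signed paragraph at line 454 implies that verification happens, and line 499 says the client is built on the `TLSSocket()` constructor, so please confirm what the client actually checks and state it in the text, including what the caller sees when verification fails. Smaller points in the same hunk: line 416 writes the option as `useTls: true` while line 439 writes `useTls = true`, so use the object-literal form in both places; "Nodes" (416, 497) and "servers" (418, 440) should be possessive; and the snippets use `<pathToKeyFile>`-style placeholders and omit the `NestFactory`, `Transport` and `ClientsModule` imports, so they will not compile as pasted.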
