
Commit e6747e9

committed
feat(microservice): add TLS over TCP support
add TLS support documentation
1 parent 200d477 commit e6747e9

File tree

1 file changed

+87
-0
lines changed


content/microservices/basics.md

Lines changed: 87 additions & 0 deletions
@@ -375,3 +375,90 @@ this.client
375375
> info **Hint** The `timeout` operator is imported from the `rxjs/operators` package.
376376
377377
After 5 seconds, if the microservice isn't responding, it will throw an error.
378+
379+
#### TLS support
380+
381+
Whenever we leave a private network we should encrypt our traffic. Nest supports TLS over TCP with the default TCP client by utilizing Nodes [TLS](https://nodejs.org/api/tls.html) module. In order to use TLS we need to pass `useTls: true` to the options.
382+
383+
For creating a TLS Server we need to create or obtain a private key in PEM format as well as a certificate in PEM format and add it to the servers options:
384+
385+
```typescript
386+
import * as fs from 'fs';
387+
388+
async function bootstrap() {
389+
const key = fs.readFileSync(<pathToKeyFile>);
390+
const cert = fs.readFileSync(<pathToCertFile>);
391+
const app = await NestFactory.createMicroservice<MicroserviceOptions>(AppModule,
392+
{
393+
transport: Transport.TCP,
394+
options: {
395+
useTls: true,
396+
key,
397+
cert
398+
}
399+
});
400+
await app.listen();
401+
}
402+
```
403+
404+
A TCP TLS client can be created using the same approach as the TCP client from above, but we need to set `useTls = true` as well.
405+
The client will fetch the servers certificate by default:
406+
407+
```typescript
408+
@Module({
409+
imports: [
410+
ClientsModule.register([
411+
{ name: 'MATH_SERVICE', transport: Transport.TCP, options: { useTls: true} },
412+
]),
413+
]
414+
...
415+
})
416+
417+
```
418+
419+
If we are using self-signed certificates we need to pass the CA(s) in PEM format to our client as well:
420+
421+
```typescript
422+
import * as fs from 'fs';
423+
424+
const ca = fs.readFileSync(<pathToCAFile>);
425+
426+
@Module({
427+
imports: [
428+
ClientsModule.register([
429+
{ name: 'MATH_SERVICE',
430+
transport: Transport.TCP,
431+
options: { useTls: true, ca}
432+
},
433+
]),
434+
]
435+
...
436+
})
437+
```
438+
439+
We can also pass an array of CAs to the Client:
440+
441+
```typescript
442+
import * as fs from 'fs';
443+
444+
const ca1 = fs.readFileSync(<pathToCAFile1>);
445+
const ca2 = fs.readFileSync(<pathToCAFile2>);
446+
447+
@Module({
448+
imports: [
449+
ClientsModule.register([
450+
{ name: 'MATH_SERVICE',
451+
transport: Transport.TCP,
452+
options: { useTls: true, ca: [ca1, ca2]}
453+
},
454+
]),
455+
]
456+
...
457+
})
458+
```
459+
460+
Then we can inject the `ClientProxy` as usual using `@Inject('MATH_SERVICE')`
461+
462+
For further information refer to Nodes [TLS](https://nodejs.org/api/tls.html) module:
463+
The server uses the `createServer(options)` method.
464+
The client uses the `TLSSocket()` constructor.
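Review bot: the sentence "The client will fetch the servers certificate by default" (added line 405) misstates the security-relevant behaviour and should be reworded: what the client does by default is receive the server's certificate during the handshake and verify it against Node's bundled CA store, rejecting the connection if the chain does not validate, so something like "By default the client validates the server's certificate against Node's built-in CA store; connections to servers with certificates that cannot be verified are rejected" makes clear why the `ca` option in the following examples is needed for self-signed certificates. In the same paragraph, `useTls = true` should be `useTls: true` to match the object literal syntax used in the code blocks and in the first paragraph. The self-signed paragraph (line 419) would also be clearer if it said which PEM to pass: for a truly self-signed server certificate the `ca` entry is that certificate itself, while for a private CA it is the CA certificate that signed the server certificate. Minor: "Nodes" on lines 381 and 462 should be "Node's", and "servers" on lines 383 and 405 should be "server's".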
