Deactivate SSL on the dashboard when in **non** --insecure mode

Hey just a quick question, as the docs nowhere state if there is an option or not.

For the dashboard (the one running on 8080), when running in secure mode this gets SSL-encrypted as well. This is however in my case unwanted. I have an SSL-terminating load balancer that provides a valid SSL certificate, so that this interface is not presented with a self-signed certificate.

In my case I deploy crdb via Rancher, and by default without tweaking stuff, the haproxy in front does SSL termination and expects the backend not to be encrypted anymore. Which would be totally fine though.

If there is an option to disable dashboard encryption once and for all without disabling the rest of the secure setup, I would be grateful if you would tell me though. If there is no option, I will add a feature request on the github tracker.

Thanks in advance.

There is currently no way to do this but it may be reasonable to add. Security-wise, as long as the port is only accessible through the proxy it should be fine.

Another option would be to allow separate node and admin UI certificates (partially mentioned in https://github.com/cockroachdb/cockroach/issues/14272) in which case the load balancer could just do tcp-level forwarding.

I don’t know Rancher, but can you configure HAProxy to use SSL to the backends? Since HAProxy version 1.5 you can add the ssl modifier to your backend server lines (example).

For now, the admin UI is read-only so it might be reasonable for you to turn off SSL on this port. However, we’re planning to introduce more advanced features that could be harmful if abused and security best practices would require that you run SSL at every level, including between HAProxy and the CockroachDB server.

Also, if you do want to disable SSL on the admin UI port without waiting for changes to CockroachDB itself, you can put a stunnel in front of it. I have a script to do just that to avoid “unknown certificate authority” issues with some tools.
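As an added illustration of the HAProxy option mentioned above (not configuration from the original thread or from the CockroachDB project), this is what a terminate-and-re-encrypt setup looks like: the public certificate is served on 443, the admin UI is routed by Host header like any other domain, and the `ssl` modifier on the backend `server` lines (HAProxy 1.5+) re-encrypts to port 8080 while `verify required` plus `ca-file` pins the cluster CA so the node's self-signed-looking certificate is accepted without turning verification off. Host names, IPs and file paths are assumptions.

```haproxy
# Added example, assumed host names, addresses and paths.
frontend https_in
    mode http
    # Public-facing certificate (PEM with key + chain), SSL terminated here.
    bind *:443 ssl crt /etc/haproxy/certs/public.pem
    # Treat the admin UI as just another domain behind the same listener.
    acl is_crdb_ui hdr(host) -i crdb-ui.example.com
    use_backend cockroach_ui if is_crdb_ui

backend cockroach_ui
    mode http
    # Re-encrypt towards the node instead of speaking plain HTTP to 8080.
    # "verify required" + "ca-file" checks the chain against the cluster CA
    # that signed the node certificates, so no CA is silently trusted.
    server crdb1 10.0.0.11:8080 ssl verify required ca-file /etc/haproxy/certs/cockroach-ca.crt
    server crdb2 10.0.0.12:8080 ssl verify required ca-file /etc/haproxy/certs/cockroach-ca.crt
```

Note that `verify required` on its own validates the certificate chain, not the host name; if the node certificates carry the node's address in their SANs, add `verifyhost <name>` to the server lines to check that as well. Dropping `verify required` (or using `verify none`) keeps the encryption but loses authentication of the backend, which is the same trust model as plain HTTP once an attacker is on the path.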
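For the stunnel alternative, an added example (not the script referred to above and not part of the original thread): stunnel runs in client mode next to the load balancer, accepts plain HTTP on a local port and opens a TLS connection to the node's 8080, verified against the cluster CA. The load balancer then targets the local plain port and never sees the node certificate. Addresses and paths are assumed.

```ini
; Added example stunnel.conf; addresses and paths are assumptions.
; Run with: stunnel /etc/stunnel/stunnel.conf
foreground = no
pid = /var/run/stunnel-crdb.pid

[crdb-ui]
; client mode: accept plaintext locally, speak TLS to the remote side
client = yes
; plain HTTP entry point for the load balancer (loopback only)
accept = 127.0.0.1:8081
; CockroachDB admin UI port on the node
connect = 10.0.0.11:8080
; verify = 2 requires a peer certificate that chains to CAfile
verify = 2
CAfile = /etc/stunnel/cockroach-ca.crt
```

Keep `accept` bound to loopback or an interface only the load balancer can reach; the hop between stunnel and HAProxy is unencrypted, which is exactly the trade-off the thread is discussing.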

Yes, I know. But for Rancher you need custom backend configs to customize the setup of the backend, and I like to avoid that when possible. The port is however naturally only accessible to the load balancer, which itself serves SSL again.

And about the traffic between cockroach and HAProxy, this won't change. Security-wise the setup does already encrypt any traffic in the internal network anyway though. SSL would just be an additional, not really needed encryption for the internal network. Of course this is also again a topic for discussion though: can you trust your network? If not, encrypt it; if yes, don't do it. For my side any traffic internally is encrypted in the overlay network anyway.

And about the stunnel, I asked here to avoid workarounds :). I already have the nasty tweaking in place, which is just a manual config of a backend, which I want to avoid whenever possible though.

And @marc about the tcp-level forwarding. Not an option, as this forces opening a dedicated port for just another web interface instead of treating it as just another domain. The same goes for SNI forwarding, when everything else is handled with SSL termination though.

@wzrdtales Just created a new issue for you. Feel free to add thoughts as necessary.

https://github.com/cockroachdb/cockroach/issues/17046