OrgGo
/
Mainflux.mainflux
mirror of https://github.com/mainflux/mainflux.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

NOISSUE - fix security doc (#897) 

Signed-off-by: Manuel Imperiale <manuel.imperiale@gmail.com>
This commit is contained in:
Manuel Imperiale 2019-10-21 15:02:21 +02:00 committed by Dušan Borovčanin
parent ddbf172ed5
commit 1da48afc4c
2 changed files with 32 additions and 35 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

62
docs/security.md
View File

@ -1,9 +1,37 @@
## Server configuration
### Securing PostgreSQL connections
### Users
If either the cert or key is not set, the server will use insecure transport.
`MF_USERS_SERVER_CERT` the path to server certificate in pem format.
`MF_USERS_SERVER_KEY` the path to the server key in pem format.
### Things
If either the cert or key is not set, the server will use insecure transport.
`MF_THINGS_SERVER_CERT` the path to server certificate in pem format.
`MF_THINGS_SERVER_KEY` the path to the server key in pem format.
## Client configuration
If you wish to secure the gRPC connection to `things` and `users` services you must define the CAs that you trust. This does not support mutual certificate authentication.
### Adapter configuration
`MF_HTTP_ADAPTER_CA_CERTS`, `MF_MQTT_ADAPTER_CA_CERTS`, `MF_WS_ADAPTER_CA_CERTS`, `MF_COAP_ADAPTER_CA_CERTS` - the path to a file that contains the CAs in PEM format. If not set, the default connection will be insecure. If it fails to read the file, the adapter will fail to start up.
### Things
`MF_THINGS_CA_CERTS` - the path to a file that contains the CAs in PEM format. If not set, the default connection will be insecure. If it fails to read the file, the service will fail to start up.
## Securing PostgreSQL connections
By default, Mainflux will connect to Postgres using insecure transport.
If a secured connection is required, you can select the SSL mode and set paths to any extra certificates and keys needed.
If a secured connection is required, you can select the SSL mode and set paths to any extra certificates and keys needed.
`MF_USERS_DB_SSL_MODE` the SSL connection mode for Users.
`MF_USERS_DB_SSL_CERT` the path to the certificate file for Users.
@ -21,33 +49,3 @@ Supported database connection modes are: `disabled` (default), `required`, `veri
By default gRPC communication is not secure as Mainflux system is most often run in a private network behind the reverse proxy.
However, TLS can be activated and configured.
### Server configuration
#### Users
If either the cert or key is not set, the server will use insecure transport.
`MF_USERS_SERVER_CERT` the path to server certificate in pem format.
`MF_USERS_SERVER_KEY` the path to the server key in pem format.
#### Things
If either the cert or key is not set, the server will use insecure transport.
`MF_THINGS_SERVER_CERT` the path to server certificate in pem format.
`MF_THINGS_SERVER_KEY` the path to the server key in pem format.
### Client configuration
If you wish to secure the gRPC connection to `things` and `users` services you must define the CAs that you trust. This does not support mutual certificate authentication.
#### Adapter configuration
`MF_HTTP_ADAPTER_CA_CERTS`, `MF_MQTT_ADAPTER_CA_CERTS`, `MF_WS_ADAPTER_CA_CERTS`, `MF_COAP_ADAPTER_CA_CERTS` - the path to a file that contains the CAs in PEM format. If not set, the default connection will be insecure. If it fails to read the file, the adapter will fail to start up.
#### Things
`MF_THINGS_CA_CERTS` - the path to a file that contains the CAs in PEM format. If not set, the default connection will be insecure. If it fails to read the file, the service will fail to start up.

5
mkdocs.yml
View File

@ -31,9 +31,8 @@ pages:
- Messaging: messaging.md
- Storage: storage.md
- LoRa: lora.md
- Security:
- Secure communication: security.md
- Authentication: authentication.md
- Security: security.md
- Authentication: authentication.md
- CLI: cli.md
- Bootstrap: bootstrap.md
- Tracing: tracing.md