Securing Thanos gRPC interfaces with TLS and nginx

Using nginx as a reverse proxy for HTTP(S) requests is one of its most widely used functions.

It is also possible to use nginx as a reverse proxy for gRPC requests in a similar manner, starting from nginx version 1.13.10. It might be useful, for example, when securing Thanos API endpoints, which use gRPC instead of HTTP.

Here is a small snippet of what that configuration might look like:

server {
    # gRPC is carried over HTTP/2, so both ssl and http2 are required here
    listen      443 ssl http2;
    server_name host.local;

    # Mutual TLS: require a client certificate issued by the CA in client_ca.pem
    ssl_verify_client      on;
    ssl_verify_depth       2;
    ssl_certificate        /etc/nginx/tls/server.pem;
    ssl_certificate_key    /etc/nginx/tls/server.key;
    ssl_client_certificate /etc/nginx/tls/client_ca.pem;

    location / {
        # Forward the gRPC stream to the Thanos gRPC port on localhost
        grpc_pass grpc://127.0.0.1:10901;
    }
}

To break it down:

  • listen 443 ssl http2 - enable TLS and HTTP/2 on this server block on port 443; gRPC uses HTTP/2 for transport, so http2 is not optional here.
  • ssl_certificate and ssl_certificate_key - set up connection encryption by specifying the server's TLS certificate and private key.
  • ssl_verify_client on and ssl_client_certificate - require client authentication (mutual TLS) and specify the CA that client certificates must chain to; ssl_verify_depth bounds the length of that chain.
  • grpc_pass - proxy requests on / to a gRPC interface, much the same way one would do with proxy_pass for HTTP.
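The snippet above proxies to a sidecar on loopback, so the hop from nginx to Thanos stays on the host. When the Thanos component lives on another machine, the same pattern can be extended so that the upstream leg is encrypted and verified as well. The following is an added example, not configuration from the original post or from the Thanos project; the hostnames, the upstream address 10.0.0.5 and every certificate path are assumptions, and it assumes the Thanos sidecar has been configured to serve its gRPC port over TLS with a certificate issued by the internal CA.

```nginx
# Added example: client-side mutual TLS plus verified TLS toward a remote
# Thanos gRPC endpoint. All names and paths below are assumptions.
server {
    listen      443 ssl http2;
    server_name thanos-proxy.example.internal;   # assumed name

    # Identity this proxy presents to Thanos Query (assumed paths)
    ssl_certificate        /etc/nginx/tls/server.pem;
    ssl_certificate_key    /etc/nginx/tls/server.key;
    ssl_protocols          TLSv1.2 TLSv1.3;

    # Require a client certificate that chains to the internal client CA
    ssl_verify_client      on;
    ssl_verify_depth       2;
    ssl_client_certificate /etc/nginx/tls/client_ca.pem;

    location / {
        # grpcs:// because the sidecar itself terminates TLS on 10901 (assumed)
        grpc_pass grpcs://10.0.0.5:10901;

        # Verify the sidecar's certificate against the internal CA and send SNI
        # so the name check matches the name in that certificate
        grpc_ssl_verify              on;
        grpc_ssl_verify_depth        2;
        grpc_ssl_trusted_certificate /etc/nginx/tls/internal_ca.pem;
        grpc_ssl_server_name         on;
        grpc_ssl_name                thanos-sidecar.example.internal;

        # Authenticate nginx to the sidecar with its own client certificate,
        # so the sidecar can in turn require mutual TLS (assumed paths)
        grpc_ssl_certificate         /etc/nginx/tls/proxy_client.pem;
        grpc_ssl_certificate_key     /etc/nginx/tls/proxy_client.key;
    }
}
```

After reloading, a quick check is to connect with openssl s_client -connect thanos-proxy.example.internal:443 -alpn h2 and no -cert/-key: nginx should refuse to proxy the request (it answers with an HTTP 400 about the missing client certificate) rather than let an unauthenticated caller reach the Store API, while the same command with -cert and -key pointing at a certificate issued by client_ca.pem should be accepted. If the upstream certificate check fails, nginx returns 502 and the reason is visible in the error log, which is the place to look before loosening grpc_ssl_verify.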