Securing Thanos gRPC interfaces with TLS and nginx
Using nginx as a reverse proxy for HTTP(S) requests is one of its most widely used functions.
It is also possible to use nginx as a reverse proxy for gRPC requests in a similar manner, starting from nginx version 1.13.10. It might be useful, for example, when securing Thanos API endpoints, which use gRPC instead of HTTP.
Here is a small snippet of what that configuration might look like:
server {
    listen 443 ssl http2;
    server_name host.local;

    ssl_verify_client on;
    ssl_verify_depth 2;

    ssl_certificate /etc/nginx/tls/server.pem;
    ssl_certificate_key /etc/nginx/tls/server.key;
    ssl_client_certificate /etc/nginx/tls/client_ca.pem;

    location / {
        grpc_pass grpc://127.0.0.1:10901;
    }
}
To break it down:
- listen 443 ssl http2: enable SSL and HTTP/2 on this server block on port 443. gRPC uses HTTP/2 as its transport, so the http2 parameter is required here, not optional.
- ssl_certificate and ssl_certificate_key: set up connection encryption by specifying the server's TLS certificate and private key.
- ssl_verify_client on, ssl_client_certificate and ssl_verify_depth: require client authentication and specify the CA that client certificates must chain to (up to a depth of 2). Handshakes without a valid client certificate are rejected by nginx itself, so an unauthenticated caller never reaches the Thanos process behind it. Without this line, anyone who can reach port 443 could query the Thanos API.
- location / with grpc_pass: proxy requests on / to the gRPC interface, much the same way one would do with proxy_pass. Note the grpc:// scheme: the hop from nginx to Thanos is plaintext, which is acceptable only because the upstream stays on the loopback interface; if Thanos runs on another host and itself serves TLS, use grpcs:// instead.
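As an added example (not from the original post), here is a slightly stricter variant of the same server block. It keeps the certificate paths and loopback upstream from above; the explicit ssl_protocols line and the /thanos.Store/ path prefix (gRPC routes requests on /<package>.<Service>/<Method>, and the Thanos Store API is assumed to be package "thanos", service "Store") are assumptions added for the example, so verify the service name against the Thanos build you run.

```nginx
server {
    listen 443 ssl http2;
    server_name host.local;

    # Same server certificate material as in the snippet above (paths assumed)
    ssl_certificate         /etc/nginx/tls/server.pem;
    ssl_certificate_key     /etc/nginx/tls/server.key;

    # Mutual TLS: every client must present a certificate that chains to
    # client_ca.pem within the allowed depth. Anything else fails during the
    # handshake, before a single gRPC frame reaches the upstream.
    ssl_verify_client       on;
    ssl_verify_depth        2;
    ssl_client_certificate  /etc/nginx/tls/client_ca.pem;

    # Pin the protocol versions explicitly; older nginx builds default to
    # also accepting TLSv1 and TLSv1.1 (assumed hardening, not in the original)
    ssl_protocols           TLSv1.2 TLSv1.3;

    # Expose only the Thanos Store API service path (assumed name) to the
    # upstream. grpc_pass forwards the original request URI unchanged.
    location /thanos.Store/ {
        grpc_pass grpc://127.0.0.1:10901;   # plaintext hop, loopback only
    }

    # Every other gRPC service or HTTP path is refused instead of proxied.
    location / {
        return 403;
    }
}
```

The difference from the original block is scope: with location / and grpc_pass, any gRPC service the Thanos process happens to serve on 10901 is reachable by every holder of a valid client certificate, whereas the prefix location narrows that to one service and lets nginx answer the rest itself.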