Securing NSQ with TLS and Auth

Jud White edited this page Aug 23, 2015 · 10 revisions

Note: This document is still being worked on as of 2015-08-23. It's currently a scratch pad for a tutorial.

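To generate a new public/private key pair (an RSA private key plus a self-signed certificate valid for 3650 days; -nodes leaves the key file unencrypted, so restrict its permissions):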

openssl req -x509 -newkey rsa:2048 -keyout privatekey.pem -out cert.pem -days 3650 -nodes

Tip: Make sure the Common Name is your hostname or FQDN, whichever you'll be using to connect to nsqd.

To allow nsqd to accept TLS upgrade requests:

nsqd -tls-cert="cert.pem" -tls-key="privatekey.pem"

To enforce TLS:

nsqd -tls-cert="cert.pem" -tls-key="privatekey.pem" -tls-required=1

Note: -tls-required=1 effectively shuts off the HTTP endpoint.

To listen on HTTPS:

nsqd -tls-cert="cert.pem" -tls-key="privatekey.pem" -tls-required=1 -https-address=0.0.0.0:4152
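
Before starting nsqd with the flags above, it is worth checking that the certificate and key actually belong together, cover the hostname from the tip, are not about to expire, and that the unencrypted key is not readable by other users. The following is an added example, not part of the original page or the NSQ project; the function name check_nsqd_tls_pair and the 30-day expiry threshold are assumptions.

```shell
#!/bin/sh
# Added example, not NSQ project code. check_nsqd_tls_pair is a hypothetical
# helper: it vets cert.pem / privatekey.pem before they are handed to nsqd.
# Usage: check_nsqd_tls_pair cert.pem privatekey.pem <hostname clients dial>
check_nsqd_tls_pair() {
    cert=$1 key=$2 host=$3 rc=0

    # 1. The key must belong to the certificate: compare the public halves.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || rc=1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || rc=1
    if [ -z "$cert_pub" ] || [ "$cert_pub" != "$key_pub" ]; then
        echo "FAIL: $key is not the private key for $cert" >&2
        rc=1
    fi

    # 2. The certificate must cover the name clients connect to.
    #    -checkhost reports its verdict as text, so match on the output.
    if ! openssl x509 -in "$cert" -noout -checkhost "$host" 2>/dev/null |
        grep -q "does match certificate"; then
        echo "FAIL: $cert is not valid for host $host" >&2
        rc=1
    fi

    # 3. Reject a certificate that expires within 30 days (assumed threshold).
    if ! openssl x509 -in "$cert" -noout -checkend 2592000 >/dev/null 2>&1; then
        echo "FAIL: $cert expires within 30 days" >&2
        rc=1
    fi

    # 4. -nodes leaves the key unencrypted: it must not be group/world readable.
    if [ -n "$(find "$key" \( -perm -040 -o -perm -004 \) 2>/dev/null)" ]; then
        echo "FAIL: $key is readable by group or others (chmod 600)" >&2
        rc=1
    fi

    [ "$rc" -eq 0 ] && echo "OK: $cert and $key are usable for $host"
    return "$rc"
}
```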

To convert a public/private key pair in PEM format to PKCS#12:

openssl pkcs12 -inkey privatekey.pem -in cert.pem -export -out nsq.pfx

To convert PKCS#12 to PEM:

openssl pkcs12 -in nsq.pfx -out keystore.pem -nodes
openssl pkcs12 -in nsq.pfx -out cert.pem -nodes -nokeys
openssl pkcs12 -in nsq.pfx -out privatekey.pem -nodes -nocerts

Resources:

Windows:

More Windows: