Add a force_tls_destination flag for forcing secure connection to destination
#148
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The use case
The problem
I know that I can import a certificate that my system trusts and establish 2 TLS sessions (app <> grpc-dump and grpc-dump <> remote server), but that's additional hassle. I'd much rather connect insecurely my app to grpc-dump, and then have grpc-dump connect securely to the remote server.
This, ofc, assumes I have the power to change my app's code and allow it to create plain text connections to a server. Whereas I agree that this is not the most correct and black-box way to do it, I think it's much more convenient for a lot of people.
Solution
Add a flag to the cli that forces grpc-dump to establish a TLS connection even if the original connection it is trying to relay is plain text.
Default value: false
If the value is false at runtime, only use TLS if the original request was also TLS secured.
Any input is appreciated, and I'm sorry if the code is not perfect - this is my first Go code :)
I hope you'll find this feature useful or interested. Or not, I'll keep it to myself :)