Posts Tagged: ‘gRPC’

node.js, domino-db & Docker (13): Logging gRPC requests

29. November 2018 Posted by Sven Hasselbach

For logging the gRPC requests you can use nginx as a reverse proxy. gRPC support was added in version 1.13.10.

To install it locally on your Domino server (RHEL), open a terminal and do the following:

1. Identify which version you are running

cat /etc/redhat-release

The resulting output tells you which major version you are using:

[notes@redhat-dev-hq /]$ cat /etc/redhat-release 
Red Hat Enterprise Linux Server release 7.6 (Maipo)

2. Add the nginx repository

sudo vi /etc/yum.repos.d/nginx.repo

3. Add the repo data

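[nginx]
name=nginx repo
baseurl=http://nginx.org/packages/rhel/7/$basearch/
# Verify package signatures against the nginx signing key
gpgcheck=1
gpgkey=https://nginx.org/keys/nginx_signing.key
enabled=1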

The „7“ in the base url is the major version from step 1.

4. Install nginx

sudo yum install nginx

5. Create a new config for gRPC

sudo vi /etc/nginx/conf.d/grpc.conf

6. Add the debug log configuration

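server {
     # Plain-text HTTP/2 listener (no TLS) for the gRPC clients
     listen 81 http2;

     # Request log in the "main" format, plus the verbose debug log
     access_log /var/log/nginx/grpc-access.log main;
     error_log /var/log/nginx/grpc-debug.log debug;

     location / {
        # Forward everything unencrypted to the gRPC backend on port 3002
        grpc_pass grpc://localhost:3002;
     }
}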

The reverse proxy is now listening on port 81. You have to change the port in the application configuration so that it connects to the proxy. The „error_log“ is our debug log; the „access_log“ logs just the requests themselves.

If you are new to vim: First you have to press „i“ to insert text. After pasting the configuration above, press <ESC>, then :w<ENTER>, then :q<ENTER>

7. Test the configuration

[notes@redhat-dev-hq /]$ sudo nginx -t
nginx: the configuration file /etc/nginx/nginx.conf syntax is ok
nginx: configuration file /etc/nginx/nginx.conf test is successful

8. Start the nginx debug task & enjoy the results

sudo service nginx stop
sudo service nginx-debug start

Now the log file is filled with the complete debug information about the incoming gRPC requests.
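As an added example (not part of the original post), this shell function tallies the gRPC calls per client from the access log written by the configuration above. It assumes the `main` log format shipped in the nginx.org package; the sample lines, addresses and service/method names are constructed placeholders.

```shell
#!/bin/sh
# Added example: summarise gRPC calls from an nginx access log ("main" format).

# Constructed sample lines (not real traffic; service names are placeholders).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [29/Nov/2018:10:15:01 +0100] "POST /example.Service/BulkRead HTTP/2.0" 200 412 "-" "grpc-node/1.16.1" "-"
192.0.2.10 - - [29/Nov/2018:10:15:02 +0100] "POST /example.Service/BulkRead HTTP/2.0" 200 398 "-" "grpc-node/1.16.1" "-"
192.0.2.77 - - [29/Nov/2018:10:16:40 +0100] "POST /example.Service/BulkDelete HTTP/2.0" 200 51 "-" "grpc-node/1.16.1" "-"
198.51.100.5 - - [29/Nov/2018:10:17:03 +0100] "GET / HTTP/2.0" 502 157 "-" "curl/7.29.0" "-"
EOF
}

# Reads log lines on stdin, prints "count client /Service/Method http_status",
# most frequent first. Anything that is not a gRPC-shaped request is counted
# separately so unexpected traffic on the proxy port stands out.
# Note: the HTTP status is not the gRPC status (that travels in a trailer).
summarize_grpc() {
    awk -F'"' '
        {
            # $1 = addr - user [time]   $2 = request line   $3 = status bytes
            split($1, pre, " ");  client = pre[1]
            split($2, req, " ");  verb = req[1]; path = req[2]; proto = req[3]
            split($3, post, " "); status = post[1]
            # gRPC calls are HTTP/2 POSTs to /package.Service/Method
            if (verb == "POST" && proto == "HTTP/2.0" && path ~ "^/[^/]+/[^/]+$")
                n[client " " path " " status]++
            else
                other++
        }
        END {
            for (k in n) print n[k], k
            if (other) print other, "- non-grpc -"
        }' | sort -rn
}

# Demo on the constructed sample; on the server use:
#   summarize_grpc < /var/log/nginx/grpc-access.log
sample_log | summarize_grpc
```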

node.js, domino-db & Docker (12): DominoDB and a big NO-NO?

15. November 2018 Posted by Sven Hasselbach

Disclaimer: This is a response to Heiko’s post about his security considerations with the domino-db module. It is good to have such a discussion, and hopefully this discussion will go on. This is my personal view on this topic. If you have another opinion, feel free to add a comment.

What is gRPC?

gRPC was designed for inter-system communication, and uses HTTP/2 instead of HTTP.

Is it cool?

Yes. And super fast. Millennials will love it. It’s lightweight. Did I mention that it is super fast?

Can I use it in my node.js application for accessing Domino?

gRPC was designed exactly for this purpose. You can also directly use it for connections from a desktop or mobile app, if you want. Or for data access from IoT devices. It may be used directly within the browser in the future (if IBM/HCL gives us access to it).

Is it safe?

Google developed it for its microservices architecture. If you do not trust Google’s technical experience, you should shut down your computer right now. And don’t power it on again.

Should other systems be allowed to access the Proton task directly?

Why not? This is inter-system communication. The traffic is encrypted when using certificates. If you need an additional security layer for limiting access, use a firewall. Or tunnel the traffic with VPN/SSH. This is the typical setup for cloud applications.

The Proton port shouldn’t be reachable from outside

Why not? NRPC is also open. And HTTP, HTTPS, LDAP, SMTP, IMAP, POP3, …

gRPC is bad and voodoo!

Really? What do you think NRPC stands for? You have been using RPC for decades… By the way, which encryption algorithms are you using on your Domino servers for NRPC?

What are these client certificates?

The certificates are the same as a username / password. Nothing else. And nothing more. This has nothing to do with a Notes ID.

Isn’t it insecure to use client certificates?

No, because it is the same as when you give access to your system with username/password. Ever created a webservice provider or a REST API for a 3rd party system? How do you give these systems access?

But I have to trust an external system…

Sure you need to. Other systems must do the same when you are connecting to them from Domino. This is the reason why you have to fill out 500 pages and get a sign-off by a long list of involved persons before this is allowed (especially in the financial sector).

I am running a local node.js server on my Domino…

Fine. This is still as insecure as running the system somewhere in the cloud. If you are doing the user authentication in your node.js application, you are still making an „insecure“ request to Domino, and Domino has to „trust“ the incoming request.

The client key is stored without password!

If the „other“ system is compromised, it doesn’t matter which kind of authentication was used. Where do you think they are storing the username / password for accessing your WebService / REST API?

How to handle user authentication?

This is an open topic. domino-db is still a beta. But this must be solved by IBM/HCL. At least we need a way to run queries „in the name of“ a user.

But you also encrypt the keys…

Yes. But for other reasons: to prevent accidental check-ins into code repositories, and to prevent them from being stored in backups or accessed directly from „outside“ through a bug.

I have created a REST API with node.js as a wrapper for gRPC/domino-db

So why did you use the domino-db module? Write it directly on top of Domino, as a Servlet or an XPages REST API. Then you don’t have any limitations and the authentication problem is solved too.

But this is a secure approach to use it in production!

No. It’s a beta. Don’t use it in production. Period.

You were sceptical about node.js & Domino

Yes, and I still think there is a lot of work to do before it can be used. But please read again what I have written in my post:

"So far I am still open for a big surprise and hopefully HCL can convince me of the contrary."