Securing the server


Hi… I hope you rested last night!

Come on, I need your help here!


Good morning! What’s the matter? Sounds worrying


We forgot to take the most basic security measures when deploying our services. Everybody at the company can access the services and the information is transferred in clear text.


Oh! Damn, you’re right! You think we can do anything to solve this mess?


Yes, I’m pretty sure that those smart guys have thought about that when building Kapow! Have a look at the documentation.


Got it! They did it, here’re the instructions to start a server with HTTPS support.

It’s amazing! It says we can even use mTLS to control access, really promising.


Ok, ok… First things first. We need to get a server certificate to start working with HTTPS. Fortunately we can ask the CA we use for the other servers for one. Let’s pick up one for development, they’re quick to get.


Yeah! I’ll change the startup script to configure HTTPS:

$ kapow server --keyfile /etc/kapow/tls/keyfile --certfile /etc/kapow/tls/certfile /etc/kapow/awesome.pow

It’s easy, please copy the private key file and certificate chain to /etc/kapow/tls and we can restart.


Great! It’s working, communications are secured. Let’s tell everybody to change from http to https.


Ok, did it. What are the steps to follow to limit access by using mTLS?


Besides configuring the server we need to provide the users with their own client certificates and private keys so they can configure their browsers and the application server.


Yes, please give me the CA certificate that will issue our client certificates and I’ll change the startup script again.

$ kapow server --keyfile /etc/kapow/tls/keyfile --certfile /etc/kapow/tls/certfile --clientauth=true --clientcafile /etc/kapow/tls/clientCAfile /etc/kapow/awesome.pow



Ok, let’s communicate the changes to all the affected teams before we restart.


Oh God, after all we’re starting to look like Google.
