PSK Support

This commit is contained in:
Nate Brown
2021-04-14 17:04:17 -05:00
parent a22c134bf5
commit cf3b7ec2fa
9 changed files with 372 additions and 44 deletions


@@ -215,17 +215,42 @@ logging:
# e.g.: `lighthouse.rx.HostQuery`
#lighthouse_metrics: false
# Handshake Manager Settings
#handshakes:
# Handshake Manger Settings
handshakes:
# Handshakes are sent to all known addresses at each interval with a linear backoff,
# Wait try_interval after the 1st attempt, 2 * try_interval after the 2nd, etc, until the handshake is older than timeout
# A 100ms interval with the default 10 retries will give a handshake 5.5 seconds to resolve before timing out
#try_interval: 100ms
#retries: 20
# trigger_buffer is the size of the buffer channel for quickly sending handshakes
# after receiving the response for lighthouse queries
#trigger_buffer: 64
# pki can be used to mask the contents of handshakes and makes handshaking with unintended recipients more difficult
psk:
# mode defines the how pre shared keys can be used in a handshake
# `none` (the default) does not send or receive using a psk. Ideally `enforced` is used.
# `transitional` can receive handshakes using a psk that we know about, but we will not send any handshakes using a psk.
# This is helpful for transitioning to `enforced` and should be changed to `enforced` as soon as possible.
# Move every node in your mesh to `transitional` then you can move every node in your mesh to `enforced` without having to stop the world
# This assumes `keys` is the same on every node in your mesh
# `enforced` enforces the use of a psk for all tunnels. Any node not also using `enforced` or `transitional` will not be able to handshake with us
#mode: none
# In `transitional` and `enforced` modes, the keys provided here are sent through hkdf with the intended recipients
# ip used in the info section. This helps guard against handshaking with the wrong host if your static_host_map or
# lighthouse(s) has incorrect information.
#
# Setting keys if mode is `none` has no effect.
#
# Only the first key is used for outbound handshakes but all keys provided will be tried in the order specified, on
# incoming handshakes. This is to allow for psk rotation.
#keys:
# - shared secret string, this one is used in all outbound handshakes
# - this is a fallback key, received handshakes can use this
# - another fallback, received handshakes can use this one too
# - "\x68\x65\x6c\x6c\x6f\x20\x66\x72\x69\x65\x6e\x64\x73" # for raw bytes if you desire
# Nebula security group configuration
firewall:
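Review bot: The comment introducing the new `psk:` block reads `# pki can be used to mask the contents of handshakes…`, but the key it describes is `psk`, so the line should be `# psk can be used to mask the contents of handshakes and makes handshaking with unintended recipients more difficult`. The `mode` description also leaves the mixed-mode direction unstated: `transitional` is documented as never sending a psk while `enforced` requires one for all tunnels, so a `transitional` node initiating a handshake to an `enforced` node would appear to fail unless `enforced` only checks inbound handshakes; one sentence saying which direction is accepted during the migration would make the "without having to stop the world" claim checkable by an operator. Under `keys`, the rotation procedure the comment implies is worth spelling out so nobody breaks tunnels by reordering in one step: add the new key as a fallback on every node first, then move it to the first position on every node, then remove the old key, since only the first key is used outbound. If `# Handshake Manger Settings` is the new side of this change, `Manger` should be `Manager`.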