Locking Down ClickHouse Networking (Part 2)
This is the second and last part of the article series where we are looking at locking down ClickHouse networking. We’ll continue looking at securing the ClickHouse server by locking down its networking by picking up where we’ve left off in [Part 1].
Specifically, in the first part, we identified what ports are opened by default, compiled a list of all the ports that can be opened by ClickHouse, and looked at the steps of how we can remove, change, and add open ports.
Now we’ll look at how to enable secure connections using SSL and learn how to lock down the server’s access by filtering the hosts and networks from which connections can be made to our server.
Just like in the first part, we’ll be using the altinity/clickhouse-server:22.8.15.25.altinitystable Docker image to play around with ClickHouse. If you followed [Part 1], then you can skip these steps; if not, then you can easily pull this image to make it available on your machine and follow along.
docker pull altinity/clickhouse-server:22.8.15.25.altinitystable
22.8.15.25.altinitystable: Pulling from altinity/clickhouse-server Digest: sha256:9e5ddb1f26695de16eabbf00548220434535ff9376722d506fb237e02f22ec0c Status: Image is up to date for altinity/clickhouse-server:22.8.15.25.altinitystable docker.io/altinity/clickhouse-server:22.8.15.25.altinitystable
Again, we can now run this image and execute bash inside of it to use it as our testing environment.
docker run -d altinity/clickhouse-server:22.8.15.25.altinitystable
In my case, the container ID is the same as before (03e3bb891946b7068848eda073a04524bd7cf6f8e91482f7b247528241c761ab), and therefore, I will login to my container using the following command:
docker exec -it 03e3bb891946b7068848eda073a04524bd7cf6f8e91482f7b247528241c761ab bash root@03e3bb891946:/#
With the setup out of the way, we are ready to continue locking down our ClickHouse server by enabling SSL to secure outside-facing ports.
Securing ports by enabling SSL
After disabling any unnecessary ports opened by ClickHouse, the next step is to enable SSL encryption on any ports that are used for outside communication. The most important default ports to secure are 9009 used for inter-server communication, 9000 used for native protocol clients, and 8123 used for the HTTP client interface, as these are the most likely ports to be exposed to the outside world.
You can find documentation on how to configure SSL for ClickHouse at https://clickhouse.com/docs/en/guides/sre/configuring-ssl, as well as in our network hardening guide: https://docs.altinity.com/operationsguide/security/clickhouse-hardening-guide/network-hardening/. It is important to note that enabling SSL not only provides the benefit of encrypted connections to the outside world, but SSL certificates can also be used to confirm the server’s and client’s identities.
In advanced setups where private certificate authority (CA) is used, ClickHouse can be configured to only allow encrypted connections to servers and clients that present valid certificates signed by your private CA, rejecting any other certificates signed by other private or public CAs. Such setups allow for rejecting connections at the SSL level without even allowing untrusted hosts to attempt to authenticate using a username and password. With SSL configured, user authentication can also be configured to just use X.509 certificate authentication to completely avoid using passwords at all. You can find the documentation related to X.509 certificate authentication at https://clickhouse.com/docs/en/guides/sre/ssl-user-auth and https://clickhouse.com/docs/en/operations/external-authenticators/ssl-x509.
In general, X.509 certificate authentication is underrated. While it can be cumbersome to setup in many cases, most people think it only applies to highly secured environments, which is not the case. X.509 certificate authentication combined with private certificate authority is actually an excellent choice for developers when you bring up a ClickHouse server instance in the cloud and would like to expose its client ports to the public internet, as SSL with X.509 certificate authentication ensures that your native TCP client port and HTTP connections are secured as well as providing passwordless login to your ClickHouse instance. In this way, it is similar to your SSH keys that you use to access your Git repositories without entering your username and password every time you want to work with your remote repository.
Let’s configure our ClickHouse to secure our ports 9009, 9000, and 8123 with SSL and get X.509 certificate user authentication to work to allow for passwordless secure login. The whole procedure can be broken up into three steps.
- Create the CA’s private key and the CA’s self-signed root certificate.
- Create servers and clients private keys and have their certificates signed by our private CA.
- Configure ClickHouse to enable SSL, only trust our private CA-signed certificates, and use X.509 certificate authentication for our ClickHouse users.
Creating private Certificate Authority (CA)
In order to create our CA, we first need to create the CA’s private key. We will name our certificate authority Altinity Blog CA.
openssl genrsa -out altinity_blog_ca.key 2048
Create the CA’s self-signed root certificate that will be valid for about 10 years.
openssl req -new -x509 -subj "/CN=Altinity Blog CA" -days 3650 -key altinity_blog_ca.key -extensions v3_ca -out altinity_blog_ca.crt
Our CA is ready, and we now have the following files:
$ ls *_ca* altinity_blog_ca.crt altinity_blog_ca.key
Creating server and client certificates
We can now create our server’s and client’s private keys and certificate signing requests to be signed by our private Altinity Blog CA certificate authority. The hostname for our ClickHouse server will be clickhouse.altinity.blog, so we will set the common name (CN) of the certificate accordingly. The common name for our client will be just the username that we will use to login with. I will create a certificate to login as the admin user.
openssl req -newkey rsa:2048 -nodes -subj "/CN=clickhouse.altinity.blog" -keyout server.key -out server.csr openssl req -newkey rsa:2048 -nodes -subj "/CN=admin" -keyout client.key -out client.csr
We now have server.key, server.csr, client.key, and client.csr.
$ ls client.* server.* client.csr client.key server.csr server.key
Now is the time to create our signed server and client certificates.
openssl x509 -req -in server.csr -out server.crt -CAcreateserial -CA altinity_blog_ca.crt -CAkey altinity_blog_ca.key -days 365 openssl x509 -req -in client.csr -out client.crt -CAcreateserial -CA altinity_blog_ca.crt -CAkey altinity_blog_ca.key -days 365
Check that server.crt and client.crt are present.
$ ls client.crt server.crt client.crt server.crt
Now let’s create a ./certs directory that we will mount into our container in addition to our custom configuration files. Our ./certs folder should contain the CA’s certificate, server key, and server certificate.
$ mkdir certs $ cp altinity_blog_ca.crt server.key server.crt certs/.
Our server will also need a Diffie-Hellman parameters file. Create it and copy it to ./certs.
openssl dhparam -out dhparam.pem 4096 cp dhparam.pem ./certs/.
We need to update user and group file permissions in ./certs to avoid file permission issues inside the container. This is because we are running ClickHouse inside the container and mounting certificates and keys from the local host, and ClickHouse expects these files to have clickhouse:clickhouse owner and group. Inside the image, the clickhouse user ID is 101. To match it, we need to chown files inside the ./certs to have 101:101 ownership.
sudo chown 101:101 -R certs/*
Configuring ClickHouse for SSL and X.509 certificate authentication
Finally, we are ready to configure ClickHouse to enable SSL. We will also turn off default insecure ports 9009, 9000, and 8123 and enable default secure ports 9010, 9440, and 8443 instead. For <server> and <client>, we will set <verification_mode> to strict to force ClickHouse to verify the full certificate chain. The <loadDefaultCAFile> will be set to false, and <caConfig> will be set to our private CA certificate. This will force ClickHouse to exclusively accept certificates signed by our private CA. Any certificates signed even by well-known, trusted CAs that are included in the system will not be accepted.
If you want to know what each setting in the <openSSL> section means, see the link that is mentioned in ClickHouse sources at https://github.com/ClickHouse/poco/blob/master/NetSSL_OpenSSL/include/Poco/Net/SSLManager.h#L71 or the POCO C++ Library’s SSLManager documentation at https://docs.pocoproject.org/current/Poco.Net.SSLManager.html.
cat << EOF > ./config.d/ssl.xml
<clickhouse>
<!-- disable http and enable https port -->
<http_port remove="true"/>
<https_port>8443</https_port>
<!-- disable tcp and enable secure tcp port -->
<tcp_port remove="true"/>
<tcp_port_secure>9440</tcp_port_secure>
<!-- disable http and enable https inter-server port -->
<interserver_http_port remove="true"/>
<interserver_https_port>9010</interserver_https_port>
<!-- configure OpenSSL -->
<openSSL>
<server>
<certificateFile>/etc/clickhouse-server/certs/server.crt</certificateFile>
<privateKeyFile>/etc/clickhouse-server/certs/server.key</privateKeyFile>
<caConfig>/etc/clickhouse-server/certs/altinity_blog_ca.crt</caConfig>
<loadDefaultCAFile>false</loadDefaultCAFile>
<verificationMode>strict</verificationMode>
<cacheSessions>true</cacheSessions>
<disableProtocols>sslv2,sslv3</disableProtocols>
<preferServerCiphers>true</preferServerCiphers>
<invalidCertificateHandler>
<name>RejectCertificateHandler</name>
</invalidCertificateHandler>
</server>
<client>
<loadDefaultCAFile>false</loadDefaultCAFile>
<caConfig>/etc/clickhouse-server/certs/altinity_blog_ca.crt</caConfig>
<certificateFile>/etc/clickhouse-server/certs/server.crt</certificateFile>
<privateKeyFile>/etc/clickhouse-server/certs/server.key</privateKeyFile>
<cacheSessions>true</cacheSessions>
<disableProtocols>sslv2,sslv3</disableProtocols>
<preferServerCiphers>true</preferServerCiphers>
<verificationMode>strict</verificationMode>
<invalidCertificateHandler>
<name>RejectCertificateHandler</name>
</invalidCertificateHandler>
</client>
</openSSL>
</clickhouse>
EOF
We also need to add a users.xml file to create an admin user in the /etc/clickhouse-server/users.d folder, which will be authenticated using our X.509 client certificate.
mkdir users.d
cat << EOF > ./users.d/users.xml
<clickhouse>
<users>
<admin>
<ssl_certificates>
<common_name>admin</common_name>
</ssl_certificates>
</admin>
</users>
</clickhouse>
EOF
We can restart our ClickHouse container, where we map container ports 8443 and 9440 to the same ports on the host, and mount the ./certs folder into /etc/clickhouse-server/certs inside the container.
docker run -h clickhouse.altinity.blog -d -v$(pwd)/certs:/etc/clickhouse-server/certs -v $(pwd)/config.d:/etc/clickhouse-server/conf.d -v $(pwd)/users.d:/etc/clickhouse-server/users.d -v $(pwd)/logs:/var/log/clickhouse-server -p 9440:9440 -p 8443:8443 altinity/clickhouse-server:22.8.15.25.altinitystable
Check if the ClickHouse container is running.
$ docker ps CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES 5b6ed7bc3f5f altinity/clickhouse-server:22.8.15.25.altinitystable "/entrypoint.sh" 2 minutes ago Up 2 minutes 8123/tcp, 9000/tcp, 0.0.0.0:8443->8443/tcp, :::8443->8443/tcp, 9009/tcp, 0.0.0.0:9440->9440/tcp, :::9440->9440/tcp laughing_benz
If there are any problems, check the logs inside the ./logs folder, which we mounted to /var/log/clickhouse-server, where ClickHouse stores its clickhouse-server.log and clickhouse-server.err.log logs. You will need sudo to read them.
We are almost ready to connect, but first we need to create a custom clickhouse-client.xml file that will configure our clickhouse-client to use our client.crt with private CA altinity_blog_ca.crt and always use secure mode to connect to port 9440 that we’ve mapped from the container to our host.
cat << EOF > ./clickhouse-client.xml
<config>
<secure>1</secure>
<openSSL>
<client>
<loadDefaultCAFile>false</loadDefaultCAFile>
<caConfig>./altinity_blog_ca.crt</caConfig>
<certificateFile>./client.crt</certificateFile>
<privateKeyFile>./client.key</privateKeyFile>
<cacheSessions>true</cacheSessions>
<disableProtocols>sslv2,sslv3</disableProtocols>
<preferServerCiphers>true</preferServerCiphers>
<verification_mode>strict</verification_mode>
<invalidCertificateHandler>
<name>RejectCertificateHandler</name>
</invalidCertificateHandler>
</client>
</openSSL>
</config>
EOF
In the current working directory, we have altinity_blog_ca.crt, client.crt, client.key, and clickhouse-client.xml. Here is what I have.
$ ls -la client.* altinity_blog_ca.* *.xml -rw-rw-r-- 1 user user 1151 Jun 8 13:29 altinity_blog_ca.crt -rw------- 1 user user 1700 Jun 8 13:29 altinity_blog_ca.key -rw-rw-r-- 1 user user 641 Jun 8 14:24 clickhouse-client.xml -rw-rw-r-- 1 user user 1013 Jun 8 13:30 client.crt -rw-rw-r-- 1 user user 903 Jun 8 13:30 client.csr -rw------- 1 user user 1704 Jun 8 13:30 client.key
We are ready to connect to ClickHouse, but unfortunately, ClickHouse version 22.8 does not support X.509 certificate authentication using clickhouse-client. This functionality will be enabled in the upcoming 23.3 release, but we can use curl to connect to the HTTPS port as follows:
$ echo 'SELECT currentUser()' | curl 'https://localhost:8443' --cert ./client.crt --key ./client.key --cacert ./altinity_blog_ca.crt -H "X-ClickHouse-SSL-Certificate-Auth: on" -H "X-ClickHouse-User: admin" --data-binary @- curl: (60) SSL: certificate subject name 'clickhouse.altinity.blog' does not match target host name 'localhost' More details here: https://curl.se/docs/sslcerts.html curl failed to verify the legitimacy of the server and therefore could not establish a secure connection to it. To learn more about this situation and how to fix it, please visit the web page mentioned above.
But wait a minute, connecting using curl to https://localhost:8443 fails! Reading the error message, we can see why.
SSL: certificate subject name 'clickhouse.altinity.blog' does not match target host name 'localhost'
We get this error because server was issued a certificate with common name specified as clickhouse.altinity.blog and curl tries to match CN to the actual hostname we are connecting to and connecting to localhost fails this check. In order to fix this error we need to add the following entry to our system’s /etc/hosts to tell our system that clickhouse.altinity.blog maps to our localhost at 127.0.0.1.
127.0.0.1 clickhouse.altinity.blog
Now let’s try using curl to connect to https://clickhouse.altinity.blog:8443.
$ echo 'SELECT currentUser()' | curl 'https://clickhouse.altinity.blog:8443' --cert ./client.crt --key ./client.key --cacert ./altinity_blog_ca.crt -H "X-ClickHouse-SSL-Certificate-Auth: on" -H "X-ClickHouse-User: admin" --data-binary @- admin
It works! ClickHouse returned admin as the current user for our request, which means X.509 certificate authentication for our admin user worked as expected and curl matched the hostname to the server’s CN.
We can also use clickhouse-client to connect as the default user, which is not authenticated by an X.509 certificate; actually, right now this user is not protected at all and its password is empty! However, because we have SSL enabled with <verification_mode> set to strict and we trust only certificates that are signed by our private CA, nobody can access our server as SSL certificate verification will fail and the connection will be closed before even ClickHouse tries to check the username and password.
$ clickhouse-client
ClickHouse client version 22.8.15.25.altinitystable (altinity build).
Connecting to localhost:9440 as user default.
Connected to ClickHouse server version 22.8.15 revision 54460.
clickhouse.altinity.blog :)
Let’s stop our container and quickly switch to using clickhouse/clickhouse-server:23.3.2.37-alpine community build to see that in 23.3 we can also use clickhouse-client with an X.509 certificate authenticated users.
docker run -h clickhouse.altinity.blog -d -v$(pwd)/certs:/etc/clickhouse-server/certs -v $(pwd)/config.d:/etc/clickhouse-server/conf.d -v $(pwd)/users.d:/etc/clickhouse-server/users.d -v $(pwd)/logs:/var/log/clickhouse-server -p 9440:9440 -p 8443:8443 clickhouse/clickhouse-server:23.3.2.37-alpine
Let’s try using clickhouse-client to login using the admin user but skipping the password.
user@user-node:~/Projects/github/altinity/blog-articles/locking-down-clickhouse-networking$ clickhouse-client -u admin
ClickHouse client version 23.5.1.2890 (official build).
Connecting to localhost:9440 as user admin.
Connected to ClickHouse server version 23.3.2 revision 54462.
ClickHouse server version is older than ClickHouse client. It may indicate that the server is out of date and can be upgraded.
clickhouse.altinity.blog :)
As we can see from the above, in 23.3, the X.509 certificate authentication is indeed supported by the clickhouse-client!
Locking down allowed hosts and networks
Having closed all unnecessary ports and enabled SSL communication for each outside-facing port, we are ready to look into how we can lock down allowed hosts and networks in ClickHouse itself, as locking down networks outside of ClickHouse is out of scope for this article.
Setting listen host
The <listen_host> setting inside the config.xml will determine to which network interface ClickHouse server will bind based on the IP address that is provided. You can specify multiple entries for <listen_host>, which is commonly done. At least we need two entries, one for IPv4 and one for IPv6.
Inside our image, by default, we saw that <listen_host> was set to the following:
<!-- Listen wildcard address to allow accepting connections from other containers and host network. -->
<listen_host>::</listen_host>
<listen_host>0.0.0.0</listen_host>
Again, the :: is a reserved IPv6 address equal to all entries set to zeros, and 0.0.0.0 is a reserved IPv4 address. In both cases, these reserved addresses mean that the ClickHouse server will bind to all the interfaces for IPv6 and IPv4 traffic.
The default settings of :: for IPv6 and 0.0.0.0 for IPv4 make perfect sense for a ClickHouse server that is running inside a container, but these settings make ClickHouse available on all interfaces connected to the machine, and therefore any host on each network interface could reach our server.
In cases where we have multiple network interfaces, for example, one for the public network and one for the private network, we should be careful to set the <listen_host> value correctly. For example, if we want the server to only be reachable on the private network, then we should set <listen_host> to an IP address that will cause the ClickHouse server to bind only to the private network interface. Servers bound to the public network could expose them to unnecessary traffic and the ability of unwanted hosts to connect to them.
Let’s try to update our ClickHouse server configuration from the SSL section and force it to bind only to the localhost interface using 127.0.0.1 as the IP address for the <listen_host> setting.
cat << EOF > ./config.d/listen_hosts.xml
<clickhouse>
<listen_host remove="true"/>
<listen_host>127.0.0.1</listen_host>
</clickhouse>
EOF
Note that this time when we start the server, we do want to override the /etc/clickhouse-server/config.d folder that contains docker_related_config.xml, which sets <listen_host> settings that we want to remove. So our docker run command is as follows:
docker run -h clickhouse.altinity.blog -d -v$(pwd)/certs:/etc/clickhouse-server/certs -v $(pwd)/config.d:/etc/clickhouse-server/config.d -v $(pwd)/users.d:/etc/clickhouse-server/users.d -v $(pwd)/logs:/var/log/clickhouse-server -p 9440:9440 -p 8443:8443 clickhouse/clickhouse-server:23.3.2.37-alpine
If we now try to connect to ClickHouse again using our X.509 certificate for the admin user, it fails as our ClickHouse server is now not available on the Docker network.
$ clickhouse-client -u admin ClickHouse client version 23.5.1.2890 (official build). Connecting to localhost:9440 as user admin. Code: 210. DB::NetException: Connection reset by peer (localhost:9440). (NETWORK_ERROR)
Setting inter-server listen host
A companion to the <listen_host> setting is the <interserver_listen_host> setting. It allows us to decouple network connection restrictions between the client network and the inter-server network when they are not the same.
By default, the value of the <interserver_listen_host> setting is set to the value of the <listen_host>.
If you do have two separate networks, then the value of <interserver_listen_host> can be much more restrictive and bind our inter-server port to 9009 (insecure) or 9010 (secure) only to an IP address valid only on the inter-server network. Again, exposing our inter-server port to the public network might be undesirable, as we would not expect ClickHouse users to connect to the inter-server port.
User Settings
The <listen_host> setting only allows us to limit the network interface to which our server will bind. However, it does not allow us to limit which hosts on that network can access our server. Again, we could use other networking tools to solve the problem of filtering which hosts can access our server on the network layer; however, it is also possible to use the ClickHouse User Settings to specify from which hosts or networks a particular user or a group of users can access our server using the <user_name> setting.
The <user_name><networks> section allows us to specify a list of networks from which the user can connect to the ClickHouse server. You can specify multiple <ip>, <host>, and <host_regexp> entries inside of this section. For example, to only open access for a given user from localhost, we can specify our configuration file for the user as follows:
<user_name>
<networks>
<ip>::1</ip>
<ip>127.0.0.1</ip>
</networks>
</user_name>
The <ip> setting can either contain an IP address or a network mask. The documentation provides the following examples:
<user_name>
<networks>
<ip>213.180.204.3</ip>
<ip>10.0.0.1/8</ip>
<ip>10.0.0.1/255.255.255.0</ip>
<ip>2a02:6b8::3</ip>
<ip>2a02:6b8::3/64</ip>
<ip>2a02:6b8::3/ffff:ffff:ffff:ffff::.</ip>
</networks>
<user_name>
Remember that the entries for IPv4 and IPv6 should be defined separately.
In the same <networks> section, you can also specify one or more <host> entries. For example, blog.altinity.com. When the <host> entry is specified, ClickHouse performs a DNS query, and then all IP addresses that are returned are compared to the connecting client address, and if the client’s IP address matches one of them, then the connection is allowed.
In cases where you need to allow access from hosts that match some common pattern, a <host_regexp> entry that supports regular expressions can be used. For example, ^blog\d\d.altinity\.com$. For each <host_regexp> entry, the lookup is more involved, and for performance reasons, results are cached until the server restarts, as ClickHouse first has to perform a DNS PTR query, then follow it up with a DNS query for each result, and the resulting list of addresses is used to compare against the client’s address. For security reasons, it is best to limit the regular expression that could match the entry and always end it with the $ character to indicate the end.
However, the <networks> settings do not have to be explicitly defined for each user. User Profiles can be used to apply the same settings to all users or just a group of some users. The default_profile setting allows you to specify the default profile name to apply to all ClickHouse users. By default, the default profile name is set to default, as one would intuitively expect. A custom profile can be applied to a specific user using the <user_name> setting.
Again, let’s reuse the configuration from the SSL section and now not touch the default <listen_host> setting but instead modify our admin user configuration to have the <networks><ip> setting set to 127.0.0.1.
cat << EOF > ./users.d/users.xml
<clickhouse>
<users>
<admin>
<networks>
<ip>127.0.0.1</ip>
</networks>
<ssl_certificates>
<common_name>admin</common_name>
</ssl_certificates>
</admin>
</users>
</clickhouse>
EOF
We restart the server as before without overriding the /etc/clickhouse-server/config.d folder.
docker run -h clickhouse.altinity.blog -d -v$(pwd)/certs:/etc/clickhouse-server/certs -v $(pwd)/config.d:/etc/clickhouse-server/conf.d -v $(pwd)/users.d:/etc/clickhouse-server/users.d -v $(pwd)/logs:/var/log/clickhouse-server -p 9440:9440 -p 8443:8443 clickhouse/clickhouse-server:23.3.2.37-alpine
Trying to connect as the admin user, we see an error as expected, but instead of NETWORK_ERROR, as we saw when we changed the <listen_host>, we got an AUTHENTICATION_FAILED error as the connection to the server was successful but the IP restriction specified by the <networks><ip> setting forced the authentication of the admin user to fail.
$ clickhouse-client -u admin ClickHouse client version 23.5.1.2890 (official build). Connecting to localhost:9440 as user admin. Code: 516. DB::Exception: Received from localhost:9440. DB::Exception: admin: Authentication failed: password is incorrect, or there is no user with such name.. (AUTHENTICATION_FAILED)
If we instead try to login as a default user, we see that it works because the default user does not have any <networks> restrictions in our server configuration.
$ clickhouse-client -u default
ClickHouse client version 23.5.1.2890 (official build).
Connecting to localhost:9440 as user default.
Connected to ClickHouse server version 23.3.2 revision 54462.
The ClickHouse server version is older than the ClickHouse client. It may indicate that the server is out of date and can be upgraded.
clickhouse.altinity.blog :)
Conclusion
In this second and final part of the series on locking down ClickHouse networking, we went through enabling SSL encryption on each publicly facing communication port and also took advantage of private CAs as well as X.509 certificate authentication to provide secure access to the server. Also, we have looked at how the network interface to which the server binds can allow us to limit the hosts that can access the server. For the fine-grained control, we saw that we needed to set allowed network settings either inside a particular user configuration or use user profiles to share the same settings between different users. I hope you’ve enjoyed this two-part article series, and keep an eye out for our upcoming blog posts that will continue covering different topics related to ClickHouse server security.