NATS Server Configuration Standards

Intermediate

Configure NATS servers with proper security defaults — TLS required, authentication enabled, authorization with accounts, and JetStream storage limits for production deployments.

File Patterns

**/nats*.conf**/nats-server.conf**/jetstream.conf

This rule applies to files matching the patterns above.

Rule Content

rule-content.md

# NATS Server Configuration Standards

## Rule
Production NATS servers MUST enable TLS, require authentication, use account-based authorization, and configure JetStream with explicit storage limits. Never run NATS without auth in production.

## Format
```
# nats-server.conf
port: 4222
server_name: nats-prod-1

tls {
  cert_file: "/etc/nats/server-cert.pem"
  key_file: "/etc/nats/server-key.pem"
  ca_file: "/etc/nats/ca.pem"
  verify: true
}
```

## Good Examples
```
# Production nats-server.conf
server_name: nats-prod-1
port: 4222
http_port: 8222

# TLS required
tls {
  cert_file: "/etc/nats/tls/server.crt"
  key_file: "/etc/nats/tls/server.key"
  ca_file: "/etc/nats/tls/ca.crt"
  verify_and_map: true
}

# JetStream with storage limits
jetstream {
  store_dir: "/data/nats/jetstream"
  max_mem: 1G
  max_file: 10G
}

# Account-based authorization
accounts {
  APP {
    users: [
      {user: "api-service", password: "$2a$11$..."}
      {user: "worker", password: "$2a$11$..."}
    ]
    jetstream: enabled
  }
  MONITORING {
    users: [
      {user: "prometheus", password: "$2a$11$..."}
    ]
  }
  SYS {
    users: [
      {user: "admin", password: "$2a$11$..."}
    ]
  }
}
system_account: SYS

# Limits
max_payload: 1MB
max_connections: 10000
```

## Bad Examples
```
# BAD: No authentication
port: 4222
# Anyone can connect and publish to any subject!

# BAD: No TLS
port: 4222
authorization {
  token: "mysecrettoken"  # Sent in plaintext without TLS!
}

# BAD: Unlimited JetStream storage
jetstream {}  # No limits — will fill disk
```

## Enforcement
- Reject configs without TLS in production environments
- Audit account permissions quarterly
- Monitor JetStream storage usage with alerts at 80% capacity
- Use nats-server --config-check to validate config before deploy

FAQ

Discussion

Loading comments...

# NATS Server Configuration Standards ## Rule Production NATS servers MUST enable TLS, require authentication, use account-based authorization, and configure JetStream with explicit storage limits. Never run NATS without auth in production. ## Format ``` # nats-server.conf port: 4222 server_name: nats-prod-1 tls { cert_file: "/etc/nats/server-cert.pem" key_file: "/etc/nats/server-key.pem" ca_file: "/etc/nats/ca.pem" verify: true } ``` ## Good Examples ``` # Production nats-server.conf server_name: nats-prod-1 port: 4222 http_port: 8222 # TLS required tls { cert_file: "/etc/nats/tls/server.crt" key_file: "/etc/nats/tls/server.key" ca_file: "/etc/nats/tls/ca.crt" verify_and_map: true } # JetStream with storage limits jetstream { store_dir: "/data/nats/jetstream" max_mem: 1G max_file: 10G } # Account-based authorization accounts { APP { users: [ {user: "api-service", password: "$2a$11$..."} {user: "worker", password: "$2a$11$..."} ] jetstream: enabled } MONITORING { users: [ {user: "prometheus", password: "$2a$11$..."} ] } SYS { users: [ {user: "admin", password: "$2a$11$..."} ] } } system_account: SYS # Limits max_payload: 1MB max_connections: 10000 ``` ## Bad Examples ``` # BAD: No authentication port: 4222 # Anyone can connect and publish to any subject! # BAD: No TLS port: 4222 authorization { token: "mysecrettoken" # Sent in plaintext without TLS! } # BAD: Unlimited JetStream storage jetstream {} # No limits — will fill disk ``` ## Enforcement - Reject configs without TLS in production environments - Audit account permissions quarterly - Monitor JetStream storage usage with alerts at 80% capacity - Use nats-server --config-check to validate config before deploy