HTTPProxy TLS

[priyakr-git]

With a httpproxy similar to the example basic-httpproxy.yaml, the following curl command completes successfully
% curl -i http://localhost/
HTTP/1.1 200 OK
date: Wed, 18 May 2022 22:17:31 GMT
content-length: 414
content-type: text/plain; charset=utf-8
x-envoy-upstream-service-time: 0
vary: Accept-Encoding
server: envoy
...

When TLS is enabled for a virtual host, I see the request redirected to the secure interface with a 301 redirect, but I am not sure how to get the curl command to succeed for that virtual host. I am using a similar HTTPProxy example as in
httpproxy-tls.yaml
% curl -i --header "Host: <fqdn-name, e.g. foo2.bar.com>" http://localhost/

What is the expected output of curl command above?

% curl -i --header "Host: https-example.foo.com" http://localhost/
HTTP/1.1 301 Moved Permanently
location: https://https-example.foo.com/
vary: Accept-Encoding
date: Wed, 18 May 2022 22:25:23 GMT
server: envoy
content-length: 0

% curl -i --header "Host: https-example.foo.com" http://localhost:443/
curl: (52) Empty reply from server

% curl -i --header "Host: https-example.foo.com" https://localhost/
curl: (35) LibreSSL SSL_connect: SSL_ERROR_SYSCALL in connection to localhost:443

The httpproxy is valid
% k describe httpproxy basic-tls
Name: basic-tls
Namespace: default
Labels:
Annotations:
API Version: projectcontour.io/v1
Kind: HTTPProxy
Metadata:
Creation Timestamp: 2022-05-18T22:23:36Z
Generation: 1
Managed Fields:
API Version: projectcontour.io/v1
Fields Type: FieldsV1
fieldsV1:
f:status:
f:conditions:
.:
k:{"type":"Valid"}:
.:
f:lastTransitionTime:
f:message:
f:observedGeneration:
f:reason:
f:status:
f:type:
f:currentStatus:
f:description:
f:loadBalancer:
Manager: contour
Operation: Update
Subresource: status
Time: 2022-05-18T22:23:36Z
API Version: projectcontour.io/v1
Fields Type: FieldsV1
fieldsV1:
f:metadata:
f:annotations:
.:
f:kubectl.kubernetes.io/last-applied-configuration:
f:spec:
.:
f:ingressClassName:
f:routes:
f:virtualhost:
.:
f:fqdn:
f:tls:
.:
f:secretName:
Manager: kubectl-client-side-apply
Operation: Update
Time: 2022-05-18T22:23:36Z
Resource Version: 57926
UID: 170a2ac8-ecb7-4d0d-bfc9-fa5544e333ad
Spec:
Ingress Class Name: contour
Routes:
Conditions:
Prefix: /
Services:
Name: service-sloka
Port: 80
Virtualhost:
Fqdn: https-example.foo.com
Tls:
Secret Name: secret-tls
Status:
Conditions:
Last Transition Time: 2022-05-18T22:23:36Z
Message: Valid HTTPProxy
Observed Generation: 1
Reason: Valid
Status: True
Type: Valid
Current Status: valid
Description: Valid HTTPProxy
Load Balancer:
Events:
%

[tsaarni]

When connecting with curl https://localhost/ curl will set TLS SNI to hostname to localhost while Envoy is expecting https-example.foo.com. You can try curl --resolve https-example.foo.com:443:127.0.0.1 https:///https-example.foo.com to make curl use the correct hostname. I think this would remove also the need to explicitly set the Host header.

You probably know this but just for completeness: You also need to provide trusted CA certificatecurl --cacert trusted-ca.pem and the server certificate should be issued for the FQDN by having either CN=https-example.foo.com or Subject Alternative Name / SAN set as DNS:https-example.foo.com. Otherwise curl --insecure could be used as a temporary workaround.

[priyakr-git]

Thank you very much!! The --resolve was required. I was able to get the mTLS with curl

% curl --resolve https-example.foo.com:443:127.0.0.1 -i --cacert ca-chain.pem --key client.key --cert client.pem https:///https-example.foo.com

HTTP/2 200
date: Thu, 19 May 2022 16:53:16 GMT
content-length: 427
content-type: text/plain; charset=utf-8
x-envoy-upstream-service-time: 1
vary: Accept-Encoding
server: envoy