Boundary worker proxy

Hi,

I’m trying to launch a little lab on my side and I’m blocked at some point when trying to connect to a target.
So my setup is everything in kubernetes (KMS via Vault and postgres in a dedicated pod).
I have boundary allinone to ease the deployment.
Everything seems totally ok until I’m trying to connect.
I’ve disabled TLS on all my listeners since it’s my ingress controller that is ending the TLS (even if it would be better to let it passthrough, but it’s the first try on my side).

The error I got is this one:
error fetching connection to send session teardown request to worker: Error dialing the worker: failed to WebSocket dial: failed to send handshake request: Get "https://my.example.com:9202/v1/proxy": x509: certificate is valid for someTLD, not s_WQbSjWEQL3.

If you have any hint on this one, I really don’t get it since curl https://my.example.com:9202 gives me no error.

Thanks.

Did you ever find a solution to this?

I suspect it’s to do with the way the client-to-worker TLS works (outlined here: Connections/TLS | Boundary by HashiCorp).

But I’m not sure if pass-through TLS will work either.

It seems like the OP is putting some kind of TLS-terminating proxy in front of Boundary. We don’t currently support that; Boundary uses a unique TLS stack for every single session. If you must proxy a connection between your client and worker, you need to ensure it’s TCP proxying, not at the application layer.

We may enhance this in the future to allow this kind of behavior, but I can’t promise it will happen or the timeline as there are security considerations that we need to think about.
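To make the distinction between application-layer and TCP proxying concrete, here is an added example (not from this thread and not HashiCorp's own configuration) of the two ways the worker port could be exposed on Kubernetes, assuming the ingress-nginx controller, a namespace `boundary` and a Service `boundary-worker` listening on 9202. The first manifest reproduces the failing setup the OP describes; the second exposes the port as a raw TCP stream so the client's per-session TLS reaches the worker untouched.

```yaml
# --- Broken: an Ingress terminates TLS at the controller (the setup in the thread).
# The controller answers with its own certificate (valid for my.example.com).
# The Boundary client dials with the session ID as the TLS server name and
# expects the worker's session certificate, hence the error
# "x509: certificate is valid for ..., not s_...".
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: boundary-worker            # assumed name
  namespace: boundary              # assumed namespace
spec:
  ingressClassName: nginx
  tls:
    - hosts: [my.example.com]
      secretName: my-example-com-tls   # assumed secret holding the public cert
  rules:
    - host: my.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: boundary-worker    # assumed Service name
                port:
                  number: 9202
---
# --- Working: expose 9202 as plain TCP through ingress-nginx's tcp-services
# ConfigMap (the controller must run with --tcp-services-configmap pointing at
# this object and its own Service must publish port 9202). Nothing here
# inspects or re-terminates TLS, so the end-to-end session TLS is preserved.
apiVersion: v1
kind: ConfigMap
metadata:
  name: tcp-services               # must match the controller's --tcp-services-configmap
  namespace: ingress-nginx         # assumed controller namespace
data:
  "9202": "boundary/boundary-worker:9202"   # "<namespace>/<service>:<port>"
```

The ingress-nginx ssl-passthrough annotation is not a substitute here: it routes on the SNI hostname, and the Boundary client's server name is the session ID (the s_... value in the error), not my.example.com, so a host rule would never match. A plain TCP path such as the ConfigMap above, a NodePort or a LoadBalancer Service avoids that dependency.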
