Can we passthrough the traffic?
We have got TLS enabled on Ingress Gateway.
We have got a secure application deployed behind the gateway.
If we make an attempt like this
curl -v -HHost:nginx.example.com https://192.168.76.2:30773 -k
We receive an error like this
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.21.3</center>
</body>
</html>
It seems IGW is SSL terminating the connection and sending it plain.
We thought if there could be a PASSTHROUGH (like Istio / Ingress Gateway without TLS Termination) our application could handle the request.
Any help would be appreciated. Thank you.
[minikube@ip-172-31-58-253 nginx_istio_27082021_1236]$ curl -v -HHost:nginx.example.com https://192.168.76.2:30773 -k
* Rebuilt URL to: https://192.168.76.2:30773/
* Trying 192.168.76.2...
* TCP_NODELAY set
* Connected to 192.168.76.2 (192.168.76.2) port 30773 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
* CAfile: /etc/pki/tls/certs/ca-bundle.crt
CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* TLSv1.2 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Request CERT (13):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-ECDSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: CN=ingressgatewaydc1.svc.default.e75d413f.consul
* start date: Sep 13 07:43:00 2021 GMT
* expire date: Sep 16 07:43:00 2021 GMT
* issuer: CN=pri-7hbt3hz.consul.ca.e75d413f.consul
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> GET / HTTP/1.1
> Host:nginx.example.com
> User-Agent: curl/7.61.1
> Accept: */*
>
< HTTP/1.1 400 Bad Request
< server: envoy
< date: Mon, 13 Sep 2021 08:04:22 GMT
< content-type: text/html
< content-length: 255
< x-envoy-upstream-service-time: 9
<
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.21.3</center>
</body>
</html>
* Connection #0 to host 192.168.76.2 left intact
[minikube@ip-172-31-58-253 nginx_istio_27082021_1236]$