Nomad + Consul Connect and Https Only Backend

Hi everyone,

I’m currently exploring Nomad with Consul Connect. I’ve been working with it for 20 days now, and I absolutely love the ecosystem, even though it can be challenging at times. I’ve been reading tons of documentation and forum posts trying to understand everything.

Anyway, I have a cluster with 3 servers and 4 nodes, and I’ve successfully deployed most of my services using Nomad jobs, along with a service mesh set up with Consul Connect.

However, I’m currently facing an issue I can’t solve. I’m deploying a Docker task that only listens on HTTPS (there are no environment variables or parameters to override this). When I deploy the service, I get the following error:

“Bad Request. This combination of host and port requires TLS.”

From what I understand:

  1. My browser sends a request to the address, which goes directly to Traefik.

  2. Traefik forwards the request to the Envoy proxy.

  3. The Envoy proxy redirects the request to my backend, but without TLS, which causes the app to throw an error.

Is there a way to configure the Envoy proxy to connect to the backend service using TLS but without verifying the certificate?

Thanks in advance for your help!

Here’s my HCL file:

# myapp job definition for Nomad
job "myapp" {
  # General job configuration
  datacenters = ["dc1"]  # Specify the datacenters where this job can run

  group "myapp" {
    count = 1 


    # Network configuration
    network {
      mode = "bridge"  # Use bridge network mode

      port "web" { }
    }

    # Service registration
    service {
      name = "myapp"  # Service name 
      port = "8444"       # Port for the Web service

      tags = [  # Traefik integration via Consul Catalog
        "traefik.enable=true",
        "traefik.http.routers.myapp.rule=Host(`myapp.domain`)",
        "traefik.http.routers.myapp.entrypoints=http",
        "traefik.http.routers.myapp.tls=false"
      ]

      provider = "consul"  # Use Consul for service discovery

      # Consul Connect sidecar configuration
      connect {
        sidecar_service {
        }
      }
    }

    # Task definition for the server
    task "server" {
      driver = "docker"  # Use Docker as the task driver

      # Container configuration
      config {
        image = "my-image-which-only-runs-in-https"  # Latest Server image
        # No port mapping needed: the Connect sidecar reaches the app on
        # 127.0.0.1:8444 inside the allocation's bridge network namespace.
        # (The original referenced a port label "myapp" that is not defined
        # in the network block, which Nomad rejects at validation.)
      }

    }
  }
}

Had the same issue with Consul Connect not supporting https traffic. Seems like CC is http-only, at least I could not find a way around that. Maybe someone from Hashi could chime in on the issue.

In the end I decided as a workaround to use an embedded reverse proxy (NGINX) to strip https from the connection.

You can find the job file for my Unifi Network app here:

The network app is exposing the UI on port 8443/https.
NGINX is running as another task in the same alloc which is exposing http on port 8888/http, reverse-proxying to 8443/https.
Finally, a service is defined which is mapped to 8888/http and is exposed via CC.

Not sure if that’s the best approach, but it works for me 🙂
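The sidecar workaround described in the reply above, written out as an added example. This is not the poster's job file (that link did not survive) and not HashiCorp's or Traefik's code; the image names and the `tls-strip` task name are placeholders. An NGINX task in the same allocation terminates the app's self-signed HTTPS on loopback and exposes plaintext 8888, which is the only port registered with Consul and therefore the only thing the Envoy sidecar forwards to:

```hcl
job "unifi" {
  datacenters = ["dc1"]

  group "unifi" {
    count = 1

    # Both tasks share one bridge network namespace, so they see each
    # other on 127.0.0.1. Nothing here is published on the host.
    network {
      mode = "bridge"
    }

    # Only the plaintext NGINX port is registered; the Connect sidecar
    # proxies mesh traffic to 127.0.0.1:8888 inside the namespace.
    service {
      name     = "unifi"
      port     = "8888"
      provider = "consul"

      connect {
        sidecar_service {}
      }
    }

    # The application: listens on 8443/https only and cannot be changed.
    task "unifi" {
      driver = "docker"
      config {
        image = "my-unifi-image"  # placeholder (assumption): any image serving 8443/https
      }
    }

    # Workaround task: NGINX strips TLS between the sidecar and the app.
    task "tls-strip" {
      driver = "docker"
      config {
        image   = "nginx:1.27-alpine"
        # Bind-mounting a path under the alloc dir does not require
        # docker.volumes.enabled on the client.
        volumes = ["local/nginx.conf:/etc/nginx/nginx.conf:ro"]
      }

      template {
        destination = "local/nginx.conf"
        data        = <<EOF
events {}
http {
  server {
    # Loopback only: the sidecar is the single entry point into this alloc.
    listen 127.0.0.1:8888;

    location / {
      proxy_pass https://127.0.0.1:8443;

      # Upstream is the app's self-signed cert on loopback inside the
      # allocation, so skipping verification does not expose a network hop.
      proxy_ssl_verify      off;
      proxy_ssl_server_name on;

      proxy_set_header Host              $host;
      proxy_set_header X-Forwarded-Proto https;

      # The UI uses WebSockets; HTTP/1.1 and Upgrade headers are required.
      proxy_http_version 1.1;
      proxy_set_header Upgrade    $http_upgrade;
      proxy_set_header Connection "upgrade";
    }
  }
}
EOF
      }
    }
  }
}
```

Two things worth checking before relying on this. First, `listen 127.0.0.1:8888` (rather than `0.0.0.0`) matters: the plaintext hop then exists only inside the allocation's network namespace, and the mesh hop from Traefik to the sidecar is still Connect mTLS. Second, `proxy_ssl_verify off` is acceptable only because the upstream is loopback in that same namespace; copying this block to proxy a remote HTTPS backend would remove the certificate check on a real network path.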