Kubernetes: You're speaking plain HTTP to an SSL-enabled server port

3/12/2020

My Gateway file is as follows:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway-secure
  namespace: myapp
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      #caCertificates: /etc/istio/ingressgateway-ca-certs/kbundle.crt
    hosts:
    - "*"

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-gateway-service-secure
  namespace: myapp
spec:
  hosts:
  - "sub.domaincom"
  gateways:
  - my-gateway-secure
  http:
  - route:
    - destination:
        host: my-mono
        port:
          number: 443
        protocol: TCP

and my Service file is:

apiVersion: v1
kind: Service
metadata:
  name: my-mono
  namespace: myapp
  labels:
    tier: backend
spec:
  selector:
    app: my-mono
    tier: backend
  ports:
  - port: 443
    name: https
    protocol: TCP

My Deployment file is as follows:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-mono
  namespace: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-mono
  template:
    metadata:
      labels:
        app: my-mono
    spec:
      containers:
      - name: my-mono
        image: myapacheimage
        imagePullPolicy: Never
        ports:
        - containerPort: 443

When I access my service through the gateway, it says:

Bad Request Your browser sent a request that this server could not understand. Reason: You're speaking plain HTTP to an SSL-enabled server port. Instead use the HTTPS scheme to access this URL, please. Apache/2.4.38 (Debian) Server at 10.0.159.77 Port 443

I can confirm that Apache is only listening on 443 and is properly configured.

-- Shahid Mushtaq
istio
kubernetes
networking

1 Answer

3/12/2020

Your configuration uses TLS termination on the Istio gateway, so the HTTPS traffic entering the Istio ingress is decrypted to plain HTTP before reaching your service endpoint.

To fix this, you need to configure HTTPS ingress access to an HTTPS service, i.e., configure the ingress gateway to perform SNI passthrough instead of TLS termination on incoming requests.

You can find an example of an ingress gateway without TLS termination in the Istio documentation guide here.

Your Gateway and VirtualService should look something like this:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway-secure
  namespace: myapp
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - "*"

apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-gateway-service-secure
  namespace: myapp
spec:
  hosts:
  - "sub.domaincom"
  gateways:
  - my-gateway-secure
  tls:
  - match:
    - port: 443
      sni_hosts:
      - "sub.domaincom"
    route:
    - destination:
        host: my-mono
        port:
          number: 443

Hope it helps.

-- Piotr Malec
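As an added illustration (not code from the question or the answer), the check below captures the rule the answer applies: a Gateway in SIMPLE mode hands the backend plain HTTP, so an http route into a port that itself expects TLS produces exactly the Apache error above, while a PASSTHROUGH gateway only works with tls routes matched on sni_hosts. The manifests are constructed dicts mirroring the post, as yaml.safe_load would return them, so it runs without dependencies.

```python
# Added example, not code from the question or answer: a dependency-free check of
# Gateway/VirtualService/Service manifests (as the dicts yaml.safe_load would return)
# for the mismatch behind Apache's "plain HTTP to an SSL-enabled server port" error.

def gateway_terminates_tls(gateway):
    """True if any HTTPS server decrypts at the gateway (any mode except PASSTHROUGH)."""
    return any(s["port"].get("protocol", "").upper() == "HTTPS"
               and s.get("tls", {}).get("mode", "").upper() != "PASSTHROUGH"
               for s in gateway["spec"].get("servers", []))

def tls_ports(service):
    """Backend ports that expect TLS themselves: named 'https' or numbered 443."""
    return {p["port"] for p in service["spec"]["ports"]
            if p.get("name", "").lower() == "https" or p["port"] == 443}

def find_mismatch(gateway, vs, service):
    """Return a problem description, or None when gateway and routes are consistent."""
    name, ports = service["metadata"]["name"], tls_ports(service)
    if gateway_terminates_tls(gateway):
        # Terminated TLS is re-sent as plain HTTP: an http route into a TLS port breaks.
        for rule in vs["spec"].get("http", []):
            for r in rule.get("route", []):
                d = r["destination"]
                if d["host"] == name and d["port"]["number"] in ports:
                    return (f"gateway terminates TLS but forwards plain HTTP to {name}:"
                            f"{d['port']['number']}, which expects TLS; use tls.mode "
                            "PASSTHROUGH and a tls route matched on sni_hosts")
    else:
        # PASSTHROUGH never sees HTTP, so only tls routes with SNI matches can apply.
        for rule in vs["spec"].get("tls", []):
            if any(not m.get("sni_hosts") for m in rule.get("match", [])):
                return "PASSTHROUGH gateway: every tls match needs sni_hosts"
        if vs["spec"].get("http") and not vs["spec"].get("tls"):
            return "PASSTHROUGH gateway cannot apply http routes; use tls routes"
    return None

# Constructed manifests mirroring the post: the broken pair and the corrected pair.
SERVICE = {"metadata": {"name": "my-mono"},
           "spec": {"ports": [{"port": 443, "name": "https", "protocol": "TCP"}]}}
GATEWAY_SIMPLE = {"spec": {"servers": [{"port": {"number": 443, "protocol": "HTTPS"},
                                         "tls": {"mode": "SIMPLE"}}]}}
GATEWAY_PASS = {"spec": {"servers": [{"port": {"number": 443, "protocol": "HTTPS"},
                                       "tls": {"mode": "PASSTHROUGH"}}]}}
VS_HTTP = {"spec": {"http": [{"route": [{"destination": {"host": "my-mono",
                                                           "port": {"number": 443}}}]}]}}
VS_TLS = {"spec": {"tls": [{"match": [{"port": 443, "sni_hosts": ["sub.domaincom"]}],
                            "route": [{"destination": {"host": "my-mono",
                                                       "port": {"number": 443}}}]}]}}
```

find_mismatch(GATEWAY_SIMPLE, VS_HTTP, SERVICE) reports the questioner's setup, while the PASSTHROUGH pair from the answer returns None.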
Source: StackOverflow