0
votes

My Gateway file is as follows:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway-secure
  namespace: myapp
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
      #caCertificates: /etc/istio/ingressgateway-ca-certs/kbundle.crt
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-gateway-service-secure
  namespace: myapp
spec:
  hosts:
  - "sub.domaincom"
  gateways:
  - my-gateway-secure
  http:
  - route:
    - destination:
        host: my-mono
        port:
          number: 443
          protocol: TCP

And my Service file is:

apiVersion: v1
kind: Service
metadata:
  name: my-mono
  namespace: myapp
  labels:
    tier: backend
spec:
  selector:
    app: my-mono
    tier: backend
  ports:
    - port: 443
      name: https
      protocol: TCP

The Deployment file is as follows:

apiVersion: apps/v1
kind: Deployment
metadata:
  name: my-mono
  namespace: myapp
spec:
  replicas: 1
  selector:
    matchLabels:
      app: my-mono
  template:
    metadata:
      labels:
        app: my-mono
    spec:
      containers:
      - name: my-mono
        image: myapacheimage
        imagePullPolicy: Never
        ports:
        - containerPort: 443

When I access my service using the gateway, it says:

Bad Request
Your browser sent a request that this server could not understand.
Reason: You're speaking plain HTTP to an SSL-enabled server port.
Instead use the HTTPS scheme to access this URL, please.
Apache/2.4.38 (Debian) Server at 10.0.159.77 Port 443

I can confirm that Apache is only listening on 443 and is properly configured.

1
Using https in the URL? - Arghya Sadhu
Yes, I am accessing with https. - Shahid Mushtaq
Should protocol: TCP be HTTPS? - user1751825
10.0.159.77 is the IP of what? - Arghya Sadhu
In the Service declaration it is not allowed, and in the service declaration for the gateway it doesn't display any different result. - Shahid Mushtaq

1 Answers

0
votes

Your configuration uses TLS termination on the Istio gateway, so the HTTPS traffic entering the Istio ingress is decrypted to plain HTTP traffic before reaching your service endpoint.

To fix this, you need to configure HTTPS ingress access to an HTTPS service, i.e., configure an ingress gateway to perform SNI passthrough instead of TLS termination on incoming requests.

You can find an example of an Ingress Gateway without TLS Termination in the Istio documentation guide here.

Your Gateway and VirtualService should look something like this:

apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: my-gateway-secure
  namespace: myapp
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: PASSTHROUGH
    hosts:
    - "*"
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: my-gateway-service-secure
  namespace: myapp
spec:
  hosts:
  - "sub.domaincom"
  gateways:
  - my-gateway-secure
  tls:
  - match:
    - port: 443
      sniHosts:
      - "sub.domaincom"
    route:
    - destination:
        host: my-mono
        port:
          number: 443

Hope it helps.