We have a GCP GKE setup with traefik as our ingress.
The problem is that when we hit (http GET) the IP of our LB, traefik responds with the TRAEFIK DEFAULT CERT (Self signed root certificate).
Can we configure traefik so that it doesn't respond at all, or at least it responds without an invalid certificate?
Strict SNI checking solves this partially by dropping the connection in the case of invalid certificate: https://docs.traefik.io/configuration/entrypoints/#strict-sni-checking
I was looking for a guide that configures traefik so that it responds as you need. Following these examples, you should be able to configure it without using a cert, especially for port 80.
Some configuration examples for Traefik: https://docs.traefik.io/user-guide/examples/
I've done this a dozen times before but this time, I cannot seem to connect to my web server using HTTPS. I created an AWS EKS cluster using eksctl. I deployed my deployments and services using kubectl. I have service URLs which are resolving on port 80.
I take the service URLs, put them in CNAME records, and Cloudflare resolves via http but not https. I get 521 errors; when I accept connections on port 443 in my Kubernetes services, I get SSL handshake errors.
The thing that confuses me is I thought Cloudflare provided an SSL layer but using my service URLs on port 80. It seems though that it's redirecting requests from cloudflare:443 to my-eks-cluster:443.
How do I debug this further to get some insight into what is going on?
Since your cluster works and accepts traffic, the most probable reason is that an Encryption mode is enabled in your Cloudflare config.
And, according to your post, you are going to disable https altogether on the origin side:
The thing that confuses me is I thought Cloudflare provided an SSL layer but using my service URLs on port 80. It seems though that it's redirecting requests from cloudflare:443 to my-eks-cluster:443.
So, you may want to check the SSL settings to be sure that the current Encryption mode is Off.
As per Cloudflare documentation:
Encryption modes · Cloudflare SSL docs
Mode Off
Setting your encryption mode to Off (not recommended) redirects any HTTPS request to plaintext HTTP.
I was using an EC2 instance on AWS and deployed my app on root through HTTP.
Now I migrated to HTTPS but the app does not load correctly. But I can't see any errors in Chrome developer tools. The only thing I noticed that is different is that there are a lot of connections (350) made to the root, which is where I deployed the app. I suspect it is because of the change to HTTPS. To make my app HTTPS I am using an AWS load balancer and AWS Certificate Manager. Sorry for my English.
When you add SSL certificates to the Application Load Balancer, the encryption and decryption of the request is taken care of by the ALB. Read more about this here. This means that your app can operate normally and should not be concerned with the request policy.
You can create a target group and point both HTTP (port 80) and HTTPS (port 443) traffic to the same target group.
Coming to your question: it seems like you are having difficulty connecting to the ALB on port 443 (HTTPS). If your application is working as expected on port 80 (HTTP), follow this checklist to zero in on your problem:
Make sure that the security group of the ALB allows port 443 to your users or to the world
Check if the ALB has a listener configured on port 443. Read more about this in the docs here
Check if this listener points to the application target group.
As a last step, if you are using a domain name, make sure that it is pointing to the ALB and not the origin servers (EC2 in this case)
If you would like to get a better understanding of how the request flows from the user's instance to your application server, I've answered a similar question here.
I am using kops to deploy my kubernetes cluster. In my cluster, I have a simple Nginx deployment, a service, and an ingress. It's configured with Route 53 (not using external DNS, manually creating an A record in Route 53 pointing to a classic load balancer (generated by kops)).
I can hit the domain www.XXXX.com as well as a subdomain on it, but there is no SSL certificate on it.
I know we can apply SSL on the load balancer. So, I went into ACM, created a certificate, and when I try to apply it, I see 80 and 443 are serving TCP traffic; that's why I cannot add these two ports serving HTTP and HTTPS with the certificate (as shown in the image).
If I delete the two TCP listeners and add HTTP and HTTPS listeners I can, but then my app is not reachable on the domain.
How can I configure ACM on this load balancer? Is this even a correct way of adding https for an app deployed on Kubernetes?
I know about https://kubernetes.github.io/ingress-nginx/user-guide/tls/, but if there is a way to do it using above approach I would prefer that.
UPDATE 1:
When I describe my nginx pod I see Ports as follows:
Ports: 80/TCP, 443/TCP
shouldn't that be
Ports: 80/HTTP, 443/HTTPS
?
Turns out I deployed the ingress controller incorrectly.
The documentation clearly says to download and update the values in the file before applying; I missed the updating part.
You have to update the CIDR proxy-real-ip-cidr and service.beta.kubernetes.io/aws-load-balancer-ssl-cert.
Literally, that's all you need.
Make sure you are creating a certificate before applying this YAML file.
And while creating the cert, add
DOMAIN.com
*.DOMAIN.com
both to make it work.
I have an AWS LoadBalancer which was created using Kube, Kops and AWS.
The protocol type for the ELB is tcp. This works fine for http requests, meaning I can access my site with http://testing.example.com. Now I tried to add SSL for this ELB using ACM (Certificate Manager). I added my domain details example.com and *.example.com by requesting a public certificate. It was created successfully and domain validation also succeeded.
Then I tried to add this ssl to my ELB like below.
I went to my ELBs and selected the ELB.
Then I went to the Listeners tab and added SSL to it like below.
And the ELB description is like below.
I cannot access https://testing.example.com; it hangs for a few minutes and nothing happens. What is going on here? I hope you can help with this.
In the Listener configuration, you are forwarding the default HTTP port 80 to port 30987 on the back-end server. So this tells me that the back-end server is listening for HTTP requests on port 30987.
You then added an SSL listener on the default port 443 but you are forwarding that to port 443 on the back-end server. Do you have something on your back-end listening on port 443 in addition to 30987?
The most likely fix for this is to change the SSL listener on the load balancer to forward to port 30987 on the back-end by setting that as the "Instance Port" setting.
If your backend application (that sits behind the ELB) only listens on HTTP port 30987 then you need some layer of TLS termination before your app server.
More food for thought on this approach:
https://security.stackexchange.com/questions/30403/should-ssl-be-terminated-at-a-load-balancer
Or you need to tweak your backend app server to also listen on an HTTPS / TLS context, in a different port (which you must map in your ELB configuration).
BTW, I would also suggest switching to an ALB or an NLB.
More info: https://medium.com/cognitoiq/how-cognitoiq-are-using-application-load-balancers-to-cut-elastic-load-balancing-cost-by-90-78d4e980624b
Once you finish the setup of whatever suggestion you picked, run curl -k -I https://testing.example.com/ to check whether or not you are getting blocked by the ELB.
I am working on Docker Swarm and AWS. I don't have much knowledge of it.
Please correct me if my question is wrong, and kindly help me solve my problem.
I have my Docker Swarm cluster running in AWS under a load balancer.
I created a certificate from Amazon Certificate Manager for https on my load balancer.
In the load balancer tab under Listeners, if I set HTTPS for the load balancer protocol and HTTP for the instance protocol, like below, then when I type https://website-url in the browser it automatically redirects to http.
LoadBalancerProtocol  LoadBalancerPort  InstanceProtocol  InstancePort  Cipher  SSL Certificate
HTTPS                 443               HTTP              80            Change  6e7528d6-8261-4d61-b1d3-3c2548e1b575 (ACM) Change
But I want the website to run as https, not http.
So I changed it like below. That is, making the instance port and its protocol 443 and HTTPS.
LoadBalancerProtocol  LoadBalancerPort  InstanceProtocol  InstancePort  Cipher  SSL Certificate
HTTPS                 443               HTTPS             443           Change  6e7528d6-8261-4d61-b1d3-3c2548e1b575 (ACM) Change
But after this, https://website-url keeps loading continuously without any response in the browser.
After doing some searching, I came to know that the ACM certificate only works for the load balancer, not for the backend instance.
That is, at the instance level I need to enable https for Apache.
The Docker Swarm cluster has 1 manager and 3 worker nodes. All the host instances run Alpine OS. The containers inside the nodes are CentOS 7.
The containers are running as a service in the cluster.
Please guide me on this:
Do I need to configure a self-signed certificate for Apache inside the container or on the host instance?
I want my website to run as https, not http.
Kindly show me what steps are required.
Thanks
The load balancer port is what people talk to your load balancer on, so load balancer port 80 and 443 is correct.
The instance port is what port the load balancer talks to your webserver on. In this case for you both should be 80, unless your webserver is listening on 443 with a valid SSL cert (Not the case as you are using an AWS cert.)
Then in your code or your webserver what you need to do is check the X-Forwarded-Proto header (http://docs.aws.amazon.com/elasticloadbalancing/latest/classic/x-forwarded-headers.html) and, if it's not https, redirect to https.
https://www.allcloud.io/how-to/how-to-force-https-behind-aws-elb/ has a couple examples.
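The X-Forwarded-Proto check described in the answer above, written out as a small WSGI middleware. This is an added example, not code from the answer or from the linked pages. It assumes the load balancer terminates TLS and talks plain HTTP to the instance on port 80 (the first listener layout in the question), and it assumes the load balancer's source addresses fall inside 10.0.0.0/8 (a placeholder; substitute your own VPC CIDR). The header is only honoured when the TCP peer is inside that range, because any client that reaches the instance directly can send an arbitrary X-Forwarded-Proto value.

```python
"""Force https behind an AWS ELB/ALB that terminates TLS (added example).

The load balancer receives https from the browser, forwards plain http to the
instance, and records what the client used in X-Forwarded-Proto. The app
redirects http -> https based on that header, trusting it only when the
request actually came from the load balancer's network.
"""
import ipaddress
from typing import Optional
from urllib.parse import quote

# Assumption: the load balancer sits in this network. Replace with your VPC CIDR.
TRUSTED_PROXY_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def _from_trusted_proxy(remote_addr: str) -> bool:
    """True when the TCP peer address is one we allow to set forwarded headers."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in TRUSTED_PROXY_NETS)


def effective_scheme(environ: dict) -> str:
    """Scheme as seen by the *browser*, not by the instance.

    Falls back to the instance-side scheme when the header is absent or comes
    from an untrusted peer, so a spoofed header cannot suppress the redirect.
    """
    forwarded = environ.get("HTTP_X_FORWARDED_PROTO", "")
    if forwarded and _from_trusted_proxy(environ.get("REMOTE_ADDR", "")):
        # ELB sets a single value; some proxies append a comma-separated chain,
        # in which case the first entry is the original client's scheme.
        return forwarded.split(",")[0].strip().lower()
    return environ.get("wsgi.url_scheme", "http")


def https_redirect_target(environ: dict) -> Optional[str]:
    """Return the https URL to redirect to, or None if the client used https."""
    if effective_scheme(environ) == "https":
        return None
    host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
    path = quote(environ.get("PATH_INFO", "/"))
    query = environ.get("QUERY_STRING", "")
    return f"https://{host}{path}" + (f"?{query}" if query else "")


class ForceHTTPS:
    """WSGI middleware: answer 301 to the https URL unless already on https."""

    def __init__(self, app):
        self.app = app

    def __call__(self, environ, start_response):
        target = https_redirect_target(environ)
        if target is None:
            return self.app(environ, start_response)
        start_response("301 Moved Permanently",
                       [("Location", target), ("Content-Length", "0")])
        return [b""]


if __name__ == "__main__":
    # Constructed WSGI environments standing in for requests relayed by the ELB.
    via_lb_http = {"REMOTE_ADDR": "10.0.1.5", "HTTP_X_FORWARDED_PROTO": "http",
                   "HTTP_HOST": "testing.example.com", "PATH_INFO": "/login",
                   "QUERY_STRING": "next=%2F", "wsgi.url_scheme": "http"}
    via_lb_https = dict(via_lb_http, HTTP_X_FORWARDED_PROTO="https")
    direct_spoofed = dict(via_lb_https, REMOTE_ADDR="203.0.113.7")
    for name, env in [("http via LB", via_lb_http), ("https via LB", via_lb_https),
                      ("spoofed header, direct", direct_spoofed)]:
        print(f"{name:24s} -> {https_redirect_target(env)}")
```

The redirect reuses the client-supplied Host header; if the site has one canonical hostname, hard-code it in the Location instead so a crafted Host header cannot steer the redirect elsewhere. Frameworks such as Flask, Django and Rails ship equivalents of this middleware (often called a proxy-fix or "secure proxy SSL header" setting), and the trusted-peer restriction applies to those just the same.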