This is my HAProxy config:
frontend es_front
    bind 127.0.0.1:9200
    mode tcp
    option tcplog
    default_backend es_backend

backend es_backend
    mode tcp
    option tcplog
    balance roundrobin
    server es-1 vpc-es-.eu-central-1.es.amazonaws.com:443 check ssl verify none
Here is my error:
curl -XGET 'https://127.0.0.1:9200/_cluster/health?'
curl: (35) gnutls_handshake() failed: An unexpected TLS packet was received.
So how do I deal with ES on AWS with HAProxy?
Thanks
ssl verify none tells HAProxy to terminate the TLS session toward the back-end. If this is used, but the front end does not also have ssl on the bind line, then you are telling HAProxy to return cleartext, not TLS, back to the browser.
Remove ssl verify none ... or access the proxy with HTTP, not HTTPS, in your curl URL.
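An added configuration example (written for this page, not the asker's or answerer's own config) showing the shape the answer points at: TLS terminated on the frontend with its own certificate, so that `curl https://127.0.0.1:9200` gets a TLS ServerHello back instead of cleartext, and re-encrypted to the Amazon ES endpoint with the server certificate actually verified rather than `verify none`. The PEM path `/etc/haproxy/es-proxy.pem`, the CA bundle path `/etc/ssl/certs/ca-certificates.crt` and the use of `check-sni` are assumptions; the truncated host name from the question is kept exactly as it appears there.

```haproxy
frontend es_front
    # Terminate TLS on the listener. The PEM file holds the private key
    # followed by the certificate chain (assumed path).
    bind 127.0.0.1:9200 ssl crt /etc/haproxy/es-proxy.pem
    mode tcp
    option tcplog
    default_backend es_backend

backend es_backend
    mode tcp
    option tcplog
    balance roundrobin
    # Re-encrypt towards Amazon ES and verify its certificate against the
    # system CA bundle (assumed path) instead of `verify none`. SNI is sent
    # for both traffic and health checks; the host name is the one from the
    # question, kept as written.
    server es-1 vpc-es-.eu-central-1.es.amazonaws.com:443 check ssl verify required ca-file /etc/ssl/certs/ca-certificates.crt sni str(vpc-es-.eu-central-1.es.amazonaws.com) check-sni vpc-es-.eu-central-1.es.amazonaws.com
```

If the frontend is meant to stay plaintext (the answer's second option), keep `bind 127.0.0.1:9200` without `ssl crt` and query `http://127.0.0.1:9200` instead; the backend line above still applies, since `ssl verify none` only controls the hop to Amazon ES and never makes the listener speak TLS.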
I've done this a dozen times before, but this time I cannot seem to connect to my web server using HTTPS. I created an AWS EKS cluster using eksctl. I deployed my deployments and services using kubectl. I have service URLs which are resolving on port 80.
I take the service URLs, put them in CNAME records, and Cloudflare resolves via HTTP but not HTTPS. I get 521 errors; when I accept connections on port 443 in my Kubernetes services, I get SSL handshake errors.
The thing that confuses me is I thought Cloudflare provided an SSL layer but using my service URLs on port 80. It seems though that it's redirecting requests from cloudflare:443 to my-eks-cluster:443.
How do I debug this further to get some insight into what is going on?
Since your cluster works and accepts traffic, the most probable reason is that an encryption mode is enabled in your Cloudflare config.
And, according to your post, you intend to disable HTTPS entirely on the origin side:
The thing that confuses me is I thought Cloudflare provided an SSL layer but using my service URLs on port 80. It seems though that it's redirecting requests from cloudflare:443 to my-eks-cluster:443.
So you may want to check the SSL settings to be sure that the current encryption mode is Off.
As per the Cloudflare documentation:
Encryption modes · Cloudflare SSL docs
Mode Off
Setting your encryption mode to Off (not recommended) redirects any HTTPS request to plaintext HTTP.
I created an EC2 instance that is running perfectly over HTTP, but when I try to replace http with https I get this printed in the browser: This site can’t provide a secure connection. The security group that is associated with this instance is configured to allow requests over both HTTP and HTTPS, as in the attached image:
You are trying to run HTTPS over a port that has been configured for HTTP.
There are multiple options to get around this:
Set up a proxy on your local server, such as Nginx. Set up certbot to generate your SSL certificate and then serve this from your proxy.
Create an ELB in front of your server, generate a certificate in ACM and add your server as a target (running http) to the ELB. Use the load balancer for SSL termination.
Create a CloudFront distribution in front of your server, generate a certificate in ACM and forward traffic to your server as the origin (running http).
I have created a certificate with PowerShell:
New-SelfSignedCertificate -DnsName "localhost" -CertStoreLocation "cert:\LocalMachine\My"
I have copied the certificate to trusted root certification authorities
I have enabled certificate binding in IIS
Now if I access localhost from Chrome I see the SSL connection correctly.
However, if I start the connection from the web application I get the following error:
The SSL connection could not be established, see inner exception.
Request text: https://localhost/webservice/api/ImboundCall/?Telephone=5551234
System.Net.Http.HttpRequestException: The SSL connection could not be established, see inner exception.
System.Security.Authentication.AuthenticationException: The remote certificate is invalid according to the validation procedure
Even with Postman I get the same message.
We have a GCP GKE setup with traefik as our ingress.
The problem is that when we hit (HTTP GET) the IP of our LB, Traefik responds with the TRAEFIK DEFAULT CERT (self-signed root certificate).
Can we configure traefik so that it doesn't respond at all, or at least it responds without an invalid certificate?
Strict SNI checking solves this partially by dropping the connection in the case of invalid certificate: https://docs.traefik.io/configuration/entrypoints/#strict-sni-checking
I was looking for a guide that configures Traefik so that it responds as you need. Following these examples, you should be able to configure it without using a cert, especially for port 80.
Some configuration examples of Traefik: https://docs.traefik.io/user-guide/examples/
I have an AWS load balancer which was created using Kube, Kops and AWS.
The protocol type for the ELB is TCP. This works fine for HTTP requests, meaning I can access my site with http://testing.example.com. Now I tried to add SSL to this ELB using ACM (Certificate Manager). I added my domain details example.com and *.example.com by requesting a public certificate. It was created successfully and the domain validation also succeeded.
Then I tried to add this SSL certificate to my ELB like below.
I went to my ELB and selected it.
Then I went to the Listeners tab and added SSL to it like below.
And the ELB description is like below.
I cannot access https://testing.example.com; it hangs for a few minutes and nothing happens. What is going on here? I hope you can help with this.
In the Listener configuration, you are forwarding the default HTTP port 80 to port 30987 on the back-end server. So this tells me that the back-end server is listening for HTTP requests on port 30987.
You then added an SSL listener on the default port 443 but you are forwarding that to port 443 on the back-end server. Do you have something on your back-end listening on port 443 in addition to 30987?
The most likely fix for this is to change the SSL listener on the load balancer to forward to port 30987 on the back-end by setting that as the "Instance Port" setting.
If your backend application (that sits behind the ELB) only listens on HTTP port 30987 then you need some layer of TLS termination before your app server.
More food for thought on this approach:
https://security.stackexchange.com/questions/30403/should-ssl-be-terminated-at-a-load-balancer
Or you need to tweak your backend app server to also listen on an HTTPS / TLS context, in a different port (which you must map in your ELB configuration).
BTW, I would also suggest switching to an ALB or an NLB.
More info: https://medium.com/cognitoiq/how-cognitoiq-are-using-application-load-balancers-to-cut-elastic-load-balancing-cost-by-90-78d4e980624b
Once you finish the setup of whatever suggestion you picked, run curl -k -I https://testing.example.com/ to check whether or not you are getting blocked by the ELB.
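Every handshake error on this page (curl's "unexpected TLS packet" against HAProxy, the 521/handshake errors behind Cloudflare, the EC2 instance that "can't provide a secure connection", and the ELB listener that hangs) comes down to one question: does the listener on that port actually answer a TLS ClientHello with a TLS record, or with cleartext, or with nothing? The following probe is an added example written for this page (it is not code from any of the posts) and goes a step beyond `curl -k -I`: it sends a hand-built ClientHello and classifies the first bytes that come back by the TLS record content type (0x16 handshake, 0x15 alert) versus an `HTTP/` status line. The `serve_once` and `free_port` helpers are constructed test fixtures so the classifier can be exercised offline; they are not real services.

```python
"""Probe whether a TCP port speaks TLS or plaintext (added example, not from the posts above)."""
import os
import socket
import struct
import threading
from typing import Optional

TLS_HANDSHAKE = 0x16   # record content type of a ServerHello
TLS_ALERT = 0x15       # record content type of a TLS alert


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello carrying an SNI extension.

    The handshake is never completed, so a TLS listener that answers with an
    alert (for example because it rejects this cipher list) still proves the
    port speaks TLS.
    """
    # ECDHE-RSA-AES128/256-GCM, RSA-AES128/256-GCM, RSA-AES128/256-CBC
    cipher_suites = bytes.fromhex("c02fc030009c009d002f0035")
    name = server_name.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name       # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list  # extension type 0 = server_name
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"                                                # client_version TLS 1.2
        + os.urandom(32)                                           # client random
        + b"\x00"                                                  # empty session_id
        + struct.pack("!H", len(cipher_suites)) + cipher_suites
        + b"\x01\x00"                                              # compression: null only
        + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # ClientHello with 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def classify_response(first_bytes: bytes) -> str:
    """Map the server's first bytes to what is listening on the port."""
    if not first_bytes:
        return "closed"            # accepted, then dropped us without a reply (e.g. strict SNI)
    if first_bytes[0] == TLS_HANDSHAKE:
        return "tls"               # ServerHello: this port terminates TLS
    if first_bytes[0] == TLS_ALERT:
        return "tls-alert"         # still TLS, it just refused our ClientHello
    if first_bytes.startswith(b"HTTP/"):
        return "plaintext-http"    # an HTTP server parsed the ClientHello as a bad request
    return "plaintext-other"       # cleartext of some other kind; curl reports a bad TLS record


def probe_tls(host: str, port: int, server_name: Optional[str] = None, timeout: float = 5.0) -> str:
    """Connect, send a ClientHello and classify the first 16 bytes of the reply."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.sendall(build_client_hello(server_name or host))
            return classify_response(sock.recv(16))
    except ConnectionRefusedError:
        return "refused"           # nothing listens on that port
    except ConnectionResetError:
        return "closed"
    except socket.timeout:
        return "timeout"           # listener accepted but never answered


def free_port() -> int:
    """Constructed fixture: a 127.0.0.1 port that nothing listens on."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def serve_once(reply: bytes) -> int:
    """Constructed fixture: a throwaway listener that answers one connection with `reply`."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)        # consume the ClientHello
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    if len(sys.argv) < 3:
        sys.exit("usage: probe.py HOST PORT [SNI]")
    sni = sys.argv[3] if len(sys.argv) > 3 else None
    print(probe_tls(sys.argv[1], int(sys.argv[2]), sni))
```

Reading the result against the posts above: `plaintext-http` on 127.0.0.1:9200 is the HAProxy case (the listener returns cleartext, so add `ssl crt` to the bind or use http://); `timeout` or `refused` on the instance port behind an ELB means the SSL listener is forwarding to a port nothing serves; `tls-alert` with a self-signed default certificate is what the Traefik post sees, and `closed` is what strict SNI checking turns it into.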