fabiolb / fabio

Consul Load-Balancing made simple
https://fabiolb.net
MIT License

Postgres TCP proxy TLS issues #484

Open tino opened 6 years ago

tino commented 6 years ago

I'm trying to proxy Postgres and have fabio terminate the TLS.

Config:

FABIO_proxy_addr: ":80,:443;cs=somo,:5432;proto=tcp;cs=somo"
FABIO_proxy_cs: "cs=somo;type=path;cert=/certs"

(works fine on https)

route add geodb :5432 http://10.0.0.19:5432/ opts "proto=tcp"

This doesn't work:

⌘ psql -h geodb.myserver.nl
psql: received invalid response to SSL negotiation:

Fabio logs: 2018/04/16 17:15:46 [WARN]: tcp: tls: first record does not look like a TLS handshake

What to do? 😗

magiconair commented 6 years ago

Is this using TLS 1.2?

tino commented 6 years ago

I really don't know. From what I read, psql (client and server) find the highest supported version by both. But it's fabio that takes care of the TLS; I haven't set up anything in the postgres server config.

Any suggestion on things to check?

magiconair commented 6 years ago

You can try the handshake with openssl s_client -connect geodb.myserver.nl:5432 and see whether that works. If you are on a Mac you might need to install a newer version with homebrew and use /usr/local/opt/openssl/bin/openssl since only there you have the -tls1_2 option.

JonathanAcademic commented 5 years ago

Any update on this? Did you manage to get it working? We seem to have encountered a similar issue.

Our config file on Fabio, with a wildcard cert from Let's Encrypt:

proxy.cs=cs=certstore;type=file;cert=/.acme.sh/fullchain.cer;key=/.acme.sh/example.com.key
proxy.addr=:80;proto=http,:443;cs=certstore,:4222;proto=tcp;cs=certstore

With tags in Consul, we can see that routes are being created:

+ route add nats :4222 http://10.5.10.74:4222/
+ route add nats :4222 http://10.5.10.72:4222/
+ route add nats :4222 http://10.5.10.68:4222/

Our setup looks like this:

                      TCP:4222            TCP:4222
+-----------+            +-------+           +------------+
|NATS Client| +------->  | Fabio | +------>  |NATS Cluster|
+-----------+            +-------+           +------------+
                 SSL Let's Encrypt      SSL Self Signed

The problem we encounter is that as soon as we enable TLS with ;cs=certstore the client can't connect and we get the following error:

read tcp 192.168.15.102:59762-> <Fabio public ip> :4222: i/o timeout (Public IP hidden)
exit status 1

If we don't terminate SSL at Fabio we can connect to the NATS cluster via fabio.

pschultz commented 5 years ago

Are you running 1.5.11? TCP was broken since 1.5.8 (#524), and the symptoms you describe fit that bug.

JonathanAcademic commented 5 years ago

We're running with version 1.5.7

Edit: I'm quite certain I've found the problem in our case. https://github.com/nats-io/node-nats/issues/232 Seems that the initial handshake of NATS is and has to be non-TLS.

ccakes commented 5 years ago

For people stumbling across this thread via Google search, the issue is that Postgres clients negotiate TLS with the server directly. The client expects a non-TLS handshake prior to upgrading so terminating TLS at a proxy like fabio won't work.

Interested to hear if someone has worked out a way around this, but as far as I know it's not possible.
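The following is an added example, not code from fabio or from anyone in this thread. It is written in Go because fabio and the `crypto/tls` check behind the "first record does not look like a TLS handshake" warning are both Go. It builds the 8-byte cleartext SSLRequest that a libpq client sends before any TLS traffic, feeds it to a `crypto/tls` server over an in-memory pipe (the role a TLS-terminating listener plays) and shows that the handshake fails with exactly the message from the opening comment; for contrast it captures the first record a real `crypto/tls` client sends and shows that one passes the same record-header check. The server name `proxy.example` is a placeholder, and the whole exchange runs offline.

```go
package main

import (
	"crypto/tls"
	"encoding/binary"
	"fmt"
	"net"
	"strings"
)

// PostgresSSLRequest builds the 8-byte SSLRequest a libpq client sends in
// cleartext before any TLS traffic: Int32 length (8) followed by the request
// code 80877103 (1234 in the high 16 bits, 5679 in the low 16 bits).
// A PostgreSQL server answers it with a single 'S' or 'N' byte, and only
// after an 'S' does the client start the TLS handshake.
func PostgresSSLRequest() []byte {
	buf := make([]byte, 8)
	binary.BigEndian.PutUint32(buf[0:4], 8)
	binary.BigEndian.PutUint32(buf[4:8], 80877103)
	return buf
}

// LooksLikeTLSHandshake applies the sanity check crypto/tls applies to the
// 5-byte record header of the first record on a fresh connection: the content
// type must be alert (21) or handshake (22) and the record version must be
// plausible. Failing it is what produces fabio's warning.
func LooksLikeTLSHandshake(first []byte) bool {
	if len(first) < 5 {
		return false
	}
	typ := first[0]
	vers := binary.BigEndian.Uint16(first[1:3])
	return (typ == 21 || typ == 22) && vers < 0x1000
}

// TLSTerminationError plays the TLS-terminating listener: it hands the
// server side of an in-memory pipe to crypto/tls and returns the handshake
// error text after the peer has sent clientBytes ("" if the handshake got
// past the record-header check). No certificate is configured because the
// check we care about runs before one is ever needed.
func TLSTerminationError(clientBytes []byte) string {
	clientEnd, serverEnd := net.Pipe()
	go func() {
		_, _ = clientEnd.Write(clientBytes)
		clientEnd.Close()
	}()
	srv := tls.Server(serverEnd, &tls.Config{})
	defer srv.Close()
	if err := srv.Handshake(); err != nil {
		return err.Error()
	}
	return ""
}

// CaptureClientHello runs a genuine crypto/tls client against one end of an
// in-memory pipe and returns the first record it writes (its ClientHello).
// The handshake is deliberately never completed; we only want the bytes a
// TLS-speaking client sends first. "proxy.example" is a placeholder name.
func CaptureClientHello() ([]byte, error) {
	clientEnd, serverEnd := net.Pipe()
	done := make(chan struct{})
	go func() {
		defer close(done)
		c := tls.Client(clientEnd, &tls.Config{ServerName: "proxy.example", InsecureSkipVerify: true})
		_ = c.Handshake() // fails once serverEnd is closed below; expected
	}()
	buf := make([]byte, 16384)
	n, err := serverEnd.Read(buf)
	serverEnd.Close()
	<-done
	if err != nil {
		return nil, err
	}
	return buf[:n], nil
}

// SSLRequestRejected reports whether crypto/tls refuses the SSLRequest with
// the same record-header complaint that fabio logged in this issue.
func SSLRequestRejected() bool {
	return strings.Contains(TLSTerminationError(PostgresSSLRequest()),
		"first record does not look like a TLS handshake")
}

func main() {
	req := PostgresSSLRequest()
	fmt.Printf("SSLRequest bytes:        % x   looks like TLS: %v\n", req, LooksLikeTLSHandshake(req))
	fmt.Println("crypto/tls server says:  ", TLSTerminationError(req))
	hello, err := CaptureClientHello()
	if err != nil {
		panic(err)
	}
	fmt.Printf("ClientHello first bytes: % x   looks like TLS: %v\n", hello[:5], LooksLikeTLSHandshake(hello))
}
```

The Postgres client's first bytes start with 0x00, so the proxy's TLS stack gives up before any certificate is involved; the fix has to be a Postgres-aware endpoint that answers the SSLRequest with 'S' and only then wraps the socket, or else passing the TCP stream through untouched and letting the database terminate TLS. The NATS case in this thread fails the other way round: the NATS server speaks first with a cleartext INFO line, so a terminating proxy waits for a ClientHello that never comes while the client waits for INFO, which surfaces as the i/o timeout reported above.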