fabiolb / fabio

Consul Load-Balancing made simple
https://fabiolb.net
MIT License

Connecting to HTTPS Upstream service. #738

Closed sidvanarse closed 4 years ago

sidvanarse commented 4 years ago

I have my secure service running on HTTPS using the following options.

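```java
import io.vertx.core.http.ClientAuth;
import io.vertx.core.http.HttpServerOptions;
import io.vertx.core.net.JksOptions;

// HTTPS listener that requires a client certificate (mutual TLS)
HttpServerOptions options = new HttpServerOptions()
    .setSsl(true)
    .setClientAuth(ClientAuth.REQUIRED) // enum constant is upper-case
    // server certificate and private key
    .setKeyStoreOptions(
        new JksOptions()
            .setPath("Certificate.jks")
            .setPassword("password"))
    // CAs trusted to sign client certificates
    .setTrustStoreOptions(
        new JksOptions()
            .setPath("ca_cs_combined_prod.jks")
            .setPassword("password"));
```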

When I connect to my service at https://localhost:8080/getToken using Chrome, I get a pop-up to select a certificate, and after selecting the certificate I am able to call this service fine.

I have registered my service in Consul with the proto=https option.

But I am unable to call this service using fabio. My use case here is that the service registered in Consul is HTTPS and fabio is running with HTTP and not as HTTPS. Is it possible to call this upstream HTTPS service such as http://localhost:9999/getToken? How to use JKS certificates with fabio?

With the current setup, if I try to query my HTTPS upstream service using fabio I get the following error: cannot validate certificate for ipadress because it doesn't contain any ip sans

sidvanarse commented 4 years ago

I have converted my JKS keystore to PEM. Now when I do cs=cert;type=file;cert=certificate.pem;clientca=ca_cs_combined.pem I get the following error:

found a certificate rather than a key in the pem

Please advise. All I want is - my HTTPS service needs client side auth. I am able to call an HTTPS service which does not require client side AUTH through fabio. But I am struggling with calling an HTTPS service which needs client authentication from Fabio. How to do it?

pschultz commented 4 years ago

fabio doesn't support authenticating to backends (TLS or otherwise).

> My use case here is that the service registered in Consul is HTTPS and fabio is running with HTTP

> All I want is - my HTTPS service needs client side auth.

Which is it? The former can't be done when the backend requires TLS auth. The latter can be done by using a TCP proxy instead of an HTTP(S) proxy (i.e. fabio's client authenticates directly with the backend), but you can't do routing decisions based on the HTTP request, of course.

sidvanarse commented 4 years ago

Does this mean that we can't call HTTPS service which needs client AUTH from fabio?

sidvanarse commented 4 years ago

FYI I am able to call my HTTPS service which needs client AUTH directly and it works fine. I am not sure how to do it using Fabio.

pschultz commented 4 years ago

> Does this mean that we can't call HTTPS service which needs client AUTH from fabio?

Yes. As I was saying, fabio doesn't support authenticating to backends (TLS or otherwise).

> Does this mean that we can't call HTTPS service which needs client AUTH from fabio?

Not with an HTTP(S) proxy. You can use a TCP proxy but then authentication has to be done downstream.

aaronhurt commented 4 years ago

@sidvanarse Please re-open if you still have questions after the above conversation.
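
The two errors quoted earlier in this thread match messages produced by Go's `crypto/x509` and `crypto/tls` packages (fabio is written in Go). The following is an added example, not code from fabio or from the thread's participants, that reproduces both with a constructed self-signed certificate; the function name `diagnose`, the subject name and the address `10.0.0.5` are assumptions made for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"net"
	"time"
)

// diagnose builds a constructed self-signed cert with the given IP SANs and returns:
// hostname check for a dial to ip, cert-only PEM loaded as key pair, cert plus key.
func diagnose(ip string, sans ...net.IP) (host, certOnly, pair, err error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "backend.example"}, // constructed name
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		IPAddresses:  sans,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return
	}
	pkcs8, _ := x509.MarshalPKCS8PrivateKey(priv) // cannot fail for an Ed25519 key
	certPEM := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
	keyPEM := pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: pkcs8})
	host = cert.VerifyHostname(ip)                  // what a Go TLS client checks when dialing by IP
	_, certOnly = tls.X509KeyPair(certPEM, certPEM) // PEM holds only a CERTIFICATE block
	_, pair = tls.X509KeyPair(certPEM, keyPEM)      // PEM input includes the private key
	return
}

func main() {
	fmt.Println(diagnose("10.0.0.5"))                          // certificate without IP SANs
	fmt.Println(diagnose("10.0.0.5", net.ParseIP("10.0.0.5"))) // IP SAN matches the dialed address
}
```

The first call shows both failures: the hostname check rejects a dial by IP when the certificate carries no IP SAN, and loading a key pair fails when the PEM supplied for the key contains only a certificate. The second call shows the hostname check passing once the dialed address is listed as an IP SAN.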