fabiolb / fabio

Consul Load-Balancing made simple
https://fabiolb.net
MIT License

[question] URL for TLS destination #850

Closed hilayc closed 2 years ago

hilayc commented 2 years ago

Hello,

In my application, I want to use Fabio in order to forward HTTPS API to a 3rd party BE (MinIO), on a Windows server. I followed the instructions on this page: https://fabiolb.net/feature/https-tcp-sni-proxy/

I'm running Fabio with the following arguments: fabio.exe -proxy.addr :443;proto=https+tcp+sni;cs=consul-cs -proxy.cs cs=consul-cs;type=consul;cert=http://localhost:8500/v1/kv/certs/

I used this tag urlprefix-minio.domain.com proto=https for the MinIO registration to Fabio, but Fabio makes the request to https://ip:port, so MinIO is sending an error that the certificate doesn't match the request, because it receives an IP instead of a URL. I'm using Consul as a certificate store and I have a wildcard certificate matching both Fabio's and MinIO's domains.

I know I can use the tlsskipverify option but I prefer to avoid it if possible.

I somehow need to tell Fabio to send its requests with a URL. How can I accomplish that?

Thank you very much

moshemarciano commented 2 years ago

Interesting. So Fabio always uses IP addresses and not the host/url domain name?

Isn’t that expected to fail TLS verification?

Can anyone confirm this is indeed a Fabio limitation?

tristanmorgan commented 2 years ago

If you use the tag urlprefix-minio.domain.com/ proto=tcp for the service, then Fabio will pass through the TLS ClientHello with the minio.domain.com SNI and the backend should then be happy with the matching name. I tried testing with urlprefix-minio.domain.com/ proto=tcp host=minio.domain.com but Fabio still used the ip:port registered in Consul to connect (and failed because of missing IP SANs).

nathanejohnson commented 2 years ago

Sorry to pop in late to this conversation, but fabio uses the Consul service registration address. The urlprefix on domain names is just for SNI matching inbound. I suspect if the Consul service registration used the domain name versus the IP, it would likely work; however, that's a moot point if that DNS name is pointing at fabio. I can imagine a useful feature being to be able to use the urlprefix domain as the SNI name on the client connection instead of the IP, but that is not how it works today. That said, if minio has a valid certificate, you can just do proto=tcp as @tristanmorgan suggested.
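The proto=tcp behaviour tristanmorgan and nathanejohnson describe works because a TCP+SNI proxy only reads the server_name out of the client's ClientHello to pick a route, then forwards the bytes untouched, so the backend sees the client's original SNI and its own certificate still matches. As an added example (not Fabio's code), here is that extraction step over a raw TLS record; the sample ClientHello is constructed by the block itself, and minio.domain.com is the hostname from this thread.

```go
package main

// vec splits a length-prefixed TLS vector (w = 1 or 2 length bytes) off the front of p.
func vec(p []byte, w int) (val, rest []byte, ok bool) {
	n := -1
	if len(p) >= w {
		n = int(p[w-1]) | int(p[0])<<(8*(w-1)) // big-endian length; for w == 1 both terms are p[0]
	}
	if n < 0 || len(p)-w < n {
		return nil, nil, false
	}
	return p[w : w+n], p[w+n:], true
}

// clientHelloSNI returns the server_name carried by a raw TLS ClientHello record, the one
// field an SNI-routing TCP proxy reads before piping the untouched bytes on to the backend.
func clientHelloSNI(rec []byte) (sni string, ok bool) {
	// record hdr type(1) ver(2) len(2), handshake hdr type(1) len(3), legacy_version(2), random(32)
	if len(rec) < 43 || rec[0] != 0x16 || rec[5] != 0x01 {
		return "", false
	}
	p := rec[43:]
	for _, w := range []int{1, 2, 1} { // skip session_id, cipher_suites, compression_methods
		if _, p, ok = vec(p, w); !ok {
			return "", false
		}
	}
	exts, _, ok := vec(p, 2)
	for ok && len(exts) >= 4 {
		typ, body := int(exts[0])<<8|int(exts[1]), []byte(nil)
		body, exts, ok = vec(exts[2:], 2)
		// server_name (type 0) data: list_len(2), then an entry name_type(1)=0 host_name, name_len(2), name
		if list, _, lok := vec(body, 2); ok && typ == 0 && lok && len(list) > 0 && list[0] == 0 {
			if name, _, nok := vec(list[1:], 2); nok {
				return string(name), true
			}
		}
	}
	return "", false
}

// l16 prefixes b with its 2-byte big-endian length (TLS vector encoding).
func l16(b []byte) []byte { return append([]byte{byte(len(b) >> 8), byte(len(b))}, b...) }
// sampleClientHello assembles a minimal ClientHello record whose only extension is
// server_name: constructed sample input for this example, not a real client's bytes.
func sampleClientHello(name string) []byte {
	ext := append([]byte{0, 0}, l16(l16(append([]byte{0}, l16([]byte(name))...)))...)                 // type 0, ext_len, list_len, host_name entry
	body := append(append(append([]byte{3, 3}, make([]byte, 32)...), 0, 0, 2, 0x13, 0x01, 1, 0), l16(ext)...) // version, random, empty session_id, one suite, null compression, extensions
	hs := append([]byte{1, 0, byte(len(body) >> 8), byte(len(body))}, body...)                         // handshake type ClientHello + 3-byte length
	return append([]byte{0x16, 3, 1}, l16(hs)...)                                                      // record type handshake, version 3.1, length
}
```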