krakend / krakend-ce

KrakenD Community Edition: High-performance, stateless, declarative, API Gateway written in Go.
https://www.krakend.io
Apache License 2.0

SSL Not functioning #36

Closed kmccmk9 closed 5 years ago

kmccmk9 commented 6 years ago

Hello, I'm trying to see if this solution is viable for us. I'm trying to get a basic fake api working over https. But I'm not even getting into the API gateway.

My configuration is as follows (generated from the online config tool):

{
  "version": 2,
  "port": 8001,
  "extra_config": {
    "github_com/devopsfaith/krakend-httpsecure": {
      "allowed_hosts": [
        "api.site.com"
      ],
      "ssl_proxy_headers": {
        "X-Forwarded-Proto": "https"
      },
      "ssl_redirect": true,
      "ssl_certificate": "/opt/gateway/certs/site.crt",
      "ssl_private_key": "/opt/gateway/certs/site.key",
      "sts_include_subdomains": true,
      "ssl_host": "api.site.com"
    }
  },
  "host": [
    "https://api.site.com"
  ],
  "output_encoding": "json",
  "timeout": "3000ms",
  "cache_ttl": "300s",
  "name": "My API Gateway",
  "endpoints": [
    {
      "endpoint": "/testing",
      "method": "GET",
      "output_encoding": "json",
      "concurrent_calls": 1,
      "extra_config": {
        "github.com/devopsfaith/krakend/proxy": {
          "static": {
            "data": {
              "new_field_a": 123,
              "new_field_b": [
                "arr1",
                "arr2"
              ],
              "new_field_c": {
                "obj": "obj1"
              }
            },
            "strategy": "always"
          }
        }
      },
      "backend": [
        {
          "url_pattern": "/",
          "encoding": "json",
          "extra_config": {},
          "sd": "static"
        }
      ]
    }
  ]
}

My Output is as follows when running krakend in debug mode

root@vastyk:/etc/krakend# krakend run -c krakend.json -d
Parsing configuration file: krakend.json
 ERROR: unable to create the gologgin logger: getting the extra config for the krakend-gologging module
 WARNING: building the etcd client: unable to create the etcd client: no config
 DEBUG: creating a new influxdb client
 DEBUG: no config fot the influxdb client. aborting
 ERROR: Unable to load custom config from the extra config
 ERROR: opencensus: no extra config defined for the opencensus module
 INFO: no config for the bloomfilter map[github_com/devopsfaith/krakend-httpsecure:map[allowed_hosts:[] ssl_redirect:true ssl_certificate:/opt/gateway/certs/site.crt ssl_private_key:/opt/gateway/certs/site.key ssl_host:api.site.com]]
 ERROR: registering the BloomFilter: no config for the bloomfilter
[GIN-debug] [WARNING] Running in "debug" mode. Switch to "release" mode in production.
 - using env:   export GIN_MODE=release
 - using code:  gin.SetMode(gin.ReleaseMode)

 DEBUG: Debug enabled
[GIN-debug] GET    /__debug/*param           --> github.com/devopsfaith/krakend-ce/vendor/github.com/devopsfaith/krakend/router/gin.DebugHandler.func1 (4 handlers)
[GIN-debug] POST   /__debug/*param           --> github.com/devopsfaith/krakend-ce/vendor/github.com/devopsfaith/krakend/router/gin.DebugHandler.func1 (4 handlers)
[GIN-debug] PUT    /__debug/*param           --> github.com/devopsfaith/krakend-ce/vendor/github.com/devopsfaith/krakend/router/gin.DebugHandler.func1 (4 handlers)
 ERROR: JOSE: no signer config /testing
[GIN-debug] GET    /testing                  --> github.com/devopsfaith/krakend-ce/vendor/github.com/devopsfaith/krakend/router/gin.CustomErrorEndpointHandler.func1 (4 handlers)
[GIN] 2018/09/11 - 18:41:36 | 200 |  116.989573ms |    207.99.59.82 |  GET     /testing

In Postman if I send a request to https://api.site.com:8001/testing I get "Could not get any response" immediately. In the running display of KrakenD I have no connection attempt.

In Postman if I send a request to http://api.site.com:8001/testing I get the fake api response I expected, and I see the debug printout as you can see in my output snippet above. Why is this not accepting SSL connections? I noticed in my startup there is one ERROR that is listed as "Unable to load custom config from the extra config". Not sure if that is of use?

alombarte commented 6 years ago

Hello @kmccmk9 ,

Before going any further I would like to make sure we have the basics in place. If you have as allowed_hosts the value "api.site.com" KrakenD will make sure the request is coming from a host identified with exactly this name.

As you said you were using Postman, my first thought is that you are not forging the request header, so Postman will always be identifying itself as "localhost" or similar. The easiest test you can do is a curl forging the header:

curl -H 'Host:api.site.com'  https://api.site.com:8001/testing

Of course you can remove the allowed hosts from the configuration to do the test as well.

As a final note, if you intend to use krakend as the "api.site.com" the allowed hosts should have your clients' hostnames, not krakend's. For instance client.site.com. Unless of course you have everything in the same machine.

Please let me know if this works

kmccmk9 commented 6 years ago

Hi,

So I tried performing a curl request from the command line with the Host header set and I have the same problem: "The underlying connection was closed: unexpected error occurred on a send". But once again, if I send that same curl request over http instead it completes successfully.

I also tried removing my "allowed_hosts" configuration to see if it would help but that yielded the same exact set of results.

alombarte commented 6 years ago

Ahhh... I think I misunderstood you the whole time! I was assuming something you didn't say...

The httpsecure package is a wrapper of the unrolled/secure package. It adds additional security when dealing with https requests, such as forcing the user to use https instead of http, preventing XSS, disallowing connections from strange hosts, etc... but you ALWAYS need an SSL terminator in front of KrakenD-CE, as it will listen ONLY in plain HTTP.

So, if you are connecting directly to KrakenD using HTTPS this won't work! You need the balancer or another piece acting as a terminator. For instance, in AWS we usually place an ELB in front of krakend that deals with the SSL, and then we use the middleware httpsecure for the rest of the https magic.

Good news is that KrakenD will support this by itself in the next release (before EOY) as we will add ListenAndServeTLS

Hope that now I got it right! 😊
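
The deployment shape described in the comment above (a TLS terminator in front, KrakenD listening in plain HTTP behind it, and httpsecure deciding from forwarded headers whether the request was secure) can be sketched in a few dozen lines of Go. The block below is an added illustration, not code from the KrakenD project or from anyone in this thread: `SecureConfig` is a simplified stand-in for the `allowed_hosts`, `ssl_redirect`, `ssl_host` and `ssl_proxy_headers` settings in the issue's configuration, `NewTLSTerminator` plays the role of the ELB or HAProxy, and the certificate paths in `main` are the ones from the issue and are assumed to exist on disk.

```go
package main

import (
	"fmt"
	"log"
	"net/http"
	"net/http/httputil"
	"net/url"
)

// SecureConfig mirrors the subset of httpsecure settings used in the issue's
// configuration. It is an assumed, simplified model, not the real package's struct.
type SecureConfig struct {
	AllowedHosts    []string          // allowed_hosts
	SSLRedirect     bool              // ssl_redirect
	SSLHost         string            // ssl_host
	SSLProxyHeaders map[string]string // ssl_proxy_headers
}

// isSSL reports whether the request reached the gateway over TLS: either the
// listener itself was TLS (r.TLS set), or a terminator in front stamped one of
// the configured proxy headers (e.g. X-Forwarded-Proto: https).
func (c SecureConfig) isSSL(r *http.Request) bool {
	if r.TLS != nil {
		return true
	}
	for header, want := range c.SSLProxyHeaders {
		if r.Header.Get(header) == want {
			return true
		}
	}
	return false
}

// hostAllowed reports whether the request's Host header is on the allowlist.
// An empty allowlist accepts every host, which is what removing allowed_hosts does.
func (c SecureConfig) hostAllowed(host string) bool {
	if len(c.AllowedHosts) == 0 {
		return true
	}
	for _, h := range c.AllowedHosts {
		if h == host {
			return true
		}
	}
	return false
}

// Middleware wraps the gateway router with the host check and the https redirect.
func (c SecureConfig) Middleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !c.hostAllowed(r.Host) {
			http.Error(w, "bad host", http.StatusBadRequest)
			return
		}
		if c.SSLRedirect && !c.isSSL(r) {
			host := c.SSLHost
			if host == "" {
				host = r.Host
			}
			http.Redirect(w, r, "https://"+host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// NewTLSTerminator is the "piece in front": it accepts TLS from clients and forwards
// plain HTTP to the gateway, keeping the client's Host header (so allowed_hosts still
// matches) and overwriting X-Forwarded-Proto so a client cannot spoof it.
func NewTLSTerminator(gateway *url.URL) *httputil.ReverseProxy {
	proxy := httputil.NewSingleHostReverseProxy(gateway)
	director := proxy.Director
	proxy.Director = func(r *http.Request) {
		originalHost := r.Host
		director(r)
		r.Host = originalHost
		r.Header.Set("X-Forwarded-Proto", "https")
	}
	return proxy
}

func main() {
	cfg := SecureConfig{
		AllowedHosts:    []string{"api.site.com"},
		SSLRedirect:     true,
		SSLHost:         "api.site.com",
		SSLProxyHeaders: map[string]string{"X-Forwarded-Proto": "https"},
	}
	// Stand-in for the static /testing endpoint from the issue.
	api := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintln(w, `{"new_field_a":123}`)
	})
	// Gateway side: plain HTTP on :8001, which is all KrakenD-CE of that version offered.
	go func() { log.Fatal(http.ListenAndServe(":8001", cfg.Middleware(api))) }()
	// Terminator side: TLS on :8443 using the certificate paths from the issue (assumed to exist).
	gw, _ := url.Parse("http://127.0.0.1:8001")
	log.Fatal(http.ListenAndServeTLS(":8443", "/opt/gateway/certs/site.crt",
		"/opt/gateway/certs/site.key", NewTLSTerminator(gw)))
}
```

With this layout a request straight to :8001 over plain HTTP gets a 301 to https://api.site.com/..., a request with a Host outside the allowlist gets a 400, and a request through the terminator arrives at the gateway with `X-Forwarded-Proto: https` and passes. The terminator overwrites rather than appends the header: if the gateway trusted a client-supplied X-Forwarded-Proto, the redirect-to-https check could be bypassed by anyone who can reach the plain-HTTP port directly.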

kmccmk9 commented 6 years ago

Ok that makes much more sense. Sounds like for our particular use case we will wait for an update that includes ListenAndServe rather than running another instance of an HAProxy, or similar configuration. Thank you for detailing that out. Small suggestion: on the website and in the documentation, explain more about "Support SSL" out of the box. I find that very ambiguous, as demonstrated by this GitHub issue haha. Thank you again, can't wait for the new release and giving it another evaluation.

alombarte commented 6 years ago

Note taken. The whole site needs a revamp, especially the documentation (we need volunteers!)

I will let you know in this issue if the ListenAndServe can be tested before the release.

alombarte commented 5 years ago

Hi @kmccmk9,

Version 0.6.1 is released and now you can add listening TLS.

Thanks!

github-actions[bot] commented 2 years ago

This issue was marked as resolved a long time ago and now has been automatically locked as there has not been any recent activity after it. You can still open a new issue and reference this link.