Closed kmccmk9 closed 5 years ago
Hello @kmccmk9 ,
Before going any further I would like to make sure we have the basics in place. If you have as allowed_hosts the value "api.site.com", KrakenD will make sure the request is coming from a host identified with exactly this name.
As you said you were using Postman, my first thought is that you are not forging the request header so Postman will be always identifying itself as "localhost" or similar. The easiest test you can do is to do a curl forging the header:
curl -H 'Host:api.site.com' https://api.site.com:8001/testing
Of course you can remove the allowed hosts from the configuration to do the test as well.
As a final note, if you intend to use krakend as the "api.site.com" the allowed hosts should have your clients' hostnames, not krakend's. For instance client.site.com. Unless of course you have everything in the same machine.
Please let me know if this works.
Hi,
So I tried performing a curl request from command line with the Host header set and I have the same problem: "The underlying connection was closed: unexpected error occurred on a send". But once again, if I send that same curl request over http instead, it completes successfully.
I also tried removing my "allowed_hosts" configuration to see if it would help but that yielded the same exact set of results.
Ahhh... I think I misunderstood you the whole time! I was assuming something you didn't say...
The httpsecure package is a wrapper of the unrolled/secure package. It adds additional security when dealing with https requests, such as forcing the user to use https instead of http, prevent XSS, disallow connections from strange hosts, etc... but you need ALWAYS a SSL terminator in front of KrakenD-CE as it will listen ONLY in plain HTTP.
So, if you are connecting directly to KrakenD using HTTPS this won't work! You need the balancer or another piece acting as a terminator. For instance, in AWS we usually place an ELB in front of krakend that deals with the SSL, and then we use the middleware httpsecure for the rest of the https magic.
Good news is that KrakenD will support this by itself in the next release (before EOY) as we will add ListenAndServeTLS
Hope that now I got it right! 😊
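Added example (not part of the thread, and not KrakenD or unrolled/secure code): a stdlib-only Go sketch of the two checks described in the comment above, a Host allowlist and an HTTPS redirect on a backend that only speaks plain HTTP. It assumes the TLS terminator sets X-Forwarded-Proto; `hostGuard` and `probe` are hypothetical names.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// hostGuard is a hypothetical middleware for a plain-HTTP backend. Assumption:
// a TLS terminator in front of it sets X-Forwarded-Proto on every request.
func hostGuard(allowed []string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		host := r.Host
		if h, _, err := net.SplitHostPort(r.Host); err == nil {
			host = h // drop the port before comparing
		}
		ok := false
		for _, a := range allowed {
			ok = ok || strings.EqualFold(a, host)
		}
		if !ok {
			http.Error(w, "bad host", http.StatusBadRequest)
			return
		}
		// The backend never sees TLS itself, so it relies on the terminator's header.
		if r.Header.Get("X-Forwarded-Proto") != "https" {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// probe sends one constructed request through the guard and returns the status code.
func probe(hostHeader, forwardedProto string) int {
	h := hostGuard([]string{"api.site.com"}, http.HandlerFunc(func(http.ResponseWriter, *http.Request) {}))
	req := httptest.NewRequest("GET", "http://placeholder/testing", nil)
	req.Host = hostHeader
	req.Header.Set("X-Forwarded-Proto", forwardedProto)
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	// Constructed requests: via terminator, direct plain HTTP, unexpected Host.
	fmt.Println(probe("api.site.com:8001", "https"), probe("api.site.com:8001", ""), probe("localhost:8001", "https"))
}
```

The X-Forwarded-Proto check is only meaningful when the backend port is reachable solely through the terminator, since any client that can reach it directly can set that header itself.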
Ok that makes much more sense. Sounds like for our particular use case we will wait for an update that includes ListenAndServe rather than running another instance of a HA Proxy, or similar configuration. Thank you for detailing that out. Small suggestion, that on the website and documentation, explain more about "Support SSL" out of the box. I find that very ambiguous as demonstrated from this GitHub issue haha. Thank you again, can't wait for the new release and giving it another evaluation.
Note taken. The whole site needs a revamp, especially the documentation (we need volunteers!)
I will let you know in this issue if the ListenAndServe can be tested before the release.
Hi @kmccmk9,
Version 0.6.1 is released and now you can add listening TLS.
Thanks!
This issue was marked as resolved a long time ago and now has been automatically locked as there has not been any recent activity after it. You can still open a new issue and reference this link.
Hello, I'm trying to see if this solution is viable for us. I'm trying to get a basic fake api working over https. But I'm not even getting into the API gateway.
My configuration is as follows (generated from the online config tool):
My Output is as follows when running krakend in debug mode
In Postman if I send a request to https://api.site.com:8001/testing I get "Could not get any response" immediately. In the running display of KrakenD I have no connection attempt.
In Postman if I send a request to http://api.site.com:8001/testing I get the fake api response I expected, and I see the debug print out as you can see in my output snippet above. Why is this not accepting SSL connections? I noticed in my startup there is one ERROR that is listed as "Unable to load custom config from the extra config". Not sure if that is of use?