microsoft / azure-container-apps

Roadmap and issues for Azure Container Apps
MIT License

Feature Request: Ability to allow upstream TLS in addition to ingress TLS termination #705

Open matt-psaltis-work opened 1 year ago

matt-psaltis-work commented 1 year ago

Is your feature request related to a problem? Please describe.
We want to enable HTTPS endpoints on our .NET Core apps hosted in Container Apps. Currently, if you do this with an HTTPS ingress, the ingress cannot hand off the request and instead returns `upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection termination`.

Describe the solution you'd like.
The ability to allow self-signed certificates, or, in the case of say Let's Encrypt certificates, the ability to ignore name mismatches on the upstream endpoints.

Describe alternatives you've considered.
We've had to turn off TLS on the upstream application in the containers.

Additional context.
Works correctly if exposed using a TCP ingress.

vturecek commented 1 year ago

@matt-psaltis-work is encryption in transit within your Container Apps Environment your only requirement here, or do you need something more (for example, client certificate validation)?

matt-psaltis-work commented 1 year ago

@vturecek Just encryption in transit. The upstream service cannot be configured with HTTP and must therefore also terminate TLS.

tslavik commented 1 year ago

+1

ivanthelad commented 1 year ago

+1

torosent commented 1 year ago

Hi, would mTLS work for you? You just need to enable it and all the environment traffic between apps and ingress is encrypted for you. https://learn.microsoft.com/en-us/azure/container-apps/networking?tabs=azure-cli#mtls

ivanthelad commented 1 year ago

@torosent in my case it wouldn't. The containers that are running come with their own self-signed certs. Some of these are generated on the fly. One of our motivations is not having to modify the container images (migrations from another platform). My guess is that this mTLS would not change the ACA ingress not trusting the cert exposed on the backend, right?

jeremywadsack commented 1 year ago

As encryption in transit is a basic security expectation these days (by SOC 2 standards and most B2B business requirements), it seems like resolving this would be a high priority. While mTLS is one solution, it would be simpler if the ingress could just run HTTPS checks.

ahmelsayed commented 2 months ago

You can set `targetPortHttpScheme: https` on the ingress in api-version >= 2024-08-02-preview.
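As an added illustration of the setting named in the last comment (this is example code, not from the issue or the Azure Container Apps project): a Bicep container app whose ingress terminates the client's TLS and then re-encrypts to a container that only listens on HTTPS. The API version is the one stated above; the app name, image, port, environment id and the `ASPNETCORE_URLS` binding are placeholders I assume for the example.

```bicep
// Added example, not from the issue thread or the ACA project.
// Assumes API version 2024-08-02-preview (from the comment above); all names,
// the image and the environment id are placeholders.
param location string = resourceGroup().location
param environmentId string                       // placeholder: Container Apps environment resource id
param image string = 'registry.example/app:1.0'  // placeholder image that serves TLS on 8443

resource app 'Microsoft.App/containerApps@2024-08-02-preview' = {
  name: 'tls-upstream-app'
  location: location
  properties: {
    managedEnvironmentId: environmentId
    configuration: {
      ingress: {
        external: true
        transport: 'http'       // client-facing HTTPS is terminated at the ingress
        allowInsecure: false    // do not accept plaintext HTTP from clients
        targetPort: 8443
        // Without the next line the ingress forwards plaintext HTTP to 8443;
        // a TLS-only container rejects the handshake and the client sees
        // "upstream connect error or disconnect/reset before headers".
        // With it, the ingress speaks HTTPS to the container, so traffic is
        // encrypted on both hops without disabling TLS in the image.
        targetPortHttpScheme: 'https'
      }
    }
    template: {
      containers: [
        {
          name: 'app'
          image: image
          env: [
            // placeholder: make the ASP.NET Core app bind HTTPS on 8443
            { name: 'ASPNETCORE_URLS', value: 'https://+:8443' }
          ]
        }
      ]
    }
  }
}
```

The issue text does not say whether the ingress validates the upstream certificate in this mode, so treat that as something to verify against the current ACA documentation rather than assume.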