microsoft / reverse-proxy

A toolkit for developing high-performance HTTP reverse proxy applications.
https://microsoft.github.io/reverse-proxy
MIT License

Hostname validation against server's certificate for HTTPS Ingress backends #2137

Open specialforest opened 1 year ago

specialforest commented 1 year ago

When the Ingress backend uses HTTPS, request forwarding fails with something like:

System.Net.Http.HttpRequestException: 'The SSL connection could not be established, see inner exception.'
AuthenticationException: The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch

This happens because the ingress controller resolves the backend service to a set of endpoints which are IP addresses. ClusterConfig.Destinations in turn has addresses with just IPs. When forwarding the request there is no information about the destination hostname and therefore server's certificate validation fails.

There are a couple of workarounds:

  1. Use HttpClientConfig.DangerousAcceptAnyServerCertificate
  2. Define a transform on the ingress rule to set Host header:
    annotations:
      yarp.ingress.kubernetes.io/transforms: |
        - RequestHeader: Host
          Set: "my.backend.hostname"

I'm creating this for awareness for others running into the same issue and to discuss whether there is anything that can be done for it to just work.
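
The two workarounds side by side in a standalone YARP appsettings.json, for readers who hit the same failure outside the ingress controller. This is an added example, not configuration from the issue or from the project; the route and cluster IDs, the pod IP addresses, the port and the hostname my.backend.hostname are made up. The comments are accepted by the .NET JSON configuration reader.

```json
{
  "ReverseProxy": {
    "Routes": {
      "backend-route": {
        "ClusterId": "backend-cluster",
        "Match": { "Path": "{**catch-all}" },
        "Transforms": [
          // Workaround 2 (preferred): name the backend explicitly.
          // SocketsHttpHandler uses an explicit Host header as the TLS target
          // host, so this value becomes the SNI sent to the pod and the name the
          // server certificate is validated against. Without it the only name
          // available is the destination IP, hence RemoteCertificateNameMismatch.
          { "RequestHeader": "Host", "Set": "my.backend.hostname" }
        ]
      }
    },
    "Clusters": {
      "backend-cluster": {
        "Destinations": {
          // What the ingress controller produces from service endpoints:
          // bare IP addresses, no hostname (addresses are hypothetical).
          "pod-a": { "Address": "https://10.244.1.17:8443/" },
          "pod-b": { "Address": "https://10.244.2.5:8443/" }
        },
        "HttpClient": {
          // Workaround 1 (weak): accept any certificate. Keep this false; with
          // the Host transform in place it is not needed, and true disables
          // name AND chain validation, so an on-path attacker with any
          // certificate can terminate the proxy-to-pod connection.
          "DangerousAcceptAnyServerCertificate": false
        }
      }
    }
  }
}
```

Two things to check before relying on the Host transform. First, the backend's certificate must actually carry my.backend.hostname in its Subject Alternative Names, since that is the name now being validated. Second, the transform replaces the Host header the client sent, so a backend that routes on Host must expect the configured value. The transform also cannot fix a RemoteCertificateChainErrors failure; that means the proxy does not trust the issuing CA, which is solved by trusting that CA on the proxy host, not by renaming the destination.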

MihaZupan commented 1 year ago

Thanks for filing the issue. It feels like we should be adding such a transform by default, both to enable cert validation and properly flow SNI to the service.

jonmikeli commented 7 months ago

Hi @specialforest,

I'm having a similar issue. I've tried to use the HttpClient.DangerousAcceptAnyServerCertificate property but I don't manage to make it work. Still getting the same SSL issue.

The remote certificate is invalid according to the validation procedure: RemoteCertificateNameMismatch, RemoteCertificateChainErrors

When using this setting, is there something else to be done to make it work?

kr