spring-cloud / spring-cloud-gateway

An API Gateway built on Spring Framework and Spring Boot providing routing and more.
http://cloud.spring.io
Apache License 2.0

Add a way to disable ProxyExchange hostname verification #346

Open fitzoh opened 6 years ago

fitzoh commented 6 years ago

I'm attempting to use gateway to bypass a load balancer and proxy a prometheus scrape request. I'm hitting an IP address directly, and setting the host header that the server is expecting.

This causes SSL issues.

I attempted to set spring.cloud.gateway.httpclient.ssl.use-insecure-trust-manager=true which got me past the initial error, but it now fails hostname verification:

    Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 1.2.3.4 found
        at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168) ~[na:1.8.0_162]
        at sun.security.util.HostnameChecker.match(HostnameChecker.java:94) ~[na:1.8.0_162]
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) ~[na:1.8.0_162]
        at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) ~[na:1.8.0_162]
        at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252) ~[na:1.8.0_162]
        at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[na:1.8.0_162]
        at org.cloudfoundry.security.FileWatchingX509ExtendedTrustManager.checkServerTrusted(FileWatchingX509ExtendedTrustManager.java:73) ~[container_security_provider-1.11.0_RELEASE.jar:1.11.0.RELEASE]

venkatesh010 commented 4 years ago

@fitzoh As a workaround you can create a custom configuration for the netty HttpClient and then set SNIMatcher to true for all conditions, which skips DNS verification and gets you going.

And @spencergibb, we can add a flag in HttpClientProperties.java for enabling or disabling SAN verification.

spencergibb commented 4 years ago

None of those have any bearing on ProxyExchange