New to Voyager? Please start here.
SSL Passthrough
The annotation ingress.appscode.com/ssl-passthrough allows to configure TLS termination in the backend and not in haproxy. When set to true, passes TLS connections directly to backend.
If ssl-passthrough is used, HAProxy will use tcp. For more details see here. When ssl-passthrough is enabled, Voyager automatically converts your HTTP ingress rules to TCP rules.
Please note that following features are not supported when using ssl-passthrough:
- Multiple paths for HTTP rules.
headerRulesandrewriteRulesfor backends.- Specifying TLS for TCP rules. So even if you define
spec.tlsfor your HTTP hosts, it will be ignored.
Voyager will not modify your existing TCP rules. Instead it will cause a validation error if TLS defined for existing TCP rules on same port. In that case, you have to either ensure TCP hosts do not match with spec.tls or, just set noTLS=true for those TCP rules.
Ingress Example
apiVersion: voyager.appscode.com/v1
kind: Ingress
metadata:
name: test-ingress
namespace: default
annotations:
ingress.appscode.com/ssl-passthrough: "true"
spec:
rules:
- host: voyager.appscode.test
http:
port: 8443
paths:
- path: /foo
backend:
service:
name: test-server
port:
number: 443
Generated haproxy.cfg:
# HAProxy configuration generated by https://github.com/appscode/voyager
# DO NOT EDIT!
global
daemon
stats socket /var/run/haproxy.sock level admin expose-fd listeners
server-state-file global
server-state-base /var/state/haproxy/
# log using a syslog socket
log /dev/log local0 info
tune.ssl.default-dh-param 2048
ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK
lua-load /etc/auth-request.lua
hard-stop-after 30s
defaults
log global
# https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20abortonclose
# https://github.com/voyagermesh/gateway-docs/pull/403
option dontlognull
option http-server-close
# Timeout values
timeout client 50s
timeout client-fin 50s
timeout connect 5s
timeout server 50s
timeout tunnel 50s
# Configure error files
# default traffic mode is http
# mode is overwritten in case of tcp services
mode http
frontend tcp-0_0_0_0-8443
bind *:8443
mode tcp
default_backend test-server.default:443
backend test-server.default:443
mode tcp
server pod-test-server-777ccbbc49-g7q6t 172.17.0.4:6443
Now check the response:
$ minikube service --url voyager-test-ingress
http://192.168.99.100:31692
$ curl -k https://192.168.99.100:31692
{"type":"http","host":"192.168.99.100:31692","serverPort":":6443","path":"/","method":"GET","headers":{"Accept":["*/*"],"User-Agent":["curl/7.47.0"]}}