|Summary:||[RFE] TLS termination for arbitrary TCP (non-HTTP) services|
|Component:||Routing||Assignee:||Ben Bennett <bbennett>|
|Status:||CLOSED DEFERRED||QA Contact:||zhaozhanqi <zzhao>|
|Version:||3.x||CC:||aos-bugs, ccoleman, jawnsy, mifiedle, ppatiern|
|Last Closed:||2017-01-04 20:14:02 UTC||Type:||Bug|
Description ppatiern 2017-01-04 11:18:40 UTC
Description of problem:
The current TLS "edge" termination doesn't support a non HTTP service as backend.

How reproducible:

Steps to Reproduce:
1. Having a route with configured "edge" TLS termination (and related certificates)
2. Having a "pure" TCP (non HTTP) service as destination of the above route
3. Try to communicate using the above route with the destination service

Actual results:
The TLS handshake works well but then the HAProxy replies with an HTML page (with bad request information)

Expected results:
The encrypted traffic is decrypted through the router and sent to the destination service unencrypted.
Comment 1 Clayton Coleman 2017-01-04 15:57:49 UTC
If this is possible with HAProxy it seems reasonable to have edge terminate to TCP. We might need to have a special case.
Comment 2 Ben Bennett 2017-01-04 16:12:47 UTC
It seems reasonable to me too. I added a card to track it, but I'm still investigating whether haproxy can do it. I would like to add a new termination type for it if that is what you mean by "special case" rather than overloading "edge".
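
The behaviour reported above and the behaviour requested, shown side by side in a standalone HAProxy configuration. This is an added example, not part of the original thread and not the OpenShift router template; the section names, ports, certificate path, hostname and backend address are placeholder assumptions.

```haproxy
# Added example for a standalone HAProxy built with TLS support.
# All names, ports, paths and addresses below are placeholders.

defaults
    timeout connect 5s
    timeout client  1m
    timeout server  1m

# Reported behaviour: TLS is terminated, then the decrypted bytes are parsed
# as HTTP. A non-HTTP payload fails that parse and the client receives
# HAProxy's 400 Bad Request page over the established TLS session.
frontend edge_http
    mode http
    bind :8443 ssl crt /etc/haproxy/certs/example.pem
    default_backend be_http

backend be_http
    mode http
    server app 192.0.2.10:9000

# Requested behaviour: TLS is terminated, then the decrypted byte stream is
# forwarded unparsed to the plain-TCP service.
frontend edge_tcp
    mode tcp
    option tcplog
    bind :9443 ssl crt /etc/haproxy/certs/example.pem
    # No Host header exists in TCP mode, so per-hostname selection has to
    # use the SNI value the client sent during the handshake.
    use_backend be_tcp if { ssl_fc_sni -i tcp.example.test }

backend be_tcp
    mode tcp
    # The hop from proxy to service is cleartext, as the report expects;
    # it needs a trusted network segment.
    server app 192.0.2.10:9000 check
```

The file can be syntax-checked with `haproxy -c -f <file>` before loading. Clients that do not send SNI match no `use_backend` rule in `edge_tcp` and are not forwarded.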