Bug 1410061

Summary: [RFE] TLS termination for arbitrary TCP (non-HTTP) services
Product: OKD
Reporter: ppatiern <ppatiern>
Component: Routing
Assignee: Ben Bennett <bbennett>
Status: CLOSED DEFERRED
QA Contact: zhaozhanqi <zzhao>
Severity: low
Priority: medium
Version: 3.x
CC: aos-bugs, ccoleman, jawnsy, mifiedle, ppatiern
Last Closed: 2017-01-04 20:14:02 UTC
Type: Bug

Description ppatiern 2017-01-04 11:18:40 UTC
Description of problem:

The current TLS "edge" termination doesn't support a non-HTTP service as a backend.

How reproducible:

Steps to Reproduce:

1. Having a route with configured "edge" TLS termination (and related certificates)
2. Having a "pure" TCP (non-HTTP) service as destination of the above route
3. Try to communicate using the above route with the destination service

Actual results:

The TLS handshake works well but then the HAProxy replies with an HTML page (with bad request information)

Expected results:

The encrypted traffic is decrypted through the router and sent to the destination service unencrypted.
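
For reference, an added example (not from the bug report or the OpenShift router template): a stand-alone HAProxy configuration contrasting an HTTP-mode TLS frontend, which yields the bad-request page described above, with a TCP-mode frontend that terminates TLS and forwards the decrypted bytes unchanged. The hostname, addresses, ports and certificate path are constructed placeholders.

```haproxy
# Constructed example: all names, addresses, ports and paths are placeholders.
defaults
    timeout connect 5s
    timeout client  1m
    timeout server  1m

# HTTP-mode TLS edge. After the handshake HAProxy parses the decrypted
# stream as HTTP, so a client speaking any other protocol receives a
# 400 Bad Request error page instead of reaching its service.
frontend edge_http
    mode http
    bind :8443 ssl crt /etc/haproxy/certs/example.pem
    default_backend be_http

backend be_http
    mode http
    server app1 10.0.0.10:8080

# TCP-mode TLS termination. "bind ... ssl" still performs the handshake,
# but "mode tcp" disables HTTP parsing: the decrypted byte stream is
# relayed as-is to the backend.
frontend edge_tcp
    mode tcp
    bind :8883 ssl crt /etc/haproxy/certs/example.pem
    # With TLS terminated here, the SNI sent by the client is available
    # for host-based selection even though there is no HTTP Host header.
    use_backend be_tcp if { ssl_fc_sni -i broker.example.test }
    default_backend be_reject

backend be_tcp
    mode tcp
    # This hop is plaintext: keep it on a trusted network segment.
    # The service sees the proxy's address as the peer, not the client's.
    server svc1 10.0.0.20:1883

backend be_reject
    mode tcp
    # No servers defined: connections with an unknown SNI are closed.
```

This only fits protocols where the client starts TLS immediately on connect; protocols that upgrade in-band (STARTTLS-style) cannot be terminated this way.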

Comment 1 Clayton Coleman 2017-01-04 15:57:49 UTC
If this is possible with HAProxy it seems reasonable to have edge terminate to TCP.  We might need to have a special case.

Comment 2 Ben Bennett 2017-01-04 16:12:47 UTC
It seems reasonable to me too.  I added a card to track it, but I'm still investigating whether haproxy can do it.

I would like to add a new termination type for it if that is what you mean by "special case" rather than overloading "edge".

Comment 3 Ben Bennett 2017-01-04 20:14:02 UTC
Closing this in preference to the Trello card.  https://trello.com/c/xMNzgFTy