Bug 1410061 - [RFE] TLS termination for arbitrary TCP (non-HTTP) services
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: OKD
Classification: Red Hat
Component: Routing
Version: 3.x
Hardware: Unspecified
OS: Unspecified
medium
low
Target Milestone: ---
: ---
Assignee: Ben Bennett
QA Contact: zhaozhanqi
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2017-01-04 11:18 UTC by ppatiern
Modified: 2017-01-04 20:14 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-01-04 20:14:02 UTC
Target Upstream Version:


Description ppatiern 2017-01-04 11:18:40 UTC
Description of problem:

The current TLS "edge" termination doesn't support a non-HTTP service as backend.

How reproducible:


Steps to Reproduce:

1. Having a route with configured "edge" TLS termination (and related certificates)
2. Having a "pure" TCP (non-HTTP) service as destination of the above route
3. Try to communicate using the above route with the destination service

Actual results:

The TLS handshake works well but then the HAProxy replies with an HTML page (with bad request information)

Expected results:

The encrypted traffic is decrypted through the router and sent to the destination service unencrypted.
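
Added illustration, not part of the original report and not taken from the OpenShift router template: a plain HAProxy configuration that contrasts TLS termination in `mode http` (the behaviour under "Actual results") with TLS termination in `mode tcp` (the behaviour under "Expected results"). The certificate path, hostname, addresses and ports are constructed placeholders.

```haproxy
defaults
    timeout connect 5s
    timeout client  1m
    timeout server  1m

# Case 1: TLS is terminated and the decrypted stream is parsed as HTTP.
# A client speaking any other protocol completes the handshake, then its
# first bytes fail HTTP request parsing and HAProxy answers with its
# built-in 400 Bad request page instead of forwarding to the backend.
frontend fe_tls_http
    mode http
    bind :8443 ssl crt /etc/haproxy/certs/example.pem   # constructed path
    default_backend be_http

backend be_http
    mode http
    server app1 10.0.0.10:8080 check                    # constructed address

# Case 2: TLS is terminated and the decrypted stream is relayed as opaque
# bytes. No HTTP parsing takes place, so there is no Host header to route
# on; on a shared port the only per-connection selector is the SNI name
# sent in the handshake.
frontend fe_tls_tcp
    mode tcp
    option tcplog
    bind :9443 ssl crt /etc/haproxy/certs/example.pem   # constructed path
    # Connections whose SNI matches no rule have no backend and are closed.
    use_backend be_tcp if { ssl_fc_sni -i broker.example.test }

backend be_tcp
    mode tcp
    # The leg from HAProxy to the service is plaintext; keep it on a
    # trusted network segment. The service sees HAProxy's address as the
    # peer unless it supports the PROXY protocol (server option send-proxy).
    server svc1 10.0.0.20:5672 check                    # constructed address
```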

Comment 1 Clayton Coleman 2017-01-04 15:57:49 UTC
If this is possible with HAProxy it seems reasonable to have edge terminate to TCP.  We might need to have a special case.

Comment 2 Ben Bennett 2017-01-04 16:12:47 UTC
It seems reasonable to me too.  I added a card to track it, but I'm still investigating whether haproxy can do it.

I would like to add a new termination type for it if that is what you mean by "special case" rather than overloading "edge".

Comment 3 Ben Bennett 2017-01-04 20:14:02 UTC
Closing this in preference to the Trello card.  https://trello.com/c/xMNzgFTy
