TLS passthrough
Set up a TLS listener on the gateway that serves one or more hosts and passes TLS traffic through to a destination.
Because TLS traffic is not terminated at the gateway, the destination must be capable of handling incoming TLS traffic.
The steps in this guide show how to set up TLS passthrough for the nginx.example.com domain.
Before you begin
- Set up Gloo Mesh Gateway in a single cluster. You do not need to deploy sample apps as you create an NGINX server and configure it for HTTPS traffic as part of this example.
- TheThe default
opensslversion that is included in macOS is LibreSSL, which does not work with these instructions. Make sure that you have the OpenSSL version ofopenssl, not LibreSSL.opensslversion must be at least 1.1.- Check your
opensslversion. If you see LibreSSL in the output, continue to the next step.openssl version - Install the OpenSSL version (not LibreSSL). For example, you might use Homebrew.
brew install openssl - Review the output of the OpenSSL installation for the path of the binary file. You can choose to export the binary to your path, or call the entire path whenever the following steps use an
opensslcommand.- For example,
opensslmight be installed along the following path:/usr/local/opt/openssl@3/bin/ - To run commands, you can append the path so that your terminal uses this installed version of OpenSSL, and not the default LibreSSL.
/usr/local/opt/openssl@3/bin/openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650...
- For example,
- Check your
Deploy an NGINX server that is configured for HTTPS traffic
Deploy a sample NGINX server and configure the server for HTTPS traffic. You use this server to try out the client TLS policy later.
Create a root certificate for the
example.comdomain. You use this certificate to sign the certificate for your NGINX service later.mkdir example_certs openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./CN=example.com' -keyout example_certs/example.com.key -out example_certs/example.com.crtCreate a server certificate and private key for the
nginx.example.comdomain.openssl req -out example_certs/nginx.example.com.csr -newkey rsa:2048 -nodes -keyout example_certs/nginx.example.com.key -subj "/CN=nginx.example.com/O=some organization" openssl x509 -req -sha256 -days 365 -CA example_certs/example.com.crt -CAkey example_certs/example.com.key -set_serial 0 -in example_certs/nginx.example.com.csr -out example_certs/nginx.example.com.crtCreate a secret that stores the certificate and key for the NGINX server.
kubectl create secret tls nginx-server-certs \ --key example_certs/nginx.example.com.key \ --cert example_certs/nginx.example.com.crtPrepare your NGINX configuration. The following example configures NGINX for HTTPS traffic with the certificate that you created earlier.
cat <<\EOF > ./nginx.conf events { } http { log_format main '$remote_addr - $remote_user [$time_local] $status ' '"$request" $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; error_log /var/log/nginx/error.log; server { listen 443 ssl; root /usr/share/nginx/html; index index.html; server_name nginx.example.com; ssl_certificate /etc/nginx-server-certs/tls.crt; ssl_certificate_key /etc/nginx-server-certs/tls.key; } } EOFStore the NGINX configuration in a configmap.
kubectl create configmap nginx-configmap --from-file=nginx.conf=./nginx.confDeploy the NGINX server.
kubectl apply -f- <<EOF apiVersion: v1 kind: Service metadata: name: my-nginx labels: run: my-nginx spec: ports: - port: 443 protocol: TCP selector: run: my-nginx --- apiVersion: apps/v1 kind: Deployment metadata: name: my-nginx spec: selector: matchLabels: run: my-nginx replicas: 1 template: metadata: labels: run: my-nginx sidecar.istio.io/inject: "true" spec: containers: - name: my-nginx image: nginx ports: - containerPort: 443 volumeMounts: - name: nginx-config mountPath: /etc/nginx readOnly: true - name: nginx-server-certs mountPath: /etc/nginx-server-certs readOnly: true volumes: - name: nginx-config configMap: name: nginx-configmap - name: nginx-server-certs secret: secretName: nginx-server-certs EOF
Set up a gateway listener for TLS passthrough
To route TLS traffic to the NGINX server directly without terminating the TLS connection at the gateway, you create a virtual gateway and configure it for TLS passthrough.
When you apply the Gloo custom resources in this guide to your cluster, Gloo Mesh Gateway automatically checks the configuration against validation rules and value constraints. You can also run a pre-admission validation check by using the meshctl x validate resources command. For more information, see the resource validation overview and the CLI command reference.
Create the virtual gateway to configure your listener for TLS passthrough. Note that the
tlssection of your virtual gateway config must remain empty so that the gateway does not present a certificate to perform a TLS handshake with a client.kubectl apply -f- <<EOF apiVersion: networking.gloo.solo.io/v2 kind: VirtualGateway metadata: annotations: cluster.solo.io/cluster: "" name: istio-ingressgateway namespace: default spec: listeners: - allowedRouteTables: - host: nginx.example.com http: {} port: number: 443 tls: {} workloads: - selector: labels: istio: ingressgateway EOFCreate a route table to route incoming requests on the
nginx.example.comdomain to the NGINX server that you configured.kubectl apply -f- <<EOF apiVersion: networking.gloo.solo.io/v2 kind: RouteTable metadata: annotations: cluster.solo.io/cluster: "" name: tls-route namespace: default spec: hosts: - nginx.example.com tls: - forwardTo: destinations: - port: number: 443 ref: cluster: cluster1 name: my-nginx namespace: default matchers: - port: 8443 sniHosts: - nginx.example.com virtualGateways: - name: istio-ingressgateway namespace: default EOFGet the IP address of your ingress gateway.
export INGRESS_GW_ADDRESS=$(kubectl get svc -n gloo-mesh-gateways istio-ingressgateway -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}") echo $INGRESS_GW_ADDRESSSend a request to the
nginx.example.comdomain and verify that you get back a 200 HTTP response code from your NGINX server. Because NGINX accepts incoming TLS traffic only, the 200 HTTP response code proves that TLS traffic was not terminated at the gateway. In addition, you can verify that you get back the server certificate that you configured your NGINX server with in the beginning.curl -vi --resolve nginx.example.com:443:$INGRESS_GW_ADDRESS --cacert example_certs/example.com.crt https://nginx.example.com:443Example output:
Added nginx.example.com:443:34.XXX.XXX.XXX to DNS cache * Hostname nginx.example.com was found in DNS cache * Trying 34.XXX.XXX.XXX:443... * Connected to nginx.example.com (34.XXX.XXX.XXX) port 443 (#0) * ALPN, offering h2 * ALPN, offering http/1.1 * successfully set certificate verify locations: * CAfile: example_certs/example.com.crt * CApath: none * TLSv1.2 (OUT), TLS handshake, Client hello (1): * TLSv1.2 (IN), TLS handshake, Server hello (2): * TLSv1.2 (IN), TLS handshake, Certificate (11): * TLSv1.2 (IN), TLS handshake, Server key exchange (12): * TLSv1.2 (IN), TLS handshake, Server finished (14): * TLSv1.2 (OUT), TLS handshake, Client key exchange (16): * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1): * TLSv1.2 (OUT), TLS handshake, Finished (20): * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1): * TLSv1.2 (IN), TLS handshake, Finished (20): * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305 * ALPN, server accepted to use http/1.1 * Server certificate: * subject: CN=nginx.example.com; O=some organization * start date: Apr 3 17:54:04 2023 GMT * expire date: Apr 2 17:54:04 2024 GMT * common name: nginx.example.com (matched) * issuer: O=example Inc.; CN=example.com * SSL certificate verify ok. > GET / HTTP/1.1 > Host: nginx.example.com > User-Agent: curl/7.77.0 > Accept: */* > * Mark bundle as not supporting multiuse < HTTP/1.1 200 OK HTTP/1.1 200 OK < Server: nginx/1.23.4 Server: nginx/1.23.4 < Date: Mon, 03 Apr 2023 18:14:42 GMT Date: Mon, 03 Apr 2023 18:14:42 GMT < Content-Type: text/html Content-Type: text/html < Content-Length: 615 Content-Length: 615 < Last-Modified: Tue, 28 Mar 2023 15:01:54 GMT Last-Modified: Tue, 28 Mar 2023 15:01:54 GMT < Connection: keep-alive Connection: keep-alive < ETag: "64230162-267" ETag: "64230162-267" < Accept-Ranges: bytes Accept-Ranges: bytes < <!DOCTYPE html> <html> <head> <title>Welcome to nginx!</title> ...
Next steps
Now that you have the virtual gateway configured, you can add other Gloo Mesh Gateway resources to control traffic that is routed through the gateway.
- Process and route traffic through the virtual gateway with route tables, such as by using header matching, redirects, or direct responses.
- Explore traffic management, security, and resiliency policies that you can apply to your routes and upstream services. For example, you might apply the proxy protocol policy to your API Gateway so that it preserves connection information such as the originating client IP address.
Cleanup
You can optionally remove the resources that you set up as part of this guide.
rm -r example_certs
rm nginx.conf
kubectl delete configmap nginx-configmap
kubectl delete routetable tls-route
kubectl delete virtualgateway istio-ingressgateway
kubectl delete deployment my-nginx
kubectl delete service my-nginx
kubectl delete secret nginx-server-certs