Because TLS traffic is not terminated at the gateway, the destination must be capable of handling incoming TLS traffic.

Figure: TLS passthrough listener setup

The steps in this guide show how to set up TLS passthrough for the domain.

Before you begin

  1. Set up Gloo Mesh Gateway in a single cluster. You do not need to deploy sample apps as you create an NGINX server and configure it for HTTPS traffic as part of this example.
  2. The openssl version must be at least 1.1.

    1. Check your openssl version. If you see LibreSSL in the output, continue to the next step.
        openssl version
    2. Install the OpenSSL version (not LibreSSL). For example, you might use Homebrew.
        brew install openssl
    3. Review the output of the OpenSSL installation for the path of the binary file. You can choose to export the binary to your path, or call the entire path whenever the following steps use an openssl command.
      • For example, openssl might be installed along the following path: /usr/local/opt/openssl@3/bin/
      • To run commands, you can append the path so that your terminal uses this installed version of OpenSSL, and not the default LibreSSL. /usr/local/opt/openssl@3/bin/openssl req -new -newkey rsa:4096 -x509 -sha256 -days 3650...

Deploy an NGINX server that is configured for HTTPS traffic

Deploy a sample NGINX server and configure the server for HTTPS traffic. You use this server to try out the client TLS policy later.

  1. Create a root certificate for the domain. You use this certificate to sign the certificate for your NGINX service later.

      mkdir example_certs
    openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./' -keyout example_certs/ -out example_certs/
  2. Create a server certificate and private key for the domain.

      openssl req -out example_certs/ -newkey rsa:2048 -nodes -keyout example_certs/ -subj "/ organization"
    openssl x509 -req -sha256 -days 365 -CA example_certs/ -CAkey example_certs/ -set_serial 0 -in example_certs/ -out example_certs/
  3. Create a secret that stores the certificate and key for the NGINX server.

      kubectl create secret tls nginx-server-certs \
     --key example_certs/ \
     --cert example_certs/
  4. Prepare your NGINX configuration. The following example configures NGINX for HTTPS traffic with the certificate that you created earlier.

      cat <<\EOF > ./nginx.conf
    events {
    http {
      log_format main '$remote_addr - $remote_user [$time_local]  $status '
      '"$request" $body_bytes_sent "$http_referer" '
      '"$http_user_agent" "$http_x_forwarded_for"';
      access_log /var/log/nginx/access.log main;
      error_log  /var/log/nginx/error.log;
      server {
        listen 443 ssl;
        root /usr/share/nginx/html;
        index index.html;
        ssl_certificate /etc/nginx-server-certs/tls.crt;
        ssl_certificate_key /etc/nginx-server-certs/tls.key;
  5. Store the NGINX configuration in a configmap.

      kubectl create configmap nginx-configmap --from-file=nginx.conf=./nginx.conf
  6. Deploy the NGINX server.

      kubectl apply -f- <<EOF
    apiVersion: v1
    kind: Service
      name: my-nginx
        run: my-nginx
      - port: 443
        protocol: TCP
        run: my-nginx
    apiVersion: apps/v1
    kind: Deployment
      name: my-nginx
          run: my-nginx
      replicas: 1
            run: my-nginx
          - name: my-nginx
            image: nginx
            - containerPort: 443
            - name: nginx-config
              mountPath: /etc/nginx
              readOnly: true
            - name: nginx-server-certs
              mountPath: /etc/nginx-server-certs
              readOnly: true
          - name: nginx-config
              name: nginx-configmap
          - name: nginx-server-certs
              secretName: nginx-server-certs

Set up a gateway listener for TLS passthrough

To route TLS traffic to the NGINX server directly without terminating the TLS connection at the gateway, you create a virtual gateway and configure it for TLS passthrough.

  1. Create the virtual gateway to configure your listener for TLS passthrough. Note that the tls section of your virtual gateway config must remain empty so that the gateway does not present a certificate to perform a TLS handshake with a client.

      kubectl apply -f- <<EOF
    kind: VirtualGateway
      annotations: ""
      name: istio-ingressgateway
      namespace: default
      - allowedRouteTables:
        - host:
        http: {}
          number: 443
        tls: {}
      - selector:
            istio: ingressgateway
  2. Create a route table to route incoming requests on the domain to the NGINX server that you configured.

      kubectl apply -f- <<EOF
    kind: RouteTable
      annotations: ""
      name: tls-route
      namespace: default
      - forwardTo:
          - port:
              number: 443
              cluster: cluster1
              name: my-nginx
              namespace: default
        - port: 8443
      - name: istio-ingressgateway
        namespace: default
  3. Get the IP address of your ingress gateway.

      export INGRESS_GW_IP=$(kubectl get svc -n gloo-mesh-gateways istio-ingressgateway -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
    echo $INGRESS_GW_IP
  4. Send a request to the domain and verify that you get back a 200 HTTP response code from your NGINX server. Because NGINX accepts incoming TLS traffic only, the 200 HTTP response code proves that TLS traffic was not terminated at the gateway. In addition, you can verify that you get back the server certificate that you configured your NGINX server with in the beginning.

      curl -vi --resolve$INGRESS_GW_IP --cacert example_certs/ 

    Example output:

      Added to DNS cache
    * Hostname was found in DNS cache
    *   Trying 34.XXX.XXX.XXX:443...
    * Connected to (34.XXX.XXX.XXX) port 443 (#0)
    * ALPN, offering h2
    * ALPN, offering http/1.1
    * successfully set certificate verify locations:
    *  CAfile: example_certs/
    *  CApath: none
    * TLSv1.2 (OUT), TLS handshake, Client hello (1):
    * TLSv1.2 (IN), TLS handshake, Server hello (2):
    * TLSv1.2 (IN), TLS handshake, Certificate (11):
    * TLSv1.2 (IN), TLS handshake, Server key exchange (12):
    * TLSv1.2 (IN), TLS handshake, Server finished (14):
    * TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
    * TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (OUT), TLS handshake, Finished (20):
    * TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
    * TLSv1.2 (IN), TLS handshake, Finished (20):
    * SSL connection using TLSv1.2 / ECDHE-RSA-CHACHA20-POLY1305
    * ALPN, server accepted to use http/1.1
    * Server certificate:
    *  subject:; O=some organization
    *  start date: Apr  3 17:54:04 2023 GMT
    *  expire date: Apr  2 17:54:04 2024 GMT
    *  common name: (matched)
    *  issuer: O=example Inc.;
    *  SSL certificate verify ok.
    > GET / HTTP/1.1
    > Host:
    > User-Agent: curl/7.77.0
    > Accept: */*
    * Mark bundle as not supporting multiuse
    < HTTP/1.1 200 OK
    HTTP/1.1 200 OK
    < Server: nginx/1.23.4
    Server: nginx/1.23.4
    < Date: Mon, 03 Apr 2023 18:14:42 GMT
    Date: Mon, 03 Apr 2023 18:14:42 GMT
    < Content-Type: text/html
    Content-Type: text/html
    < Content-Length: 615
    Content-Length: 615
    < Last-Modified: Tue, 28 Mar 2023 15:01:54 GMT
    Last-Modified: Tue, 28 Mar 2023 15:01:54 GMT
    < Connection: keep-alive
    Connection: keep-alive
    < ETag: "64230162-267"
    ETag: "64230162-267"
    < Accept-Ranges: bytes
    Accept-Ranges: bytes
    <!DOCTYPE html>
    <title>Welcome to nginx!</title>

Next steps

Now that you have the virtual gateway configured, you can add other Gloo Mesh Gateway resources to control traffic that is routed through the gateway.


You can optionally remove the resources that you set up as part of this guide.

  rm -r example_certs
rm nginx.conf
kubectl delete configmap nginx-configmap
kubectl delete routetable tls-route
kubectl delete virtualgateway istio-ingressgateway
kubectl delete deployment my-nginx
kubectl delete service my-nginx
kubectl delete secret nginx-server-certs