Configure your ingress gateway to perform TLS origination for traffic that is sent to services in or outside your cluster. When TLS origination is enabled, the ingress gateway encrypts incoming HTTP or HTTPS requests by using TLS certificates before forwarding the request to an HTTPS server or service in the cluster. Therefore, TLS origination is the opposite of TLS termination where incoming HTTPS requests are decrypted by the ingress gateway before they are forwarded to a service in the cluster.

For more information, see the following resources:

Before you begin

To follow the example that is outlined on this page, Gloo Gateway must be set up in a single cluster as described in the getting started guide. You do not need to deploy sample apps as you create an NGINX server and configure it for HTTPS traffic as part of this example.

Deploy an NGINX server that is configured for HTTPS traffic

The following steps show how to deploy a sample NGINX server and configure the server for HTTPS traffic. You use this server to try out the client TLS policy later.

  1. Create a namespaces for the NGINX server that you deploy as part of this example.

      kubectl create namespace nginx
  2. Create a root certificate for the domain. You use this certificate to sign the certificate for your NGINX service later.

      openssl req -x509 -sha256 -nodes -days 365 -newkey rsa:2048 -subj '/O=example Inc./' -keyout -out
  3. Create a server certificate and private key for the my-nginx.nginx.svc.cluster.local service.

      openssl req -out my-nginx.nginx.svc.cluster.local.csr -newkey rsa:2048 -nodes -keyout my-nginx.nginx.svc.cluster.local.key -subj "/CN=my-nginx.nginx.svc.cluster.local/O=some organization"
    openssl x509 -req -sha256 -days 365 -CA -CAkey -set_serial 0 -in my-nginx.nginx.svc.cluster.local.csr -out my-nginx.nginx.svc.cluster.local.crt
  4. Generate the client certificate and private key.

      openssl req -out -newkey rsa:2048 -nodes -keyout -subj "/ organization"
    openssl x509 -req -sha256 -days 365 -CA -CAkey -set_serial 1 -in -out
  5. Create a secret that stores the server and CA certificate that you created.

      kubectl create -n nginx secret tls nginx-server-certs --key my-nginx.nginx.svc.cluster.local.key --cert my-nginx.nginx.svc.cluster.local.crt
    kubectl create -n nginx secret generic nginx-ca-certs
  6. Prepare your NGINX configuration. The following example configures NGINX for HTTPS traffic with the server and client certificates that you created earlier.

      cat <<EOF > ./nginx.conf
    events {
    http {
      log_format main '$remote_addr - $remote_user [$time_local]  $status '
      '"$request" $body_bytes_sent "$http_referer" '
      '"$http_user_agent" "$http_x_forwarded_for"';
      access_log /var/log/nginx/access.log main;
      error_log  /var/log/nginx/error.log;
      server {
        listen 443 ssl;
        root /usr/share/nginx/html;
        index index.html;
        server_name my-nginx.nginx.svc.cluster.local;
        ssl_certificate /etc/nginx-server-certs/tls.crt;
        ssl_certificate_key /etc/nginx-server-certs/tls.key;
        ssl_client_certificate /etc/nginx-ca-certs/;
        ssl_verify_client on;
  7. Store the NGINX configuration in a configmap.

      kubectl create configmap nginx-configmap -n nginx --from-file=nginx.conf=./nginx.conf
  8. Deploy the NGINX server.

      kubectl apply -f
  9. Store the client certificate and key in another secret that the ingress gateway later uses to authenticate with the NGINX server.

      kubectl create secret -n gloo-mesh-gateways generic client-credential \

Configure and verify client TLS policies

Now that you configured your NGINX server for HTTPS traffic, you must enable TLS origination for the ingress gateway.

  1. Configure an HTTP listener on your ingress gateway. This listener enables the ingress gateway to accept incoming HTTP requests.

      kubectl apply -f- <<EOF
    kind: VirtualGateway
      name: mtls-gateway
      namespace: gloo-mesh-gateways
      - port:
          number: 80
        http: {}
      - selector:
            istio: ingressgateway
  2. Create a route table that routes incoming HTTP traffic to the NGINX server that is configured for HTTPS traffic.

      kubectl apply -f- <<EOF
    kind: RouteTable
      name: mtls-routetable
      namespace: gloo-mesh-gateways
      - name: mtls-gateway
        namespace: gloo-mesh-gateways
      - '*'
      - matchers:
        - uri:
            prefix: /
          - ref:
              name: my-nginx
              namespace: nginx
              cluster: $CLUSTER_NAME
              number: 443
  3. Verify that your NGINX server does not accept incoming HTTP requests.

    1. In a new terminal, port-forward the ingress gateway on your local machine.

        kubectl port-forward deploy/ingressgateway -n gloo-mesh-gateways 8080
    2. Send an HTTP request to your local host. Because the ingress gateway is not yet configured for TLS origination, the HTTP request is forwarded to the NGINX server without encryption. However, the NGINX server is configured to only accept HTTPS traffic so you see an error stating that you tried to send plain HTTP traffic to an HTTPS port.

        curl localhost:8080

      Example output:

      <head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
      <center><h1>400 Bad Request</h1></center>
      <center>The plain HTTP request was sent to HTTPS port</center>
  4. Create the client TLS policy. This policy configures the ingress gateway to encrypt all incoming HTTP traffic for the NGINX deployment by using the client certificates that are stored in the secret.

      kubectl apply -f- <<EOF
    kind: ClientTLSPolicy
      name: mtls
      namespace: gloo-mesh-gateways
      - selector:
          namespace: nginx
            run: my-nginx
          credentialName: client-credential
  5. Send another HTTP request to your local host. Because the ingress gateway is now configured to encrypt HTTP requests before forwarding them to the NGINX server, the request now succeeds.

      curl localhost:8080

    Example output:

      <!DOCTYPE html>
    <title>Welcome to nginx!</title>
    html { color-scheme: light dark; }
    body { width: 35em; margin: 0 auto;
    font-family: Tahoma, Verdana, Arial, sans-serif; }
    <h1>Welcome to nginx!</h1>
    <p>If you see this page, the nginx web server is successfully installed and
    working. Further configuration is required.</p>
    <p>For online documentation and support please refer to
    <a href=""></a>.<br/>
    Commercial support is available at
    <a href=""></a>.</p>
    <p><em>Thank you for using nginx.</em></p>


You can optionally remove the resources that you set up as part of this guide.
  kubectl delete namespace nginx
kubectl delete virtualgateway mtls-gateway -n gloo-mesh-gateways
kubectl delete routetable mtls-routetable -n gloo-mesh-gateways
kubectl delete clienttlspolicy mtls -n gloo-mesh-gateways