SSL/TLS Passthrough #669
I think your issue is with
Thanks a lot for taking the time to answer me. Removing
After investigating, I found that this error is caused by the following line: I'm a bit surprised as the example from https://github.com/mesosphere/marathon-lb/blob/master/Longhelp.md#haproxy_https_frontend_acl does make use of the Removing
Seems like that is because of your template
Just use the default template and then try enabling your app with the labels below
Thank you again for your answer. I've deleted my Could this be a bug in marathon-lb?
How are you configuring your certificate? Marathon-LB expects the certificate to be formatted in a certain manner with new lines; try
I'm sorry, I'm not sure I understand. If I'm doing SSL/TCP passthrough with Marathon-lb, it shouldn't be aware of the certificate. It should just pass the TCP traffic without even looking at what it's routing, right? Why would the certificate have to be added to
I am not sure how you are routing that traffic. If I am not wrong, you are pointing your domain to a CNAME of marathon-lb. From what I understood, all the traffic is being routed to
Thanks a lot for all your suggestions. I've looked at all of them, but it seems I might have been a bit unclear on what I'm trying to achieve. I'm sorry if this is the case. As you correctly imagined, my goal is to do load balancing to my nginx container - currently only one - using the SNI extension, without marathon-lb doing anything other than routing the packet. The setup I'm trying to achieve is very similar to https://www.haproxy.com/blog/enhanced-ssl-load-balancing-with-server-name-indication-sni-tls-extension/. This would allow me to keep the certificates in the nginx container only, without providing any certificate to marathon-lb nor HAProxy. The way I see it is something like this (although I might be misunderstanding something):
The requested hostname is in clear in HTTPS (https://stackoverflow.com/a/8277348) "but in HTTPS, a TLS handshake takes place first, before the HTTP conversation can begin (HTTPS still uses HTTP – it just encrypts the HTTP messages). Without SNI, then, there is no way for the client to indicate to the server which hostname they're talking to." (Citation from https://www.cloudflare.com/learning/ssl/what-is-sni/)
Hopefully this makes sense.
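What an SNI-based passthrough router actually inspects, as an added example that is not marathon-lb or HAProxy code: a constructed TLS ClientHello is built and the server_name is pulled back out of it, which is the same plaintext field HAProxy's `req_ssl_sni` fetch reads in `mode tcp` before any certificate is involved. The names `build_client_hello`, `extract_sni` and `choose_backend`, the cipher suite and the backend names are all assumptions for the illustration.

```python
import struct

# Constructed ClientHello (not a capture): a minimal TLS 1.2 record carrying
# only a server_name extension, so the parser below has something to inspect.
def build_client_hello(hostname: str) -> bytes:
    name = hostname.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name  # host_name type
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = b"\x00\x00" + struct.pack("!H", len(sni_list)) + sni_list
    exts = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (b"\x03\x03" + b"\x11" * 32  # client_version, fixed dummy random
            + b"\x00"                   # empty session id
            + b"\x00\x02\xc0\x2f"       # one (arbitrary) cipher suite
            + b"\x01\x00"               # null compression only
            + exts)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # type 1
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(data: bytes):
    """Return the server_name from a TLS ClientHello record, else None.
    Nothing here is decrypted: the ClientHello is sent in the clear."""
    try:
        if len(data) < 5 or data[0] != 0x16:      # not a TLS handshake record
            return None
        hs = data[5:5 + struct.unpack("!H", data[3:5])[0]]
        if len(hs) < 4 or hs[0] != 0x01:          # not a ClientHello
            return None
        pos = 4 + 2 + 32                          # header, version, random
        pos += 1 + hs[pos]                        # session id
        pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]  # cipher suites
        pos += 1 + hs[pos]                        # compression methods
        if pos + 2 > len(hs):
            return None                           # no extensions at all
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            pos += 4
            if etype == 0 and hs[pos + 2] == 0:   # server_name, host_name entry
                nlen = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
                return hs[pos + 5:pos + 5 + nlen].decode("ascii", "replace")
            pos += elen
        return None
    except (IndexError, struct.error):            # truncated or malformed
        return None

def choose_backend(client_hello: bytes, routes: dict, default="be_default"):
    """Pick a backend by SNI; clients sending no SNI land on the default."""
    sni = extract_sni(client_hello)
    return routes.get(sni.lower(), default) if sni else default
```

A client that omits SNI (or sends plain HTTP to the TLS port) yields `None`, which is why a passthrough frontend still needs a default backend.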
Hello everyone,
I'm trying to do an SSL/TCP passthrough with Marathon-LB 1.14.2, as described in the HAProxy documentation (https://www.haproxy.com/documentation/haproxy/deployment-guides/tls-infrastructure/#ssl-tls-pass-through).
This would allow for Marathon-LB to expose the certificate exposed by the service and not have to provide any certificates to Marathon-LB itself.
Based on https://github.com/mesosphere/marathon-lb/blob/master/Longhelp.md I've created the following template:
After doing so, I've added the following labels to my container:
However, I hit the following error:
Could anyone explain to me how I can expose the certificate of my service through Marathon-LB without terminating the SSL session?
Thank you for any help you might provide.