feat(router) allow TLS passthrough in stream router

[fffonion]

Summary

Adds the ability in route TLS traffic based on SNI without terminating the connection.

To let Kong does normal TLS termination

kong.conf:
stream_listen=0.0.0.0:9000 ssl

kong.yaml
routes:
- protocol: tls
  snis: something

To let Kong does TLS passthrough

kong.conf:
stream_listen=0.0.0.0:9000 ssl

kong.yaml
routes:
- protocol: tls_passthrough
  snis: something

Full changelog

• feat(router) allow TLS passthrough in stream router

Issues resolved

Fix #5902 #6694

TODO:

• preserve client address when doing second layer proxing
• not run plugins in log phase in the preread server block

[hbagdi]

I love it when such features can be implemented with a small patch.
Question: Is it possible to mix TLS termination and pass-through (based on the SNI) on the same port? If not, what is the limitation? If yes, how much effort is that?

[fffonion]

@hbagdi Having them on the same port is not likely something Nginx support directly, but can be hacked by configuration. If one configures two "layers" of proxy, the first layer doesn't do TLS termination and when it matches certain SNI, it forward it a local port, which is a TLS port. Then theoritically you can have the port in the first layer accepts both type of traffic.

[hbagdi]

That sounds like an uncomfortable and a risky hack to me that we should best avoid.

[fffonion]

It's actually not that terrible as it looks 😄 and it will be transparent to client. By configuration I was referring to two Routes in Kong, the nginx configuration doesn't need to be changed. Though it's indeed not a common case to use Kong itself as a upstream, but it's a common pattern in Nginx as I heard of.

[dndx]

@hbagdi In reality proxying to itself does not impact performance that much. The bulk of the overhead is always inside the TLS termination which has to run expensive cryptography operations. Proxy to self, in reality is just few memcpys and can easily saturate the memory bandwidth without breaking a sweat of the CPU.

I very much feel that we need to support mixing terminated and non-terminated connections on the same port, otherwise the usefulness of Kong TLS proxy will become very limited.

[hbagdi]

I very much feel that we need to support mixing terminated and non-terminated connections on the same port, otherwise the usefulness of Kong TLS proxy will become very limited.

I do too. But it has to be transparent to the user, meaning, a user shouldn't need to create two routes in Kong.
If I create 3 routes on the same port in kong:

• a route performs TCP termination
• a route that does TLS termination for an SNI
• a route that does SNI-based proxying without TLS termination (SNI sniffing)

it should just work.

[fffonion]

Seems like we need to add more lines in this PR : ) Turning on ssl_preread, or if there's any plugin or Kong logic that tries to peek data in preread phase will block current request in preread phase for protocols where "server sends data before client" (for example SMTP). Kong/Nginx only starts to proxy data from upstream to downstream in phase after preread.

https://github.com/Kong/kong/blob/master/spec/02-integration/05-proxy/22-reports_spec.lua#L41 is an example for this use case.

So I'm proposing to make ssl_preread gated by a new Kong configuration so that user can choose the behaviour of stream proxy. This will not affect HTTP subsystem.

[dndx]

Discussed with @fffonion, the following design are proposed:

1. We keep the L4 configuration exactly the same as today.
2. When user specifies stream_listen, ssl can be specified for a port as needed (this is the same as today). If the user wants to perform any special TLS handling, like SNI proxy or TLS termination, then the ssl flag must be present.
3. When ssl flag is present, the preread module will be enabled for that server block. At the same time, another server that listens on a unix domain socket will be created that will handle TLS termination if later needed.
4. When request comes into a port with ssl flag, the incoming SNI server_name is examined. If termination is required, the request is forwarded via the domain socket to the terminating server block.

The advantage of this method is:

1. Support the current user config as well as mixed terminating and non-terminating TLS proxy, without need to introduce additional config options
2. Minimum loss of performance

Note that we do not want to support mixing TLS and cleartext traffic on the same port, for reasons @fffonion already mentioned above. It will inevitable break a lot of cleartext protocol if we enable preread module for cleartext ports. User must always specify in stream_listen whether a port proxies TLS traffic or not, but we can decide whether to terminate the TLS.

[hbagdi]

+1 to that.
One question, based on the SNI, how will Kong decide to terminate or TLS-passthrough the request?

[fffonion]

@hbagdi there will be two server blocks, since currently we can't control ssl termination dynamically in Lua

match route based on SNI  --- Service is tls --> unix domain socket -> local server block with tls termination -> Upstream
                        \ ___ Service is tcp -> Upstream

[hbagdi]

So if I'm understanding correctly, weather to terminate TLS or not will be based on the protocol of Service? That seems odd. Routing decisions should be based on routes only, isn't it?

…

On Wed, Jan 27, 2021, 4:01 PM Wangchong Zhou ***@***.***> wrote: @hbagdi <https://github.com/hbagdi> there will be two server blocks, since currently we can't control ssl termination dynamically in Lua match route based on SNI --- Service is tls --> unix domain socket -> local server block with tls termination -> Upstream \ ___ Service is tcp -> Upstream — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#6757 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABD2EOKGLUI7BVWM52C636TS37TPHANCNFSM4WMPNRKA> .

[fffonion]

@hbagdi That has similar pattern in http subsystem, Service will determine how Kong "treat" the request.
For example you can route an SNI route to a http service, but Kong will complain it should only be used in https service.
Then whether to serve certificate is based on the protocol of Service, it shouldn't be regarded as a routing decision.

[hbagdi]

For example you can route an SNI route to a http service, but Kong will complain it should only be used in https service.

AFAIK, that error is generated at the time of route/service creation and not at runtime.

Then whether to serve certificate is based on the protocol of Service, it shouldn't be regarded as a routing decision.

This doesn't seem correct. In HTTP sub-system, the certificate presented to downstream has nothing to do with Service resource because the route is not known during TLS (and hence Service is not known). I think the stream sub-system works similarly but I don't have enough experience with it to be sure.

In Routes, we have the protocol - tcp or tls, SNI and port. I think what is missing is a field which dictates whether to terminate TLS or not.

[haroldoproenca]

Hi, How are you?
I'm facing the same problem with my Kong Ingress Controller and I would like to know when you intend to release this fix.
Thank's,

Haroldo

[mayocream]

Any updates on this PR?

[fffonion]

@haroldoproenca @mayocream We will revisit this PR in the near future releases, please hold for updates!

[ignacioli]

Any updates on this PR?

Thanks

[mayocream]

I was waiting for this moment that this PR have new commits!
Great works! 😋

[fffonion]

normal request -> first server block -> upstream
tls passthrough request -> second server blocke - proxy_protocol -> third server block -> upstream
tls termination request -> second server block - proxy_protocol -> first server block -> upstream

ideally, when doing tls passthrough, we can directly go from second server block to upstream
but currently we can't turn proxy_protocol on/off from lua side, so there's an extra third
server block to offload the proxy_protocol. we can have something like .kong.tls.disable_proxy_protocol to make this better.

[hbagdi]

Add tls_pasthrough to the if_match statement (line 34)

[fffonion]

need to add some test in schema unit test as well

[dndx]

This seems to be something we can cache once at load and no need to create new strings for each connection.

[dndx]

Instead of checking the flag, if we add a return value for runloop.preread.before does that makes more sense? Flags are slower but more important it makes the control flow less clear :)