
haproxy points to wrong file on tcp+tls config #630

Closed
thekad opened this issue Oct 16, 2017 · 5 comments

@thekad commented Oct 16, 2017

Hi,

Running with:

Version = 4.0.0-rc.12
VersionStrategy = tag
Os = alpine
Arch = amd64
CommitHash = 5cced152994834b1fd633f362615fc8c6ede4628
GitBranch = release-4.0
GitTag = 4.0.0-rc.12
CommitTimestamp = 2017-10-13T11:47:39

I am trying to set up a TCP backend with TLS termination, testing using a simple znc bouncer, here's the ingress.yaml file:

apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
  name: haproxy
spec:
  tls:
  - secretName: irc.example.com
    hosts:
    - irc.example.com
  rules:
  - host: irc.example.com
    tcp:
      port: 6697
      backend:
        serviceName: znc
        servicePort: 6667

Fairly simple, pretty much the same file from the examples. Here's the haproxy.cfg that results from said configuration:

# HAProxy configuration generated by https://github.com/appscode/voyager
# DO NOT EDIT!

global
	daemon
	stats socket /tmp/haproxy
	server-state-file global
	server-state-base /var/state/haproxy/
	
	# log using a syslog socket
	log /dev/log local0 info
	log /dev/log local0 notice
	tune.ssl.default-dh-param 2048
	ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK


defaults
	log global

	# https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20abortonclose
	# https://github.com/appscode/voyager/pull/403
	option dontlognull
	option http-server-close

	# Timeout values
	timeout client 50s
	timeout client-fin 50s
	timeout connect 50s
	timeout server 50s
	timeout tunnel 50s

	# Configure error files

	# default traffic mode is http
	# mode is overwritten in case of tcp services
	mode http


frontend tcp-6697
	bind *:6697  ssl no-sslv3 no-tlsv10 no-tls-tickets crt /etc/ssl/private/haproxy/tls/irc.example.com   
	mode tcp

	# Limit Connections

	default_backend znc.default:6667-ey2jmt

backend znc.default:6667-ey2jmt
	mode tcp
	server pod-znc-1053672074-dfhz8 10.40.0.19:6667

As you can see, the frontend points to /etc/ssl/private/haproxy/tls/irc.example.com, however:

ls -l /etc/ssl/private/haproxy/tls/
total 8
-rwxr-xr-x 1 root root 7057 Oct 16 16:08 irc.example.com.pem

As you can see, the tls generator creates a .pem file, but the config generator doesn't append the .pem.
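The mismatch above (the generated `crt` path lacks the `.pem` suffix the certificate writer used) is the kind of defect that is cheap to catch before the config is handed to HAProxy. The following is an added example, not Voyager's code: a small Python check that parses a generated haproxy.cfg, collects every `crt` path on a `bind` line, and reports paths that do not exist on disk; it also flags a config with no `frontend`/`listen` section at all, which is the second failure mode reported later in this thread. The `root` parameter (so the check can run against a staging copy of the cert directory) and the embedded sample config are assumptions of this example, modelled on the config posted above.

```python
"""Sanity checks for a generated haproxy.cfg (added example, not Voyager code).

Two failure modes from this issue are covered:
  1. a `crt` path on a `bind` line that does not exist on disk
     (here: the `.pem` suffix was dropped by the config generator);
  2. a config that contains no frontend/listen section, so nothing is exposed.
"""
import os
import re
import shlex
import tempfile

# Constructed sample, trimmed from the generated config posted in the issue.
SAMPLE_CFG = """\
global
\tdaemon

defaults
\tmode http

frontend tcp-6697
\tbind *:6697  ssl no-sslv3 no-tlsv10 no-tls-tickets crt /etc/ssl/private/haproxy/tls/irc.example.com
\tmode tcp
\tdefault_backend znc.default:6667-ey2jmt

backend znc.default:6667-ey2jmt
\tmode tcp
\tserver pod-znc-1053672074-dfhz8 10.40.0.19:6667
"""

SECTION_RE = re.compile(r"^(global|defaults|frontend|backend|listen)\b")


def _tokens(line):
    """Split a config line into words, dropping `#` comments.

    shlex raises on unbalanced quotes; fall back to a plain split so one odd
    line does not abort the whole check.
    """
    try:
        return shlex.split(line, comments=True)
    except ValueError:
        return line.split()


def sections(cfg_text):
    """Return (kind, name) for every top-level section, in file order."""
    out = []
    for line in cfg_text.splitlines():
        if not line or line[0] in " \t#":
            continue  # indented lines are directives, not section headers
        if SECTION_RE.match(line):
            parts = line.split()
            out.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return out


def crt_paths(cfg_text):
    """Collect every path passed to `crt` on a `bind` line."""
    paths = []
    for line in cfg_text.splitlines():
        words = _tokens(line)
        if len(words) < 2 or words[0] != "bind":
            continue
        for i, word in enumerate(words):
            if word == "crt" and i + 1 < len(words):
                paths.append(words[i + 1])
    return paths


def missing_certs(cfg_text, root="/"):
    """Return crt paths that do not exist under `root`.

    HAProxy accepts a directory for `crt` as well as a file, so any existing
    path counts as present; `root` is an assumption of this example.
    """
    missing = []
    for path in crt_paths(cfg_text):
        if not os.path.exists(os.path.join(root, path.lstrip("/"))):
            missing.append(path)
    return missing


def check(cfg_text, root="/"):
    """Return a list of problems; an empty list means the config passes."""
    problems = []
    kinds = {kind for kind, _ in sections(cfg_text)}
    if not kinds & {"frontend", "listen"}:
        problems.append("no frontend or listen section: nothing would be exposed")
    for path in missing_certs(cfg_text, root):
        problems.append("crt path does not exist: %s" % path)
    return problems


def demo(fixed=False):
    """Recreate the on-disk layout from the issue in a temp dir and run the check.

    With fixed=True the crt path carries the `.pem` suffix, as the cert writer
    produced it, and the check passes.
    """
    cfg = SAMPLE_CFG
    if fixed:
        cfg = cfg.replace("tls/irc.example.com\n", "tls/irc.example.com.pem\n")
    with tempfile.TemporaryDirectory() as root:
        certdir = os.path.join(root, "etc/ssl/private/haproxy/tls")
        os.makedirs(certdir)
        with open(os.path.join(certdir, "irc.example.com.pem"), "w") as fh:
            fh.write("-----BEGIN CERTIFICATE-----\nconstructed placeholder\n-----END CERTIFICATE-----\n")
        return check(cfg, root)


if __name__ == "__main__":
    print("as generated:", demo())        # reports the missing .pem path
    print("with .pem:   ", demo(fixed=True))  # []
```

In production the same guard is `haproxy -c -f haproxy.cfg`, which parses the config and fails when a `crt` file cannot be loaded; running it before every reload keeps a bad generated config from replacing a working one. The script above is useful where the config is generated on one host and shipped to another, since it can be pointed at a staging copy of the certificate tree.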

@tamalsaha (Member) commented Oct 16, 2017

Thanks for the bug report. Can you update the operator image to appscode/voyager:4.0.0-rc.14 ? This should fix it.

@thekad (Author) commented Oct 16, 2017

Thanks @tamalsaha, I upgraded to Version = 4.0.0-rc.14 but now haproxy.cfg lacks any frontend entries, only global configuration exists:

# HAProxy configuration generated by https://github.com/appscode/voyager
# DO NOT EDIT!

global
	daemon
	stats socket /tmp/haproxy
	server-state-file global
	server-state-base /var/state/haproxy/
	
	# log using a syslog socket
	log /dev/log local0 info
	log /dev/log local0 notice
	tune.ssl.default-dh-param 2048
	ssl-default-bind-ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK


defaults
	log global

	# https://cbonte.github.io/haproxy-dconv/1.7/configuration.html#4.2-option%20abortonclose
	# https://github.com/appscode/voyager/pull/403
	option dontlognull
	option http-server-close

	# Timeout values
	timeout client 50s
	timeout client-fin 50s
	timeout connect 50s
	timeout server 50s
	timeout tunnel 50s

	# Configure error files

	# default traffic mode is http
	# mode is overwritten in case of tcp services
	mode http

@thekad (Author) commented Oct 16, 2017

This is a single TCP proxy test, by the way; no http rules are defined in this case.

@tamalsaha (Member) commented Oct 16, 2017

@thekad, can you please try again with the appscode/voyager:4.0.0-rc.15 image? It seems that I missed updating the template correctly last time.

@thekad (Author) commented Oct 16, 2017

Yep, can confirm that fixes it 👍 TCP TLS termination is 💯

@thekad thekad closed this Oct 16, 2017
