HTTPS & marathon-lb #113

Closed
vsinha opened this issue Mar 14, 2016 · 3 comments

vsinha commented Mar 14, 2016

Hi All,

We have a service that we'd like to expose over https, we have an external marathon-lb set up (using DCOS), and we have an app which speaks https running inside the cluster (which needs to be exposed).

The service ports are mapped as follows:

  • 80 --> 10080
  • 443 --> 10443

We can see our service (called apiv01) on http:

$ curl http://marathon-lb.marathon.mesos:9091 -H "X-Marathon-App-Id: /apiv01"
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.9.3</center>
</body>
</html>

Trying the same with https fails:

$ curl https://marathon-lb.marathon.mesos:9091 -H "X-Marathon-App-Id: /apiv01" -k
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Trying to resolve the service port directly:

$ curl http://marathon-lb.marathon.mesos:10443 -v
* Rebuilt URL to: http://marathon-lb.marathon.mesos:10443/
*   Trying 10.0.0.5...
* Connected to marathon-lb.marathon.mesos (10.0.0.5) port 10443 (#0)
> GET / HTTP/1.1
> Host: marathon-lb.marathon.mesos:10443
> User-Agent: curl/7.46.0
> Accept: */*
> 
< HTTP/1.1 302 Found
< Cache-Control: no-cache
< Content-length: 0
< Location: https://marathon-lb.marathon.mesos:10443/
< Connection: close
< 
* Closing connection 0

we get an 'unknown protocol' error:

$ curl https://marathon-lb.marathon.mesos:10443 -v
* Rebuilt URL to: https://marathon-lb.marathon.mesos:10443/
*   Trying 10.0.0.5...
* Connected to marathon-lb.marathon.mesos (10.0.0.5) port 10443 (#0)
* ALPN, offering http/1.1
* Cipher selection: ALL:!EXPORT:!EXPORT40:!EXPORT56:!aNULL:!LOW:!RC4:@STRENGTH
* successfully set certificate verify locations:
*   CAfile: /opt/mesosphere/active/python-requests/lib/python3.4/site-packages/requests/cacert.pem
  CApath: none
* TLSv1.2 (OUT), TLS header, Certificate Status (22):
* TLSv1.2 (OUT), TLS handshake, Client hello (1):
* error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol
* Closing connection 0
curl: (35) error:140770FC:SSL routines:SSL23_GET_SERVER_HELLO:unknown protocol

Additionally:

$ curl https://marathon-lb.marathon.mesos:443 -H "X-Marathon-App-Id: /apiv01" -k
<html><body><h1>503 Service Unavailable</h1>
No server is available to handle this request.
</body></html>

Finally, hitting the service directly works perfectly:

$ curl https://10.0.0.9:19920 -k
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>
@brndnmtthws (Contributor)

We connected offline to resolve this. It was a configuration issue.

@vanomashey

Hi Brenden,
We have the same issue. Could you briefly note where the error in the configuration is?
Regards,
Ivan

@brndnmtthws (Contributor)

Are you also trying to terminate TLS at the app (rather than the LB)? Here's some documentation on how to do this: https://github.com/brndnmtthws/mlb-nginx-http2

mesosphere locked and limited conversation to collaborators Jul 14, 2016