Hi.

------ Original Message ------
From: "Marc Boorshtein" <mboorshtein gmail com>
To: "Joel Pearson" <japearson agiledigital com au>
Cc: "users" <users lists openshift redhat com>
Sent: 20.01.2018 00:55:28
Subject: Re: Passthrough TLS route not working

Hm, then you lose the ability to do cookie-based load balancing

The OpenShift router does this by default. You can switch it off with the following annotation. You can also set a cookie name with an annotation per route:
https://docs.openshift.org/latest/architecture/networking/routes.html#route-specific-annotations

oc annotate route <your_route> "haproxy.router.openshift.io/disable_cookies=true"
oc annotate route <your_route> "haproxy.router.openshift.io/cookie_name=MyFunnyCookie"

When you use the proxy protocol in AWS you are able to get the real client IP from the client.
https://docs.aws.amazon.com/elasticloadbalancing/latest/network/load-balancer-target-groups.html#proxy-protocol

oc set env dc/router ROUTER_USE_PROXY_PROTOCOL=true

Be aware that when you set this up, every request to the router must be a proxy protocol request.

On Fri, Jan 19, 2018, 5:11 PM Joel Pearson <japearson agiledigital com au> wrote:

In the reference implementation they use Classic ELB load balancers in TCP mode. See this CloudFormation template:
https://github.com/openshift/openshift-ansible-contrib/blob/master/reference-architecture/aws-ansible/playbooks/roles/cloudformation-infra/files/greenfield.json.j2#L763

On Sat, Jan 20, 2018 at 8:55 AM Joel Pearson <japearson agiledigital com au> wrote:

What mode are you running the AWS load balancers in? You probably want to run them as TCP load balancers and not HTTP. That way, as you say, the SNI will not get messed with.

On Sat, 20 Jan 2018 at 4:45 am, Marc Boorshtein <mboorshtein gmail com> wrote:

So if I bypass the AWS load balancer, everything works great. Why doesn't HAProxy like the incoming requests? I'm trying to debug the issue by enabling logging with

oc set env dc/router ROUTER_SYSLOG_ADDRESS=127.0.0.1 ROUTER_LOG_LEVEL=debug

But the logging doesn't seem to get there (I also tried a remote server as well). I'm guessing this is probably an SNI configuration issue?

On Fri, Jan 19, 2018 at 11:59 AM Marc Boorshtein <mboorshtein gmail com> wrote:

I'm running Origin 3.7 on AWS. I have an AWS load balancer in front of my infrastructure node. I have a pod listening on TLS on port 9090. The service links to the pod and then I have a route that is set up with passthrough TLS to the pod, but every time I try to access it I get the "Application is not available" screen even though looking in the console the service references both the router and the pod. I have deployments that do the same thing but will only work with re-encrypt. Am I missing something? Is there an issue using the AWS load balancer with passthrough?

Thanks

_______________________________________________
users mailing list
users lists openshift redhat com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users
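As an added example (not code from anyone in this thread, and not OpenShift's own router code), the following Python script shows what the router has to see on a passthrough route and why the load balancer mode and the proxy protocol setting matter. On a passthrough route HAProxy never decrypts the connection, so the only thing it can route on is the server_name (SNI) extension in the TLS ClientHello; a TCP-mode ELB forwards that record untouched, an HTTP-mode ELB terminates TLS and forwards plaintext HTTP with no SNI in it, and once ROUTER_USE_PROXY_PROTOCOL=true is set the router additionally expects a PROXY protocol v1 line before the ClientHello. All hostnames, addresses and ports below are constructed for the example; the ClientHello builder and parser handle only the minimal layout they produce themselves.

```python
import struct

# --- constructed inputs -----------------------------------------------------

def build_proxy_v1(src_ip, dst_ip, src_port, dst_port):
    """PROXY protocol v1 header as a TCP-mode ELB sends it when the option is enabled."""
    return f"PROXY TCP4 {src_ip} {dst_ip} {src_port} {dst_port}\r\n".encode()

def build_client_hello(server_name):
    """Minimal TLS ClientHello record carrying one server_name (SNI) extension."""
    name = server_name.encode()
    entry = b"\x00" + struct.pack("!H", len(name)) + name          # host_name type + length + name
    sni_list = struct.pack("!H", len(entry)) + entry                 # ServerNameList length
    ext = struct.pack("!HH", 0, len(sni_list)) + sni_list            # extension type 0 = server_name
    extensions = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                     # version, random, empty session id
            + b"\x00\x02\x13\x01"                                    # one cipher suite (TLS_AES_128_GCM_SHA256)
            + b"\x01\x00"                                            # compression: null only
            + extensions)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body    # ClientHello, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

# --- what a passthrough front end does with the first bytes -----------------

def parse_proxy_v1(data):
    """Return ((client_ip, client_port), remaining_bytes); raise if the PROXY line is missing."""
    if not data.startswith(b"PROXY "):
        raise ValueError("expected PROXY protocol header, got %r" % data[:6])
    line, _, rest = data.partition(b"\r\n")
    fields = line.decode().split(" ")            # PROXY TCP4 src dst sport dport
    return (fields[2], int(fields[4])), rest

def parse_sni(data):
    """Extract server_name from a TLS ClientHello record; None if this is not one or it has no SNI."""
    if len(data) < 5 or data[0] != 0x16:         # 0x16 = handshake record; plaintext HTTP fails here
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if not hs or hs[0] != 0x01:                  # 0x01 = ClientHello
        return None
    pos = 4 + 2 + 32                             # handshake header, version, random
    pos += 1 + hs[pos]                           # session id
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]   # cipher suites
    pos += 1 + hs[pos]                           # compression methods
    if pos + 2 > len(hs):
        return None                              # no extensions block at all
    end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
        pos += 4
        if etype == 0:                           # server_name: list length(2), type(1), name length(2), name
            name_len = struct.unpack("!H", hs[pos + 3:pos + 5])[0]
            return hs[pos + 5:pos + 5 + name_len].decode()
        pos += elen
    return None

def router_frontend(data, expect_proxy_protocol):
    """Mimic the routing decision: which client, which SNI host, or why the connection is dropped."""
    client = None
    if expect_proxy_protocol:
        try:
            client, data = parse_proxy_v1(data)
        except ValueError as exc:
            return {"error": str(exc)}
    sni = parse_sni(data)
    if sni is None:
        return {"error": "no SNI: cannot choose a passthrough backend"}
    return {"client": client, "sni": sni}

if __name__ == "__main__":
    hello = build_client_hello("app.example.com")              # constructed route host
    print("TCP-mode ELB, no proxy protocol:", router_frontend(hello, False))
    print("TCP-mode ELB with proxy protocol:",
          router_frontend(build_proxy_v1("198.51.100.7", "10.0.0.5", 51234, 443) + hello, True))
    print("proxy protocol expected but not sent:", router_frontend(hello, True))
    print("HTTP-mode ELB (TLS terminated, plaintext forwarded):",
          router_frontend(b"GET / HTTP/1.1\r\nHost: app.example.com\r\n\r\n", False))
```

The last two cases are the two failure modes discussed in the thread: with the proxy protocol enabled on the router, a connection that arrives without the PROXY line is rejected before any TLS parsing happens, and a load balancer running in HTTP mode hands the router a decrypted request in which there is no SNI to select the passthrough backend, which is exactly the situation in which the router serves its "Application is not available" page.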