istio: Ingress gateway use case of HTTPS to HTTPS doesn't work.
Installed by Service Mesh operator 1.1.7.
Two namespaces are used: the first is my nginx namespace, ns1; the second is istio-system. Purpose: an HTTPS request from the web page is passed by the gateway to nginx HTTPS port 443.
- Webpage 443 to nginx HTTP port 80: as nginx's HTTP is redirected to the HTTPS port, the web page got so many redirect errors, but it seems to work.
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: cpd-nginx-gateway
spec:
  selector:
    istio: ingressgateway # use istio default controller
  servers:
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - "*"
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "*"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx-svc
spec:
  hosts:
  - "*"
  gateways:
  - cpd-nginx-gateway
  tcp:
  - match:
    - uri:
        exact: /*
    route:
    - destination:
        host: nginx-svc.ns1.svc.cluster.local
        port:
          number: 80
```
- using tls in VirtualService returns 404
```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: cpd-nginx-gateway
spec:
  selector:
    istio: ingressgateway
  servers:
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - "a.example.com"
    tls:
      mode: SIMPLE
      serverCertificate: /etc/istio/ingressgateway-certs/tls.crt
      privateKey: /etc/istio/ingressgateway-certs/tls.key
---
apiVersion: networking.istio.io/v1alpha3
kind: VirtualService
metadata:
  name: nginx-svc
spec:
  hosts:
  - "a.example.com"
  gateways:
  - cpd-nginx-gateway
  tls:
  - name: "https-nginx-route"
    match:
    - uri:
        exact: /*
      sni_hosts:
      - "a.example.com"
    route:
    - destination:
        host: nginx-svc.ns1.svc.cluster.local
        port:
          number: 443
```
Logs from the ingress gateway:
[2020-09-10T05:47:47.316Z] "GET /zen HTTP/2" 404 - "-" "-" 0 0 0 - "10.254.4.1" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36" "ea9f7fa1-6aaf-9694-af5a-fd9c19cdbbac" "a.example.com" "-" - - 10.254.8.76:8443 10.254.4.1:46464 a.example.com default
{"duration":"0","route_name":"default","upstream_transport_failure_reason":"-","downstream_local_address":"10.254.8.76:8443","user_agent":"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.135 Safari/537.36","response_code":"404","response_flags":"-","start_time":"2020-09-10T05:47:47.316Z","request_id":"ea9f7fa1-6aaf-9694-af5a-fd9c19cdbbac","method":"GET","upstream_host":"-","x_forwarded_for":"10.254.4.1","requested_server_name":"a.example.com","bytes_received":"0","istio_policy_status":"-","bytes_sent":"0","upstream_cluster":"-","downstream_remote_address":"10.254.4.1:46464","path":"/zen","authority":"a.example.com","protocol":"HTTP/2","upstream_service_time":"-","upstream_local_address":"-"}
About this issue
- State: closed
- Created 4 years ago
- Comments: 18 (3 by maintainers)
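The 404 case in the second configuration can be checked mechanically. The following is an added example, not code from the issue or from the Istio project: a small lint over a Gateway/VirtualService pair that flags an HTTPS server terminating TLS (`tls.mode: SIMPLE`) while the VirtualService carries only a `tls` route with a `uri` match. The function and constant names are hypothetical, and the configuration is embedded as already-parsed YAML.

```python
# Added example. Names are hypothetical; field names follow Istio's
# Gateway and VirtualService APIs. Only HTTPS-protocol servers are considered.
HTTP_ONLY_MATCH_KEYS = {"uri", "scheme", "method", "authority", "headers", "queryParams"}
TERMINATING = {"SIMPLE", "MUTUAL"}

def lint(gateway, vs):
    """Return findings for one Gateway / VirtualService pair (parsed YAML dicts)."""
    findings = []
    spec = vs["spec"]
    # 1. tcp/tls routes are selected below HTTP, so request attributes
    #    such as the URI are not valid match fields there.
    for kind in ("tcp", "tls"):
        for route in spec.get(kind, []):
            for match in route.get("match", []):
                for key in sorted(HTTP_ONLY_MATCH_KEYS & match.keys()):
                    findings.append(f"{kind} route matches on HTTP-only field '{key}'")
    # 2. Compare how the HTTPS servers handle TLS with the route kinds present.
    modes = {s["tls"]["mode"] for s in gateway["spec"]["servers"]
             if s["port"]["protocol"] == "HTTPS" and "tls" in s}
    if modes & TERMINATING and "http" not in spec:
        findings.append("gateway terminates TLS but VirtualService has no http routes")
    if "tls" in spec and modes and modes <= TERMINATING:
        findings.append("tls routes need a PASSTHROUGH server; gateway only terminates")
    return findings

# Second configuration from the issue, transcribed as parsed YAML.
GATEWAY = {"spec": {"servers": [{
    "port": {"number": 443, "name": "https", "protocol": "HTTPS"},
    "hosts": ["a.example.com"],
    "tls": {"mode": "SIMPLE"}}]}}
VIRTUAL_SERVICE = {"spec": {
    "hosts": ["a.example.com"], "gateways": ["cpd-nginx-gateway"],
    "tls": [{"match": [{"uri": {"exact": "/*"}, "sni_hosts": ["a.example.com"]}],
             "route": [{"destination": {"host": "nginx-svc.ns1.svc.cluster.local",
                                        "port": {"number": 443}}}]}]}}

if __name__ == "__main__":
    for finding in lint(GATEWAY, VIRTUAL_SERVICE):
        print("FINDING:", finding)
```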
@bjwyun
After adding x-forward port, it’s working fine. Thanks
I found some relevant issues that may help: https://github.com/istio/istio/issues/19609 https://github.com/istio/istio/issues/8029