
TLS SNI Route not work

Open spencerswagger opened this issue 1 year ago • 7 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Kong version ($ kong version)

Kong 3.6.1.4

Current Behavior

Both commands connect successfully, but both of them are connected to redis:

openssl s_client -connect redis.mydomain.com:7443
openssl s_client -connect pg.mydomain.com:7443

It seems to be random or related to the order of creation time.

Expected Behavior

Expose single port (7443), route by SNI. Use openssl s_client -connect redis.mydomain.com:7443 to connect redis. Use openssl s_client -connect pg.mydomain.com:7443 to connect postgresql.

Steps To Reproduce

Setup a kong by docker.

docker run -d --name kong-gateway \
--network=kong-net \
-e "KONG_DATABASE=postgres" \
-e "KONG_PG_HOST=kong-database" \
-e "KONG_PG_USER=kong" \
-e "KONG_PG_PASSWORD=kongpass" \
-e "KONG_PROXY_ACCESS_LOG=/dev/stdout" \
-e "KONG_ADMIN_ACCESS_LOG=/dev/stdout" \
-e "KONG_PROXY_ERROR_LOG=/dev/stderr" \
-e "KONG_ADMIN_ERROR_LOG=/dev/stderr" \
-e "KONG_ADMIN_LISTEN=0.0.0.0:8001" \
-e KONG_STREAM_LISTEN="0.0.0.0:7000, 0.0.0.0:7443 ssl" \
-p 8000:8000 -p 8443:8443 -p 8001:8001 \
-p 8444:8444 -p 8002:8002 -p 8445:8445 \
-p 8003:8003 -p 8004:8004 -p 7000:7000 -p 7443:7443 \
kong/kong-gateway:3.6.1.4

Create gateway services and routes for redis and postgresql (or any other TCP service) via the Kong Admin UI. Here's the response of GET /services:

[
    {
        "port": 5432,
        "tags": null,
        "ca_certificates": null,
        "protocol": "tcp",
        "tls_verify": null,
        "tls_verify_depth": null,
        "updated_at": 1716191302,
        "id": "047bb416-3bc0-4d7b-b86c-60f5c48f5155",
        "host": "10.188.0.1",
        "client_certificate": null,
        "path": null,
        "enabled": true,
        "read_timeout": 60000,
        "name": "pgsql",
        "retries": 5,
        "connect_timeout": 60000,
        "created_at": 1716188551,
        "write_timeout": 60000
    },
    {
        "port": 6379,
        "tags": null,
        "ca_certificates": null,
        "protocol": "tcp",
        "tls_verify": null,
        "tls_verify_depth": null,
        "updated_at": 1716256571,
        "id": "ade16742-110d-42dc-aaae-6525b74bbf18",
        "host": "10.188.0.1",
        "client_certificate": null,
        "path": null,
        "enabled": true,
        "read_timeout": 60000,
        "name": "redis",
        "retries": 5,
        "connect_timeout": 60000,
        "created_at": 1716187414,
        "write_timeout": 60000
    }
]

GET /routes:

[
    {
        "regex_priority": 0,
        "snis": [
            "pg.mydomain.com"
        ],
        "https_redirect_status_code": 426,
        "hosts": null,
        "name": "pgsql",
        "protocols": [
            "tls"
        ],
        "sources": null,
        "path_handling": "v0",
        "destinations": null,
        "updated_at": 1716257213,
        "id": "581e8bd0-deb6-4c5d-b219-4567d1f23ce4",
        "preserve_host": false,
        "strip_path": false,
        "service": {
            "id": "047bb416-3bc0-4d7b-b86c-60f5c48f5155"
        },
        "tags": [],
        "request_buffering": false,
        "response_buffering": false,
        "paths": null,
        "methods": null,
        "created_at": 1716188598,
        "headers": null
    },
    {
        "regex_priority": 0,
        "snis": [
            "redis.mydomain.com"
        ],
        "https_redirect_status_code": 426,
        "hosts": null,
        "name": "redis",
        "protocols": [
            "tls"
        ],
        "sources": null,
        "path_handling": "v0",
        "destinations": null,
        "updated_at": 1716257227,
        "id": "f0b8f0dc-b5f1-4cbf-b286-7fc7052f3ffc",
        "preserve_host": false,
        "strip_path": false,
        "service": {
            "id": "ade16742-110d-42dc-aaae-6525b74bbf18"
        },
        "tags": [],
        "request_buffering": false,
        "response_buffering": false,
        "paths": null,
        "methods": null,
        "created_at": 1716191989,
        "headers": null
    }
]

Test the services with openssl:

openssl s_client -connect redis.mydomain.com:7443
openssl s_client -connect pg.mydomain.com:7443

Anything else?

No response

spencerswagger, May 21 '24 03:05
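A small verification script for the behaviour described in the report, added here as an example rather than taken from the issue or from Kong itself. It sets the SNI explicitly per connection (rather than relying on the openssl s_client default), sends a protocol probe through the TLS-terminated stream, and classifies which upstream answered, so a misroute like "both SNIs land on redis" shows up as a failed check. Assumptions: both hostnames resolve to the gateway, the gateway presents a self-signed lab certificate (verification is disabled for that reason), and the two upstreams are a Redis and a PostgreSQL server reached in plaintext behind Kong.

```python
import socket
import ssl

# Constructed probes (not from the issue): Redis answers PING with +PONG;
# PostgreSQL answers an SSLRequest packet (length 8, code 80877103) with a
# single byte 'S' or 'N' before anything else.
REDIS_PING = b"PING\r\n"
PG_SSLREQUEST = (8).to_bytes(4, "big") + (80877103).to_bytes(4, "big")


def classify_reply(reply: bytes) -> str:
    """Map the first bytes an upstream sends back to a backend label."""
    if reply.startswith(b"+PONG"):
        return "redis"
    if reply[:1] in (b"S", b"N"):
        return "postgres"
    if reply.startswith(b"-"):
        return "redis"  # RESP error line (e.g. -ERR ...) also identifies Redis
    return "unknown"


def probe_backend(host: str, port: int, sni: str, timeout: float = 3.0) -> str:
    """Open a TLS session with the given SNI, try each probe on a fresh
    connection, and return the label of whichever upstream answered."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # assumption: self-signed lab certificate
    ctx.verify_mode = ssl.CERT_NONE
    for payload in (REDIS_PING, PG_SSLREQUEST):
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=sni) as tls:
                tls.sendall(payload)
                try:
                    reply = tls.recv(64)
                except socket.timeout:
                    reply = b""
        label = classify_reply(reply)
        if label != "unknown":
            return label
    return "unknown"


def check_routes(host: str, port: int, expected: dict) -> dict:
    """expected maps SNI -> backend label; returns SNI -> (observed, matches)."""
    results = {}
    for sni, want in expected.items():
        got = probe_backend(host, port, sni)
        results[sni] = (got, got == want)
    return results


if __name__ == "__main__":
    # Both names resolve to the gateway in the report, so either works as host.
    print(check_routes("redis.mydomain.com", 7443,
                       {"redis.mydomain.com": "redis", "pg.mydomain.com": "postgres"}))
```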

@chronolaw Could you please take a look?

ADD-SP, May 21 '24 07:05

We have created an internal ticket KAG-4550 to track it.

chronolaw, May 21 '24 09:05

Hi @spencerswagger, could you add the kong env KONG_ROUTER_FLAVOR=traditional and give it a try? I want to confirm whether it is an atc-router specific issue.

chronolaw, May 21 '24 10:05

We have identified this issue; it may be fixed in the 3.7 release.

chronolaw, May 21 '24 14:05

Hi @spencerswagger, could you add the kong env KONG_ROUTER_FLAVOR=traditional and give it a try? I want to confirm whether it is an atc-router specific issue.

Thanks! It seems to work, but is there any other consequence of adding the kong env KONG_ROUTER_FLAVOR=traditional? And I'll keep paying attention to the updates of the 3.7 release.

spencerswagger, May 22 '24 01:05

In Kong 3.x we have two routers: one is traditional (pure Lua), the other is atc-router (Rust). KONG_ROUTER_FLAVOR can switch between them, and both of them work well.

See: https://docs.konghq.com/gateway/latest/reference/configuration/#router_flavor

chronolaw, May 22 '24 03:05

@spencerswagger, kong 3.7 is released (https://github.com/Kong/kong/releases/tag/3.7.0). Could you test and verify it again? Thanks.

chronolaw, May 29 '24 01:05