apisix
help request: Unable to connect ApiSix DataPlane with ALB with HTTPS
Description
Hi Team,
I have been working to configure ApiSix as a gateway for my applications. I want the end-to-end communication to be HTTPS, so I set up the ALB (via alb-loadbalancer-controller) with an HTTPS target and added the ApiSix dataplane service on port 443 (on the backend it connects to 9443). When I try to connect to the service, it throws the following error:
On the POD side:
2024/08/23 07:22:24 [error] 7#7: 7992 [lua] init.lua:191: http_ssl_client_hello_phase(): failed to find SNI: please check if the client requests via IP or uses an outdated protocol. If you need to report an issue, provide a packet capture file of the TLS handshake., context: ssl_client_hello_by_lua, client: 171.6.0.49, server: 0.0.0.0:9443
On the browser end:
502 Bad Gateway
I have added the necessary SSL certificate, but it was still showing "failed to find SNI".
Environment
- APISIX version (run apisix version):
- Operating system (run uname -a):
- OpenResty / Nginx version (run openresty -V or nginx -V):
- etcd version, if relevant (run curl http://127.0.0.1:9090/v1/server_info):
- APISIX Dashboard version, if relevant:
- Plugin runner version, for issues related to plugin runners:
- LuaRocks version, for installation issues (run luarocks --version):
What might be worth a try is setting fallback_sni in your dataplane's configuration (Ref.):
Fallback SNI to be used if the client does not send SNI during the handshake.
apisix:
  ssl:
    fallback_sni: "YOUR_SAN_DOMAIN_NAME"
Awesome, it works well. Is it possible to use multiple domains here?
I doubt that, it does not seem to be an array.
Thanks Zeritti. I have been seeking support for a couple of weeks.
How can I raise a request to enable this feature?
fallback_sni itself is a “fallback” mechanism, used to deal with a client that does not provide SNI. As a fallback solution, it should be clear and unique; support for multiple domain names will violate this simple and clear fallback logic.
If there is still a problem, please open it again.