
Pass SNI to origin + Istio ingress gateway

Open BojanZelic opened this issue 2 years ago • 5 comments

I'm trying to configure the cloudflared tunnel to work with Istio. Istio Ingress Gateway uses SNI to match the request on where it routes traffic to. I can't seem to figure out a way that I could pass SNI information from cloudflared tunnel -> the origin automatically.

I can see that Host headers come through without issue. Is there a way to automatically get the SNI information from the original user request and pass it through?

I can manually hardcode it for every entry as a workaround for now.

What I'm trying to achieve:

```yaml
credentials-file: "/var/run/cloudflared/<id>.json"
ingress:
- hostname: "*.mydomain.io"
  service: https://istio-ingressgateway.istio-system.svc.cluster.local
- service: http_status:404
tunnel: <id>
```

But this doesn't work and it's essentially the equivalent of this:

```sh
curl -v -HHost:host1.mydomain.io https://istio-ingressgateway.istio-system.svc.cluster.local
```

My current workaround:

```yaml
credentials-file: "/var/run/cloudflared/<id>.json"
ingress:
- hostname: "host1.mydomain.io"
  originRequest:
    originServerName: host1.mydomain.io
  service: https://istio-ingressgateway.istio-system.svc.cluster.local
- hostname: "host2.mydomain.io"
  originRequest:
    originServerName: host2.mydomain.io
  service: https://istio-ingressgateway.istio-system.svc.cluster.local
- service: http_status:404
tunnel: <id>
```

Now this works and is the equivalent of:

```sh
ISTIO_IP=$(dig +short istio-ingressgateway.istio-system.svc.cluster.local)
curl -v -HHost:host1.mydomain.io --resolve "host1.mydomain.io:443:$ISTIO_IP" https://host1.mydomain.io -k
```

But I have to manually set every entry. Is there a way to configure cloudflared to pass SNI to the backend?

BojanZelic avatar Jan 03 '22 17:01 BojanZelic

This is not just limited to istio. Essentially any HTTPS host requires explicit configuration so the correct SNI can be passed to the backend. If the SNI from the client can be passed on (unless overwritten via the originServerName option) then we can use a wildcard host config instead of explicit configuration.

patrickli avatar Apr 16 '22 08:04 patrickli

I am experiencing the same issue with Traefik as ingress, where Traefik will respond with the correct certificate per SNI with a default fallback to the self-signed TRAEFIK DEFAULT CERT. Setting noTLSVerify would fix the host selection issue, but with wildcard records things get a lot messier.

linuxgemini avatar Feb 08 '23 10:02 linuxgemini

@sudarshan-reddy Any update on this?

buroa avatar Nov 10 '23 17:11 buroa

@sudarshan-reddy Any update on this?

Sorry to bump. But why did you close your PR? What happened?

Hazmi35 avatar Jan 15 '24 00:01 Hazmi35

@Hazmi35 Sorry, but that other implementation was not working. I went and dove into it again and got it working.

buroa avatar Jan 18 '24 20:01 buroa

This has been released in version 2024.4.0

jcsf avatar Apr 10 '24 13:04 jcsf

That's great news! AFAICT the dashboard at Cloudflare One is not updated yet to reflect the option; but you can update via the API endpoint for tunnel configurations (/accounts/:account_id/cfd_tunnel/:tunnel_id/configurations) to add "matchSNItoHost": true on originRequest for config.ingress[] and get it working.

linuxgemini avatar Apr 10 '24 20:04 linuxgemini

Has anyone experienced any issues with this? Cannot tell if keep-alives are causing some issues; I get a lot of flip-flopping between 200 status and 404 because my downstream envoy keeps getting different requested_server_name values that do not match the :authority.

owenhaynes avatar Apr 17 '24 07:04 owenhaynes
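The problem in the original post and in the last comment is the same one: the SNI the origin sees in the TLS ClientHello is not the name in the Host header (or :authority), so an SNI-routing gateway like Istio or Envoy picks the wrong virtual host. The quickest way to confirm what an origin actually receives is to capture the ClientHello on the origin side and read its server_name extension. The following Python script is an added example, not code from cloudflared or from anyone in this thread: it generates a ClientHello locally with the standard library as a stand-in for a captured record, parses the SNI out of it, and compares it with the expected Host. The hostnames are the ones used in the thread; the `build_client_hello` helper is a constructed substitute for a real capture.

```python
import ssl
import struct


def build_client_hello(server_name: str) -> bytes:
    """Emit a real ClientHello without any network traffic.

    A stdlib TLS client is driven against an in-memory BIO pair; the bytes it
    writes are exactly what an origin would see on the wire. This is a
    constructed stand-in for a record captured on the origin (e.g. a pcap).
    """
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_name)
    try:
        tls.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: the hello is written, the client now waits for a reply
    return outgoing.read()


def parse_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if not hs or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                  # legacy_version + random
    pos += 1 + body[pos]                          # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2 + cs_len                             # cipher_suites
    pos += 1 + body[pos]                          # legacy_compression_methods
    if pos + 2 > len(body):
        return None                               # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len

    while pos + 4 <= end:
        ext_type, ext_data_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        data = body[pos:pos + ext_data_len]
        pos += ext_data_len
        if ext_type != 0x0000:                    # 0 = server_name extension
            continue
        list_len = struct.unpack("!H", data[0:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            p += 3
            if name_type == 0:                    # 0 = host_name
                return data[p:p + name_len].decode("ascii")
            p += name_len
    return None


def sni_matches_host(record: bytes, host_header: str) -> bool:
    """True when the SNI in the ClientHello names the same host as the Host header.

    Host may carry a port and differ in case; SNI never carries a port.
    """
    host = host_header.split(":", 1)[0].rstrip(".").lower()
    sni = parse_sni(record)
    return sni is not None and sni.rstrip(".").lower() == host


if __name__ == "__main__":
    # First case: the tunnel dials the cluster-local service name, so that is
    # what ends up in SNI while Host still says host1 (the mismatch in the thread).
    # Second case: originServerName (or matchSNItoHost) makes the two agree.
    cases = [
        ("istio-ingressgateway.istio-system.svc.cluster.local", "host1.mydomain.io"),
        ("host1.mydomain.io", "host1.mydomain.io"),
    ]
    for dialed_name, host in cases:
        hello = build_client_hello(dialed_name)
        print(f"SNI={parse_sni(hello)!r} Host={host!r} "
              f"match={sni_matches_host(hello, host)}")
```

On a live system, feed `parse_sni` the first record of a captured connection from cloudflared to the gateway instead of the constructed hello; a mismatch against the Host header is what produces the 404 fallback described above, and a per-connection check like this also shows whether reused keep-alive connections are carrying a stale SNI.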