kubernetes-ingress
Support for raw tcp mode services
This may overlap with #12. Would be great to have support for raw TCP services.
Cherry on the cake, raw TCP services should be able to route traffic using SNI without deciphering the traffic (seems a common use case in k8s too).
This is possible to do with haproxy, but my config for it is a bit hacky:
frontend tcp-public
    bind *:443
    mode tcp
    option tcplog
    # Wait up to 5s for the TLS ClientHello before evaluating content rules
    tcp-request inspect-delay 5s
    tcp-request content accept if { req_ssl_hello_type 1 }
    # Route on the cleartext SNI; TLS is not terminated on this path
    use_backend rawtcpservice if { req.ssl_sni -i rawtcp.example.com }
    # Everything else is bounced to the TLS-terminating frontend below
    default_backend https-public-bounce

frontend https-public
    bind [email protected] name https-public uid 80 accept-proxy ssl crt /ssl-external/keys/letsencrypt/priv-fullchain-bundle.pem alpn h2,http/1.1
    option httplog
    option forwardfor
    use_backend myservice if { hdr(host) -i https-terminated.example.com }
    default_backend tarpit

backend https-public-bounce
    mode tcp
    server localhost [email protected] send-proxy-v2-ssl-cn

backend rawtcpservice
    server MyRawServiceServer 192.168.1.2

backend myservice
    server MyServiceServer 192.168.1.1
I hope this is possible in this ingress controller at some point in the future.
@LukeChannings
It seems that ssl-passthrough is what you are looking for.
If you put that annotation in an ingress object, all rules (precisely, the host field) in that ingress will be used with req.ssl_sni
to match incoming traffic on 443 and directly forward it (without offloading) to the appropriate services.
@bedis If you are talking about tcp services exposed via 443, you can use the ssl-passthrough annotation. If you are talking about tcp services on different ports, you can use --configmap-tcp-services.
@Mo3m3n I love you.
@LukeChannings
Some fixes to the tcp-request rules were added to master after the latest release.
So in case you run into one of these bugs, you can try haproxytech/kubernetes-ingress:dev,
which is a build of what is currently in master.
We are aiming for a release this week, though.