HTTPS between AWS ELB and Kong

I currently have kong-0.10.1 deployed in a Kubernetes container behind an AWS ELB. The ELB is configured as follows:


You’ll notice the protocol setup is client --https--> ELB; then ELB --https--> Kong.

With this setup, I am able to successfully curl the DNS name of the ELB, and get a response back from Kong.

However, if I leave the ELB configured as shown above and upgrade Kong to 0.10.2 (or really any version after 0.10.1 – I tried all the way up to 0.15), the request seems to hang in the ELB, and I never see any logs written to stdout (or /usr/local/kong/logs).

Here’s what my k8s resource definitions look like:

---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kong
  labels:
    app: kong
spec:
  replicas: 1
  selector:
    matchLabels:
      app: kong
  template:
    metadata:
      labels:
        app: kong
    spec:
      containers:
      - name: kong
        image: kong:0.14.1
        ports:
        - containerPort: 8000
        - containerPort: 8443
        - containerPort: 8001
        - containerPort: 8444
        - containerPort: 7946
        env:
        - name: KONG_DATABASE
          value: "postgres"
        - name: KONG_PG_HOST
          value: "postgres"
        - name: KONG_PG_DATABASE
          value: "kong"
        - name: KONG_PG_USER
          value: "kong"
        - name: KONG_PG_PASSWORD
          value: "kong"   # plaintext for the example; a Secret reference belongs here in practice
        - name: KONG_PROXY_ACCESS_LOG
          value: "/dev/stdout"
        - name: KONG_PROXY_ERROR_LOG
          value: "/dev/stderr"
        # Admin API logs: Kong reads KONG_ADMIN_ACCESS_LOG / KONG_ADMIN_ERROR_LOG
        # (the original manifest listed KONG_PROXY_ADMIN_LOG twice, which Kong ignores)
        - name: KONG_ADMIN_ACCESS_LOG
          value: "/dev/stdout"
        - name: KONG_ADMIN_ERROR_LOG
          value: "/dev/stderr"

---
kind: Service
apiVersion: v1
metadata:
  name: kong
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
    # Makes the ELB prepend a PROXY protocol header to every backend connection,
    # ahead of the TLS ClientHello; Kong's 8443 listener must be configured to expect it
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: {{ redacted }}
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
spec:
  type: LoadBalancer
  selector:
    app: kong
  ports:
  - name: ssl
    protocol: TCP
    port: 443
    targetPort: 8443
  externalTrafficPolicy: Cluster
  loadBalancerSourceRanges:
  - {{ redacted }}

I’ve also tried having the ELB have two endpoints: TLS and non-TLS. Both endpoints work with 0.10.1; only the non-TLS endpoint works with 0.10.2.

I didn’t notice anything in the Kong CHANGELOG (specifically between 0.10.1 and 0.10.2, although I did look all the way up to 0.15) that jumped out at me as something that would affect this behavior.

Thanks in advance for your help!

So I was able to get TLS between the ELB and Kong to work by setting KONG_SSL_CIPHER_SUITE to intermediate (modern is the default). According to the Kong CHANGELOG this was updated in 0.10.3, so I can’t quite piece together why 0.10.2 doesn’t work, but hopefully folks aren’t stuck on the 0.10.x versions any more anyway.

In either case, I can confirm this setting works for 0.14.1. And for posterity’s sake, here’s the Kong documentation on the ssl_cipher_suite setting, and here are the Mozilla docs detailing the difference between modern and intermediate.

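The answer above boils down to a cipher-suite mismatch: Kong's modern profile only lets the 8443 listener accept a narrow set of ECDHE suites, and a client that offers none of them gets no shared cipher and the handshake never completes. The following script, an added example that is not part of the original post or of Kong's own code, makes that concrete offline. It uses Python's ssl module to let the local OpenSSL build expand a server cipher string and a client's offered string, then applies server-preferred selection the way nginx does with ssl_prefer_server_ciphers on. The two policy strings are abbreviated approximations of the Mozilla modern and intermediate lists that Kong's ssl_cipher_suite setting chooses between (assumption: they are not copied from Kong's source), and both client offers are constructed for the example rather than captured from an ELB.

```python
import ssl

# Abbreviated approximations of the Mozilla "modern" and "intermediate"
# OpenSSL cipher strings (assumption: not Kong's exact strings). Order
# matters because the server, not the client, picks the suite.
MODERN = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:"
    "ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256"
)
INTERMEDIATE = MODERN + (
    ":DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:"
    "ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:"
    "DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:"
    "AES128-GCM-SHA256:AES256-GCM-SHA384:"
    "AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA"
)

# Constructed client offers (assumptions, not captured from a real ELB):
# one client that only speaks RSA-key-exchange CBC suites, and one that
# offers modern ECDHE-GCM suites but lists AES-128 before AES-256.
LEGACY_CLIENT = "AES128-SHA:AES256-SHA:AES128-SHA256"
MODERN_CLIENT = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384"


def expand(cipher_string):
    """Expand an OpenSSL cipher string into the ordered list of suite names
    the local OpenSSL build actually enables for it (TLS 1.2 and earlier)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    # OpenSSL >= 1.1.1 always lists its TLS 1.3 suites here; they are
    # negotiated separately and are not governed by ssl_cipher_suite.
    return [c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3"]


def negotiate(server_policy, client_offer):
    """Server-preferred selection (nginx ssl_prefer_server_ciphers on):
    the first suite in the server's order that the client also offered,
    or None, meaning the handshake fails with 'no shared cipher'."""
    offered = set(expand(client_offer))
    for name in expand(server_policy):
        if name in offered:
            return name
    return None


def report(server_policy, client_offer):
    """One-line summary of what the handshake would do."""
    chosen = negotiate(server_policy, client_offer)
    if chosen is None:
        return "handshake fails: no shared cipher"
    return "negotiated " + chosen


if __name__ == "__main__":
    for label, policy in (("modern", MODERN), ("intermediate", INTERMEDIATE)):
        for who, offer in (("legacy client", LEGACY_CLIENT), ("modern client", MODERN_CLIENT)):
            print(f"{label:12s} x {who:13s}: {report(policy, offer)}")
```

Against a live listener the same check is `openssl s_client -connect <kong-pod>:8443 -cipher '<suite>'` from inside the cluster, once per suite you expect the ELB to offer; a "no shared cipher" alert is the same failure the script reports. Note that switching to intermediate widens what the 8443 listener accepts (older protocol versions and CBC suites), and that listener is reachable from any pod, not only from the ELB.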