Kong Ingress Controller HTTPS AWS ACM

Hi guys, I have a problem with HTTPS connections when I pass the AWS annotation to use my certificate from the ACM service.
When I try to connect to my NLB using an HTTP request I receive the response from Kong running on my EKS cluster, but when I try an HTTPS request I receive error 400:

400 Bad Request The plain HTTP request was sent to HTTPS port

This is my code, sorry, I can't put it in the post.

This is my code from service kong-proxy:
apiVersion: v1
kind: Service
metadata:
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: [my-certificate]
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: '*'
  name: kong-proxy
  namespace: kong
spec:
  ports:
  - name: proxy
    port: 80
    protocol: TCP
    targetPort: 8000
  - name: proxy-ssl
    port: 443
    protocol: TCP
    targetPort: 8443
  selector:
    app: ingress-kong
  type: LoadBalancer

Can you help me with ideas? Thanks!

Do you have verbose HTTP response output available? e.g.: curl -vvv $URL

Hi there, I too am noticing this issue. @shane here is my verbose output. I redacted some info from the response.

* Connected to XXXXXX.com (123.123.123.123) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/cert.pem
*  CApath: none
* (304) (OUT), TLS handshake, Client hello (1):
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.XXXXX.com. < ACM arn certificate loaded properly with appropriate hostname
*  start date: Jan 20 00:00:00 2022 GMT
*  expire date: Feb 18 23:59:59 2023 GMT
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
> POST /auth HTTP/1.1
> Host: XXXXX.com
> User-Agent: curl/7.79.1
> accept: application/json
> Content-Type: application/json
> Content-Length: 76
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 400 Bad Request
< Date: Thu, 14 Apr 2022 18:10:35 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 220
< Connection: close
< X-Kong-Response-Latency: 0
< Server: kong/2.8.0
< 
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body>
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
</body>
</html>
* Closing connection 0
* TLSv1.2 (IN), TLS alert, close notify (256):
* TLSv1.2 (OUT), TLS alert, close notify (256):

My Service is setup the same way as @lucao

Also to note, HTTP works correctly, but ideally I have to re-route to HTTP(S).

Output from Kong:

[ingress-kong-558cd9dd85-4rrxv proxy] 2022/04/14 18:16:40 [warn] 1109#0: *10527 using uninitialized "kong_proxy_mode" variable while logging request, client: 10.0.154.134, server: kong, request: "POST /auth HTTP/1.1", host: "XXXXX.com" 
[ingress-kong-558cd9dd85-4rrxv proxy] 2022/04/14 18:16:40 [warn] 1109#0: *10527 [lua] reports.lua:83: log(): [reports] could not determine log suffix (scheme=http, proxy_mode=) while logging request, client: 10.0.154.134, server: kong, request: "POST /auth HTTP/1.1", host: "XXXX.com" 
[ingress-kong-558cd9dd85-4rrxv proxy] 10.0.154.134 - - [14/Apr/2022:18:16:40 +0000] "POST /auth HTTP/1.1" 400 220 "-" "curl/7.79.1"

Just an update from my side, I managed to get NLB to work.

apiVersion: v1
kind: Service
metadata:
  annotations:
    external-dns.alpha.kubernetes.io/hostname: XXX.com
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: https
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: XXX
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
  name: kong-proxy
  namespace: kong
spec:
  ports:
  - name: proxy
    port: 80
    protocol: TCP
    targetPort: 8000
  - name: proxy-ssl
    port: 443
    protocol: TCP
    targetPort: 8000
  selector:
    app: ingress-kong
  type: LoadBalancer

If I try to set up my Downstream Service to enforce HTTPS and return a redirect, I get an endless redirect loop. I suspect it's due to me switching the targetPort of the ssl config to 8000. Debugging continues.
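As an added example (not code from the thread, from Kong, or from AWS), here is a small Python check that encodes the reasoning behind both symptoms in this thread: an NLB listener that terminates TLS with the ACM certificate and targets Kong's TLS port 8443 produces the 400 in the first post, while the same listener targeting the plain port 8000 leaves Kong seeing scheme=http, which is what the redirect loop in the update points at. It assumes that once the ssl-cert annotation is set the NLB forwards the decrypted stream to targetPort for every ssl-ports listener, and that 8443 is Kong's TLS listener; the two manifests are transcribed from the posts above.

```python
# Added example, not code from the thread or from Kong: a static check over the kong-proxy
# Service manifest that applies the reasoning behind the 400 above. Assumption, consistent
# with both manifests in the thread: once aws-load-balancer-ssl-cert is set, the NLB
# terminates TLS on the ssl-ports listeners and forwards the decrypted stream to targetPort.
from typing import Dict, List, Tuple

SSL_CERT = "service.beta.kubernetes.io/aws-load-balancer-ssl-cert"
SSL_PORTS = "service.beta.kubernetes.io/aws-load-balancer-ssl-ports"
KONG_TLS_TARGETS = frozenset({8443})  # Kong's default TLS proxy listener (8000 is plain HTTP)


def ssl_listener_ports(annotations: Dict[str, str], ports: List[dict]) -> set:
    """Service ports whose NLB listener terminates TLS with the ACM certificate."""
    if SSL_CERT not in annotations:
        return set()
    wanted = {x.strip() for x in annotations.get(SSL_PORTS, "*").split(",")}
    if "*" in wanted:  # assumed default: every listener gets the certificate
        return {int(p["port"]) for p in ports}
    # ssl-ports may list port numbers or port names
    return {int(p["port"]) for p in ports if str(p["port"]) in wanted or p.get("name") in wanted}


def check_tls_path(annotations: Dict[str, str], ports: List[dict]) -> List[Tuple[int, str, str]]:
    """Return (service port, kind, explanation) for each TLS-terminated listener."""
    findings = []
    terminated = ssl_listener_ports(annotations, ports)
    for p in ports:
        port, target = int(p["port"]), int(p["targetPort"])
        if port not in terminated:
            continue
        if target in KONG_TLS_TARGETS:
            findings.append((port, "plain_to_tls_port",
                             f"NLB decrypts TLS and sends plaintext to Kong TLS port {target}: "
                             "expect 400 'The plain HTTP request was sent to HTTPS port'"))
        else:
            findings.append((port, "scheme_lost",
                             f"TLS ends at the NLB; Kong sees scheme=http on port {target}, so an "
                             "HTTPS-enforcing redirect loops unless Kong learns the original scheme"))
    return findings


# Constructed inputs transcribed from the two manifests posted in the thread.
FIRST_POST = ({SSL_CERT: "[my-certificate]", SSL_PORTS: "443"},
              [{"name": "proxy", "port": 80, "targetPort": 8000},
               {"name": "proxy-ssl", "port": 443, "targetPort": 8443}])
UPDATE_POST = ({SSL_CERT: "XXX", SSL_PORTS: "443"},
               [{"name": "proxy", "port": 80, "targetPort": 8000},
                {"name": "proxy-ssl", "port": 443, "targetPort": 8000}])
```

Calling `check_tls_path(*FIRST_POST)` reports the plain-to-TLS-port case on 443, and `check_tls_path(*UPDATE_POST)` reports the lost-scheme case on 443; port 80 is never flagged because the NLB does not terminate TLS there.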