Upstream http and https protocol under one upstream

Hi all,

I have been trying to add two targets under one upstream, one of which is on HTTP and the other on HTTPS. I am not sure how to achieve that. I tried adding a target like https:10.32.9.123:443, but that didn’t work.

It seems like there is a limitation that the targets could either be on HTTP or HTTPS. Is there a workaround for this? My Kong config file looks like this:

_format_version: "2.1"

_transform: true

services:
- name: test-server-public
  protocol: http
  host: test-endpoint-upstream
  port: 8000
  retries: 3
  connect_timeout: 5000
  routes:
  - name: test-route
    paths:
    - /test
upstreams:
- name: test-endpoint-upstream
  targets:
  - target: target-url:8080
    weight: 999
  - target: target-https-url:443
    weight: 1
  healthchecks:
    active:
      concurrency: 2
      http_path: /
      type: http
      healthy:
        interval: 0
        successes: 1
        http_statuses:
        - 200
        - 302
      unhealthy:
        http_failures: 3
        interval: 10
        tcp_failures: 3
        timeouts: 3
        http_statuses:
        - 429
        - 404
        - 500
        - 501
        - 502
        - 503
        - 504
        - 505
    passive:
      type: http
      healthy:
        successes: 1
        http_statuses:
        - 200
        - 201
        - 202
        - 203
        - 204
        - 205
        - 206
        - 207
        - 208
        - 226
        - 300
        - 301
        - 302
        - 303
        - 304
        - 305
        - 306
        - 307
        - 308
      unhealthy:
        http_failures: 1
        tcp_failures: 1
        timeouts: 1
        http_statuses:
        - 429
        - 500
        - 503
  slots: 1000

As mentioned by the developer, the load balancer (upstream entity) operates at layer 4 (TCP/IP level), not layer 7 (HTTP/HTTPS). So there is a Kong limitation on defining different upstream protocols.

Hello,

You should control the protocol used on the Service object instead. If the upstreams are backed by different protocols, then they have to be separate, e.g. no mix of HTTP and HTTPS targets under the same upstream.
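
The split described in the reply above, written out as a declarative config. This is an added example, not part of the original posts; the names `test-server-public-tls`, `test-endpoint-upstream-tls`, `test-route-tls` and the path `/test-tls` are hypothetical, and the weights are constructed.

```yaml
_format_version: "2.1"
_transform: true

services:
# Plain-HTTP backends: the protocol is set on the Service, not on a target.
- name: test-server-public
  protocol: http
  host: test-endpoint-upstream
  port: 8080
  routes:
  - name: test-route
    paths:
    - /test
# TLS backends get their own Service and upstream (hypothetical names).
- name: test-server-public-tls
  protocol: https
  host: test-endpoint-upstream-tls
  port: 443
  routes:
  - name: test-route-tls
    paths:
    - /test-tls

upstreams:
- name: test-endpoint-upstream
  targets:
  - target: target-url:8080
    weight: 100
  healthchecks:
    active:
      type: http        # probe type matches the backend protocol
      http_path: /
- name: test-endpoint-upstream-tls
  targets:
  - target: target-https-url:443
    weight: 100
  healthchecks:
    active:
      type: https       # an http probe against a TLS port would fail
      http_path: /
```

Target weights only balance traffic inside a single upstream, so this layout does not reproduce the 999:1 split between the HTTP and HTTPS targets from the original config.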