TLS requests are sent over HTTP instead of HTTPS #1028
Comments
Hello,
Hmmm yeah very weird. @spyrosmouchlianitis are you able to share the ingress configuration you used by any chance (details anonymised where needed)? Looking at the logs you posted, it feels like the ingress controller is trying to establish an HTTP connection with the interceptor proxy just on port 443.
@zorocloud Updated with my configuration
Thanks @spyrosmouchlianitis. Looking at your ingress configuration, it seems that you are sending the request to the interceptor proxy over HTTP (port 8080). Even though you have configured TLS to be enabled in the interceptor proxy's configuration, you need to send the request to the interceptor on its exposed HTTPS port (8443 by default) in order to have the onward request sent over HTTPS. This is because the interceptor proxy will expose both an HTTP and HTTPS server when TLS is enabled, and the HTTP server will always evaluate Could you please try updating your Ingress configuration to send traffic to the interceptor proxy over HTTPS (port 8443)? That should hopefully solve your issue 🙂.
I found the issue. I had to modify the interceptor's proxy service and add the 8443 port

```yaml
apiVersion: v1
kind: Service
metadata:
  name: keda-add-ons-http-interceptor-proxy
spec:
  ports:
    - name: https
      port: 8443
      protocol: TCP
      targetPort: https
    - name: proxy
      port: 8080
      targetPort: proxy
```

I also had to update the interceptor's deployment and add the port 8443

```yaml
ports:
  - containerPort: 8443
    name: https
    protocol: TCP
```

as well as update my ingress to send the requests to port 8443 instead of 8080. I think the documentation for the TLS should be enhanced to include these necessary changes. Right now, it implies that you only need to set the following parameters:
Sweet, glad you are up and running now 👍. I think what we probably need to do is update the helm chart for the Add-on to add the necessary configuration to those resources when TLS is enabled. Then theoretically everything will just work out of the box without any extra manual configuration (either by hand or with Kustomize). @JorTurFer is a separate ticket needed in the repository where you keep the charts to get these updates in?
@zorocloud would you be willing to update the helm chart please? You can reference this issue in the PR, no need to open another one. Thanks!
Sure! Raised a PR in the chart repo though have an open question on there @zroubalik.
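A consistency check for the fix described in the comments above, as an added example that is not part of the original thread or the project's code: it reports when the interceptor's Service, Deployment and Ingress do not agree on the HTTPS port. The manifests are constructed Python dicts reduced to the fields that matter, and `check_tls_path` and `sample` are hypothetical names.

```python
HTTPS_PORT = 8443  # interceptor's default HTTPS port, per the thread
SVC = "keda-add-ons-http-interceptor-proxy"  # Service name from the thread


def check_tls_path(service, deployment, ingress, https_port=HTTPS_PORT):
    """Return findings; an empty list means the three manifests agree."""
    findings = []
    # Container ports declared on the Deployment, keyed by name.
    cports = {}
    for c in deployment["spec"]["template"]["spec"]["containers"]:
        for p in c.get("ports", []):
            cports[p.get("name")] = p["containerPort"]
    # Each Service port must forward to a declared container port.
    by_name, exposed = {}, set()
    for p in service["spec"].get("ports", []):
        by_name[p.get("name")] = p["port"]
        exposed.add(p["port"])
        target = p.get("targetPort", p["port"])
        if isinstance(target, str):
            target = cports.get(target)  # None if the named port is missing
        if target not in cports.values():
            findings.append(f"service port {p['port']} has no matching container port")
    if https_port not in exposed:
        findings.append(f"service does not expose {https_port}")
    # Ingress backends that point at the interceptor must use the HTTPS port.
    for rule in ingress["spec"].get("rules", []):
        for path in rule.get("http", {}).get("paths", []):
            backend = path["backend"]["service"]
            if backend["name"] != service["metadata"]["name"]:
                continue
            port = backend["port"]
            number = port.get("number", by_name.get(port.get("name")))
            if number != https_port:
                findings.append(f"ingress sends to port {number}, not {https_port}")
    return findings


def sample(svc_ports, container_ports, ingress_port):
    """Constructed manifests, reduced to the fields check_tls_path reads."""
    service = {"metadata": {"name": SVC}, "spec": {"ports": [
        {"name": n, "port": p, "targetPort": n} for n, p in svc_ports.items()]}}
    deployment = {"spec": {"template": {"spec": {"containers": [{"ports": [
        {"name": n, "containerPort": p} for n, p in container_ports.items()]}]}}}}
    ingress = {"spec": {"rules": [{"http": {"paths": [{"backend": {"service": {
        "name": SVC, "port": {"number": ingress_port}}}}]}}]}}
    return service, deployment, ingress


if __name__ == "__main__":
    both = {"https": 8443, "proxy": 8080}
    print(check_tls_path(*sample({"proxy": 8080}, {"proxy": 8080}, 8080)))
    print(check_tls_path(*sample(both, {"proxy": 8080}, 8443)))
    print(check_tls_path(*sample(both, both, 8443)))
```

The second case is the half-applied fix: the Service names `targetPort: https` but the Deployment never declares a port with that name, so the Service port resolves to nothing.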
@spyrosmouchlianitis
Report
I've set up the http-add-on with TLS enabled. The certificates are read from the add-on and TLS verification works correctly. My issue is when I send an `https` request to my ingress controller, the interceptor instead of sending the request to my service via `https` it switches to `http`.
According to this, shouldn't it work via `https` if TLS is enabled?
http-add-on/interceptor/middleware/routing.go
Lines 67 to 83 in 0793ece
I've tried sending the same request the add-on is attempting but with `https` and it works as expected.
Ingress configuration
HTTPScaledObject
Service
Deployment
Expected Behavior
Interceptor should send requests via `https`
Actual Behavior
Interceptor sends requests via `http`
Steps to Reproduce the Problem
https
Logs from KEDA HTTP operator
HTTP Add-on Version
0.8.0
Kubernetes Version
1.28
Platform
Microsoft Azure
Anything else?
No response