Invalid configuration generated when using protocol `HTTPSPROXY`


When enabling protocol HTTPSPROXY, the generated configuration results in the following error when connecting via TLS:

error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number

This is a result of the proxyProtocolStack being set to [ "TLS", "PROXY", "HTTP", "TCP" ], so TLS wrapping proxy wrapping HTTP wrapping TCP.

To Reproduce

Create a listener as such:

apiVersion: getambassador.io/v3alpha1
kind: Listener
metadata:
  name: http
  namespace: emissary
spec:
  port: 8443
  protocol: HTTPSPROXY
  securityModel: SECURE
  l7Depth: 0
  hostBinding:
    namespace:
      from: SELF

If using AWS NLB, enable proxy protocol by setting the following annotation:

service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"

When attempting to connect to Emissary via HTTPS, you will receive the error error:1400410B:SSL routines:CONNECT_CR_SRVR_HELLO:wrong version number. Steps to reproduce the behavior:

Expected behavior

With proxy protocol enabled at the NLB and configured via protocol HTTPSPROXY, a successful connection should be established.

Versions (please complete the following information):

  • Ambassador: 2.2.2
  • Kubernetes environment: AWS EKS 1.21

Issue Analytics

  • State: open
  • Created: 2 years ago
  • Reactions: 1
  • Comments: 5 (1 by maintainers)

Top GitHub Comments

alexgervais commented, Mar 21, 2022 (1 reaction)

Thanks for the contribution @cyrus-mc ! I’ve assigned the PR review to a maintainer and will rely on the test automation to catch regressions.

cyrus-mc commented, Mar 4, 2022 (0 reactions)

Reading the RFC

In both cases, the protocol simply consists in an easily parsable header placed by the connection initiator at the beginning of each connection

This to me seems to indicate that proxy wrapping TLS is the correct order and any other LBs that differ from that are the one-offs. So at the very least I think the default for HTTPSPROXY should be as noted here and updated in the PR.
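
The ordering discussed in the issue body and in the RFC quote above, as an added example (not code from Emissary, the PR, or either commenter): when a load balancer prepends a PROXY protocol header, that header is the first thing on the wire and the TLS handshake follows it, so a parser that expects a TLS record first does not find one. The sample bytes, addresses and function names below are constructed for illustration.

```python
import socket
import struct

V2_SIG = b"\r\n\r\n\x00\r\nQUIT\n"  # 12-byte PROXY protocol v2 signature
TLS_HELLO = b"\x16\x03\x01\x02\x00\x01"  # constructed start of a TLS handshake record

# Constructed sample: what a backend receives when the load balancer prepends
# a v2 header (TCP over IPv4, 203.0.113.7:51234 -> 10.0.0.5:8443) to a TLS stream.
SAMPLE = (V2_SIG + b"\x21\x11" + struct.pack("!H", 12)
          + socket.inet_aton("203.0.113.7") + socket.inet_aton("10.0.0.5")
          + struct.pack("!HH", 51234, 8443) + TLS_HELLO)


def strip_proxy_header(data: bytes):
    """Return (client, rest); rest is data with any leading PROXY header removed."""
    if data.startswith(V2_SIG):
        if len(data) < 16:
            raise ValueError("truncated PROXY v2 header")
        ver_cmd, fam, length = struct.unpack("!BBH", data[12:16])
        body = data[16:16 + length]
        if ver_cmd >> 4 != 2 or len(body) < length:
            raise ValueError("malformed PROXY v2 header")
        client = None  # LOCAL command or non-IPv4 family: no address decoded here
        if ver_cmd & 0x0F == 1 and fam == 0x11 and length >= 12:
            port = struct.unpack("!H", body[8:10])[0]
            client = f"{socket.inet_ntoa(body[:4])}:{port}"
        return client, data[16 + length:]
    if data.startswith(b"PROXY "):  # v1: one text line terminated by CRLF
        line, sep, rest = data.partition(b"\r\n")
        fields = line.decode("ascii", "replace").split(" ")
        if not sep or len(fields) not in (2, 6):
            raise ValueError("malformed PROXY v1 header")
        return (f"{fields[2]}:{fields[4]}" if len(fields) == 6 else None), rest
    return None, data


def looks_like_tls(data: bytes) -> bool:
    """True if data starts with a TLS handshake record (type 0x16, major version 3)."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03


def wire_order(data: bytes):
    """Return (layers outermost-first, client address) for the first bytes seen."""
    client, rest = strip_proxy_header(data)
    layers = ["PROXY"] if len(rest) < len(data) else []
    layers.append("TLS" if looks_like_tls(rest) else "OTHER")
    return layers, client
```

Running `wire_order` on the first bytes captured at the backend port shows whether the PROXY header arrives outside the TLS stream, which is the order the listener has to parse them in.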
