

andrewwebber commented on August 14, 2024

Below are the generated configuration files from versions 0.18 and 0.19.

root@localhost:/# cat /etc/nghttpx/nghttpx.conf 18

# nghttpx.conf as generated by nghttpx-ingress-lb 0.18 (reporter's capture).
accesslog-file=/dev/stdout

# Backend routing lives in a separate generated file (listed further down in this comment).
include=/etc/nghttpx/nghttpx-backend.conf

# Plaintext HTTP listener on every interface.
frontend=*,80;no-tls

# API endpoints
frontend=127.0.0.1,3001;api;no-tls


# TLS listener on every interface; the key/cert pairs below are served from it.
frontend=*,443


# checksum is required to detect changes in the generated configuration and force a reload
# checksum: 6d06cd15764433cfb7157f3cb6d571aee57455b684404c6d507bdecc7b07c457
# Default key/cert pair (in 0.18 one checksum covers the pair).
private-key-file=/etc/nghttpx-tls/brainloop_ingress-brainloop-cert.key
certificate-file=/etc/nghttpx-tls/brainloop_ingress-brainloop-cert.crt


# Additional key/cert pairs; nghttpx picks among them by the TLS SNI name the client sends.
# NOTE(review): the next two subcert entries carry the same checksum, which suggests identical
# key/cert contents under two names — confirm that is intended.
# checksum: 0aab568950229dae8e20870641cf276b83894bf9b6c5a5935015f962aa16890e
subcert=/etc/nghttpx-tls/brainloop_ingress-cert.key:/etc/nghttpx-tls/brainloop_ingress-cert.crt

# checksum: 0aab568950229dae8e20870641cf276b83894bf9b6c5a5935015f962aa16890e
subcert=/etc/nghttpx-tls/kube-system_dashboard-ingress-cert.key:/etc/nghttpx-tls/kube-system_dashboard-ingress-cert.crt

# checksum: 31884b4a0f60d544c440750efdbf6700a1a13bc8555cfb90ba9bde3d40a4465f
subcert=/etc/nghttpx-tls/rhino-ci_gateway-external-cert.key:/etc/nghttpx-tls/rhino-ci_gateway-external-cert.crt

# checksum: ff2b53055f68aba15c9c5a39a48393ff228185a8c5f4760ddb469ed8bd13366f
subcert=/etc/nghttpx-tls/rhino-ci_ingress-thirdparty-cert.key:/etc/nghttpx-tls/rhino-ci_ingress-thirdparty-cert.crt




# for health check
# Loopback-only, so the health endpoint is not exposed on the external listeners.
frontend=127.0.0.1,8080;healthmon;no-tls

# default configuration by controller
workers=2

# from ConfigMap

# NOTE(review): per the nghttpx documentation, insecure=yes turns off verification of backend
# server certificates on TLS backend connections; several backends in nghttpx-backend.conf
# use the `tls` parameter, so confirm this operator-supplied setting is intended.
insecure=yes
server-name=brainloop
no-via=yes

root@localhost:/# cat /etc/nghttpx/nghttpx-backend.conf 
# nghttpx-backend.conf as generated by nghttpx-ingress-lb 0.18 (reporter's capture).
# Each comment line names the Kubernetes namespace/service,port and the host/path it is routed for;
# the backend= line below it carries the pod IP, port, routing pattern and connection parameters.
# brainloop/dox-build-mon-service,3000;build-mon.brainloopdevops.com/
backend=11.2.79.4,3000;build-mon.brainloopdevops.com/;proto=http/1.1;affinity=none
# brainloop/dox-platforms-service,3000;platforms.brainloopdevops.com/
backend=11.2.60.4,3000;platforms.brainloopdevops.com/;proto=http/1.1;affinity=none
# brainloop/dox-wiki-service,80;wiki.brainloopdevops.com/
backend=11.2.14.6,80;wiki.brainloopdevops.com/;proto=http/1.1;affinity=none
# brainloop/registry,5000;registry.brainloop.local/
backend=11.2.58.3,5000;registry.brainloop.local/;proto=http/1.1;affinity=none
# brainloop/registry-dashboard,80;registry.brainloopdevops.com/
backend=11.2.58.4,80;registry.brainloopdevops.com/;proto=http/1.1;affinity=none
# brainloop/support,80;support.brainloopdevops.com/
backend=11.2.79.7,80;support.brainloopdevops.com/;proto=http/1.1;affinity=none
# default/default-http-backend
# Empty pattern (";;") — the catch-all backend for requests no other pattern matches.
backend=11.2.14.3,8080;;proto=http/1.1;affinity=none
# kube-system/kubernetes-dashboard,80;k8.brainloopdevops.com/
backend=11.2.10.2,9090;k8.brainloopdevops.com/;proto=http/1.1;affinity=none
# The rhino-ci backends below are reached over TLS (`tls`); whether their certificates are
# verified depends on the `insecure` setting in nghttpx.conf, which this capture sets to yes.
# rhino-ci/gateway,443;dox.thirdparty.com/
backend=11.2.60.8,443;dox.thirdparty.com/;proto=h2;tls;dns;affinity=none
# rhino-ci/gateway,443;rhino-ci.brainloop.com/
backend=11.2.60.8,443;rhino-ci.brainloop.com/;proto=h2;tls;dns;affinity=none
# rhino-ci/pe,8040;dox.thirdparty.com/pe/
backend=11.2.14.9,8040;dox.thirdparty.com/pe/;proto=h2;tls;dns;affinity=none
# rhino-ci/pe,8040;rhino-ci.brainloop.com/pe/
backend=11.2.14.9,8040;rhino-ci.brainloop.com/pe/;proto=h2;tls;dns;affinity=none
# rhino-ci/push,8013;dox.thirdparty.com/push/
backend=11.2.14.10,8013;dox.thirdparty.com/push/;proto=http/1.1;tls;dns;affinity=none
# rhino-ci/push,8013;rhino-ci.brainloop.com/push/
backend=11.2.14.10,8013;rhino-ci.brainloop.com/push/;proto=http/1.1;tls;dns;affinity=none

0.19

root@localhost:/# cat /etc/nghttpx/nghttpx.conf 19

# nghttpx.conf as generated by nghttpx-ingress-lb 0.19 (reporter's capture).
# Apart from the checksum comments, the directives are the same as in the 0.18 capture above.
accesslog-file=/dev/stdout

# Backend routing lives in a separate generated file (listed further down in this comment).
include=/etc/nghttpx/nghttpx-backend.conf

# Plaintext HTTP listener on every interface.
frontend=*,80;no-tls

# API endpoints
frontend=127.0.0.1,3001;api;no-tls


# TLS listener on every interface; the key/cert pairs below are served from it.
frontend=*,443


# checksum is required to detect changes in the generated configuration and force a reload
# In 0.19 each checksum comment carries two values where 0.18 carried one — presumably one per
# file of the key/cert pair; confirm against the controller source.
# checksum: e0036e880d9f20b72d6e91d5c61b35d9121149029c4c711b87d9332a4c44da7e 6e2c63ecde79168954f65d2ee05faff7a63f695a4cafb4ba5a5832e31b9ceea8
# Default key/cert pair.
private-key-file=/etc/nghttpx-tls/brainloop_ingress-brainloop-cert.key
certificate-file=/etc/nghttpx-tls/brainloop_ingress-brainloop-cert.crt


# Additional key/cert pairs; nghttpx picks among them by the TLS SNI name the client sends.
# NOTE(review): the next two subcert entries carry identical checksums, which suggests identical
# key/cert contents under two names — confirm that is intended.
# checksum: 4be0530f852c3288e47bea5d67c89db087899160ee5a39c2e5e8a544b5c32eb3 28f0ea725239151527fafe8223e5cf13589c42fac7e54bf5c171bbd16ebdf2c7
subcert=/etc/nghttpx-tls/brainloop_ingress-cert.key:/etc/nghttpx-tls/brainloop_ingress-cert.crt

# checksum: 4be0530f852c3288e47bea5d67c89db087899160ee5a39c2e5e8a544b5c32eb3 28f0ea725239151527fafe8223e5cf13589c42fac7e54bf5c171bbd16ebdf2c7
subcert=/etc/nghttpx-tls/kube-system_dashboard-ingress-cert.key:/etc/nghttpx-tls/kube-system_dashboard-ingress-cert.crt

# checksum: 97fc243814f7d8944b1dde29810be60d40303552e7b38ad544e043e93e8c4367 acf790c36440132bc7552a3c3efab29bfdc48db7dfe45fad4ba2a4db1de40e54
subcert=/etc/nghttpx-tls/rhino-ci_gateway-external-cert.key:/etc/nghttpx-tls/rhino-ci_gateway-external-cert.crt

# checksum: aabe8a51ed784f4e86b04c10df241cbdc89bd778862b9b939ba39a81d9a80c0c 402309b7507baba282fcc2e2d92cf6dba30aecf3407e02fade9a9b2d57b75d13
subcert=/etc/nghttpx-tls/rhino-ci_ingress-thirdparty-cert.key:/etc/nghttpx-tls/rhino-ci_ingress-thirdparty-cert.crt




# for health check
# Loopback-only, so the health endpoint is not exposed on the external listeners.
frontend=127.0.0.1,8080;healthmon;no-tls

# default configuration by controller
workers=2

# from ConfigMap

# NOTE(review): per the nghttpx documentation, insecure=yes turns off verification of backend
# server certificates on TLS backend connections; several backends in nghttpx-backend.conf
# use the `tls` parameter, so confirm this operator-supplied setting is intended.
insecure=yes
server-name=brainloop
no-via=yes

root@localhost:/# cat /etc/nghttpx/nghttpx-backend.conf 
# nghttpx-backend.conf as generated by nghttpx-ingress-lb 0.19 (reporter's capture).
# Compared with the 0.18 capture, most backends now carry `redirect-if-not-tls`.
# NOTE(review): build-mon, wiki and the default backend do not carry it, so those hosts stay
# reachable over the plaintext :80 frontend without being redirected — confirm that is intended.
# brainloop/dox-build-mon-service,3000;build-mon.brainloopdevops.com/
backend=11.2.79.4,3000;build-mon.brainloopdevops.com/;proto=http/1.1;affinity=none
# brainloop/dox-platforms-service,3000;platforms.brainloopdevops.com/
backend=11.2.60.4,3000;platforms.brainloopdevops.com/;proto=http/1.1;affinity=none;redirect-if-not-tls
# brainloop/dox-wiki-service,80;wiki.brainloopdevops.com/
backend=11.2.14.6,80;wiki.brainloopdevops.com/;proto=http/1.1;affinity=none
# brainloop/registry,5000;registry.brainloop.local/
backend=11.2.58.3,5000;registry.brainloop.local/;proto=http/1.1;affinity=none;redirect-if-not-tls
# brainloop/registry-dashboard,80;registry.brainloopdevops.com/
backend=11.2.58.4,80;registry.brainloopdevops.com/;proto=http/1.1;affinity=none;redirect-if-not-tls
# brainloop/support,80;support.brainloopdevops.com/
backend=11.2.79.7,80;support.brainloopdevops.com/;proto=http/1.1;affinity=none;redirect-if-not-tls
# default/default-http-backend
# Empty pattern (";;") — the catch-all backend for requests no other pattern matches.
backend=11.2.14.3,8080;;proto=http/1.1;affinity=none
# kube-system/kubernetes-dashboard,80;k8.brainloopdevops.com/
backend=11.2.10.2,9090;k8.brainloopdevops.com/;proto=http/1.1;affinity=none;redirect-if-not-tls
# The rhino-ci backends below are reached over TLS (`tls`); whether their certificates are
# verified depends on the `insecure` setting in nghttpx.conf, which this capture sets to yes.
# rhino-ci/gateway,443;dox.thirdparty.com/
backend=11.2.60.8,443;dox.thirdparty.com/;proto=h2;tls;dns;affinity=none;redirect-if-not-tls
# rhino-ci/gateway,443;rhino-ci.brainloop.com/
backend=11.2.60.8,443;rhino-ci.brainloop.com/;proto=h2;tls;dns;affinity=none;redirect-if-not-tls
# rhino-ci/pe,8040;dox.thirdparty.com/pe/
backend=11.2.14.9,8040;dox.thirdparty.com/pe/;proto=h2;tls;dns;affinity=none;redirect-if-not-tls
# rhino-ci/pe,8040;rhino-ci.brainloop.com/pe/
backend=11.2.14.9,8040;rhino-ci.brainloop.com/pe/;proto=h2;tls;dns;affinity=none;redirect-if-not-tls
# rhino-ci/push,8013;dox.thirdparty.com/push/
backend=11.2.14.10,8013;dox.thirdparty.com/push/;proto=http/1.1;tls;dns;affinity=none;redirect-if-not-tls
# rhino-ci/push,8013;rhino-ci.brainloop.com/push/
backend=11.2.14.10,8013;rhino-ci.brainloop.com/push/;proto=http/1.1;tls;dns;affinity=none;redirect-if-not-tls


tatsuhiro-t commented on August 14, 2024

I could not reproduce this.
I made 2 ingress resources:

# Ingress 1: routes bar.foo.com/ to service backend1; its TLS key/cert come from Secret "backend1".
# NOTE(review): extensions/v1beta1 is a deprecated Ingress API group — current clusters use
# networking.k8s.io/v1, where the class is set via spec.ingressClassName rather than an annotation.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: backend1
  annotations:
    # Selects the nghttpx controller for this resource.
    kubernetes.io/ingress.class: "nghttpx"
spec:
  tls:
  - secretName: backend1
  rules:
  - host: bar.foo.com
    http:
      paths:
      - path: /
        backend:
          serviceName: backend1
          servicePort: 8080
---
# Ingress 2: same shape for foo.bar.com/ → service backend2, TLS from Secret "backend2".
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: backend2
  annotations:
    kubernetes.io/ingress.class: "nghttpx"
spec:
  tls:
  - secretName: backend2
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /
        backend:
          serviceName: backend2
          servicePort: 8080

Secret backend1 contains TLS certificate for *.foo.com
Secret backend2 contains TLS certificate for *.bar.com

Then I ran openssl s_client against each name:

$ openssl s_client -connect <IP>:443 -servername bar.foo.com
...
subject=/C=.../CN=*.foo.com
$ openssl s_client -connect <IP>:443 -servername foo.bar.com
...
subject=/C=.../CN=*.bar.com

nghttpx.conf is as follows:

# nghttpx.conf generated for the two-Ingress reproduction attempt above.
accesslog-file=/dev/stdout

include=/etc/nghttpx/nghttpx-backend.conf

# Plaintext HTTP listener on every interface.
frontend=*,80;no-tls

# API endpoints
frontend=127.0.0.1,3001;api;no-tls


# TLS listener on every interface; the key/cert pairs below are served from it.
frontend=*,443


# checksum is required to detect changes in the generated configuration and force a reload
# checksum: 67987df73308ccae439c7a76d4ccbcaef5076a24ebc7fa471223d2f20e96f3d4 d7b06e5522291ac238e446949e338e6c3e648b853a24a759d8f1e958dc68b0b0
# Default key/cert pair, taken from Secret backend1 (*.foo.com per the comment text).
private-key-file=/etc/nghttpx-tls/default_backend1.key
certificate-file=/etc/nghttpx-tls/default_backend1.crt


# Additional key/cert pair from Secret backend2 (*.bar.com); nghttpx picks it by the client's SNI name.
# checksum: bf205138f729f9c2a8ff24f146cd5a7f4f9209df23af249dce5522a3b6346af8 839b167a182420c6bd875933ed13ae265f5e6c38460e87c327c571d6e859aeca
subcert=/etc/nghttpx-tls/default_backend2.key:/etc/nghttpx-tls/default_backend2.crt




# for health check
# Loopback-only, so the health endpoint is not exposed on the external listeners.
frontend=127.0.0.1,8080;healthmon;no-tls

# default configuration by controller
workers=1

# from ConfigMap
# (No ConfigMap overrides in this reproduction, so unlike the reporter's capture there is no insecure=yes here.)


tatsuhiro-t commented on August 14, 2024

@andrewwebber Could you share the minimum set of Ingresses to reproduce this issue, perhaps, using the Ingresses in my previous comment?


tatsuhiro-t commented on August 14, 2024

It looks like a regression in nghttpx causes this issue. I have committed the fix to nghttp2 master; the next release will include it.


andrewwebber commented on August 14, 2024

@tatsuhiro-t how did you discover this regression, and were you also able to reproduce it?


tatsuhiro-t commented on August 14, 2024

I'm not sure it is the exact same issue, but the regression I found causes nghttpx to select a certificate with the wrong SAN. The exact fix commit is nghttp2/nghttp2@9c1876f.
I found this bug while setting up nghttp2.org with both RSA and ECDSA certificates.


tatsuhiro-t commented on August 14, 2024

@andrewwebber Could you test v0.23.0 to confirm that this issue is fixed?


andrewwebber commented on August 14, 2024

@tatsuhiro-t sure, no problem...


andrewwebber commented on August 14, 2024

@tatsuhiro-t I have now tested this and it looks like it's working: an ingress controller with two different SSL certificates.

$kubectl get ingress
NAME              HOSTS                           ADDRESS            PORTS     AGE
guestbook-http    guestbook.brainloopdevops.com   10.10.2.102,1...   80, 443   3m
guestbook2-http   guestbook.brainloop.com         10.10.3.189,1...   80, 443   1m


tatsuhiro-t commented on August 14, 2024

@andrewwebber Thank you! Let's close the issue.

