DevFW-CICD/ingress-nginx-helm
12
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ingress-nginx-helm/examples/multi-tls/haproxy/README.md
Joao Morais 4b73cc6d0c Add ingress.class support to HAProxy Ingress
2017-08-27 21:48:02 -03:00

1.7 KiB
Raw Blame History

HAProxy Multi TLS certificate termination

This example uses 2 different certificates to terminate SSL for 2 hostnames.

Prerequisites

This document has the following prerequisites:

  • Deploy HAProxy Ingress controller, you should end up with controller, a sample web app and default TLS secret
  • Create two secrets named foobar-ssl with subject '/CN=foo.bar' and barfoo-ssl with subject '/CN=bar.foo'

Using a new TLS certificate

Update ingress resource in order to add TLS termination to two hosts:

$ kubectl replace -f ingress-multi-tls.yaml

Trying without host:

$ curl -iL 10.129.51.55:30221           
HTTP/1.1 404 Not Found
Date: Tue, 28 Mar 2017 07:32:34 GMT
Content-Length: 21
Content-Type: text/plain; charset=utf-8

default backend - 404

Telling the controller we are foo.bar or bar.foo:

$ curl -iL 10.129.51.55:36462 -H 'Host: foo.bar'
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://foo.bar/
Connection: close
$ curl -iL 10.129.51.55:36462 -H 'Host: bar.foo'
HTTP/1.1 302 Found
Cache-Control: no-cache
Content-length: 0
Location: https://bar.foo/
Connection: close
^C

Note the Location header - this would redirect us to the correct server.

Checking the certificate - change below 31578 to the TLS port:

$ openssl s_client -connect 10.129.51.55:31578 -servername foo.bar
...
subject=/CN=foo.bar
issuer=/CN=foo.bar
---

... and bar.foo certificate:

$ openssl s_client -connect 10.129.51.55:31578 -servername bar.foo
...
subject=/CN=bar.foo
issuer=/CN=bar.foo
---