Re: Passthrough TLS route not working

2018-01-19 Thread Marc Boorshtein
Hm, then you lose the ability to do cookie-based load balancing.

On Fri, Jan 19, 2018, 5:11 PM Joel Pearson wrote:

> In the reference implementation they use Classic ELB load balancers in TCP
> mode:
>
> See this cloud formation template:
> https://github.com/openshift/openshift-ansible-contrib/blob/master/reference-architecture/aws-ansible/playbooks/roles/cloudformation-infra/files/greenfield.json.j2#L763
>
> On Sat, Jan 20, 2018 at 8:55 AM Joel Pearson <
> japear...@agiledigital.com.au> wrote:
>
>> What mode are you running the AWS load balancers in? You probably want to
>> run them as TCP load balancers and not HTTP. That way as you say the SNI
>> will not get messed with.
>> On Sat, 20 Jan 2018 at 4:45 am, Marc Boorshtein wrote:
>>
>>> So if I bypass the AWS load balancer, everything works great.  Why
>>> doesn't HAProxy like the incoming requests?  I'm trying to debug the issue
>>> by enabling logging with
>>>
>>> oc set env dc/router ROUTER_SYSLOG_ADDRESS=127.0.0.1 ROUTER_LOG_LEVEL=debug
>>>
>>> But the logging doesn't seem to get there (I also tried a remote server as 
>>> well).  I'm guessing this is probably an SNI configuration issue?
>>>
>>>
>>>
>>> On Fri, Jan 19, 2018 at 11:59 AM Marc Boorshtein wrote:
>>>
>>>> I'm running origin 3.7 on AWS.  I have an AWS load balancer in front of
>>>> my infrastructure node.  I have a pod listening on TLS on port 9090.  The
>>>> service links to the pod and then I have a route that is set up with
>>>> passthrough TLS to the pod, but every time I try to access it I get the
>>>> "Application is not available" screen even though looking in the console the
>>>> service references both the router and the pod.  I have deployments that do
>>>> the same thing but will only work with re-encrypt.  Am I missing
>>>> something?  Is there an issue using the AWS load balancer with passthrough?
>>>>
>>>> Thanks
>>>>
___
users mailing list
users@lists.openshift.redhat.com
http://lists.openshift.redhat.com/openshiftmm/listinfo/users


Re: Passthrough TLS route not working

2018-01-19 Thread Joel Pearson
In the reference implementation they use Classic ELB load balancers in TCP
mode:

See this cloud formation template:
https://github.com/openshift/openshift-ansible-contrib/blob/master/reference-architecture/aws-ansible/playbooks/roles/cloudformation-infra/files/greenfield.json.j2#L763

On Sat, Jan 20, 2018 at 8:55 AM Joel Pearson wrote:

> What mode are you running the AWS load balancers in? You probably want to
> run them as TCP load balancers and not HTTP. That way as you say the SNI
> will not get messed with.
> On Sat, 20 Jan 2018 at 4:45 am, Marc Boorshtein wrote:
>
>> So if I bypass the AWS load balancer, everything works great.  Why
>> doesn't HAProxy like the incoming requests?  I'm trying to debug the issue
>> by enabling logging with
>>
>> oc set env dc/router ROUTER_SYSLOG_ADDRESS=127.0.0.1 ROUTER_LOG_LEVEL=debug
>>
>> But the logging doesn't seem to get there (I also tried a remote server as 
>> well).  I'm guessing this is probably an SNI configuration issue?
>>
>>
>>
>> On Fri, Jan 19, 2018 at 11:59 AM Marc Boorshtein wrote:
>>
>>> I'm running origin 3.7 on AWS.  I have an AWS load balancer in front of
>>> my infrastructure node.  I have a pod listening on TLS on port 9090.  The
>>> service links to the pod and then I have a route that is set up with
>>> passthrough TLS to the pod, but every time I try to access it I get the
>>> "Application is not available" screen even though looking in the console the
>>> service references both the router and the pod.  I have deployments that do
>>> the same thing but will only work with re-encrypt.  Am I missing
>>> something?  Is there an issue using the AWS load balancer with passthrough?
>>>
>>> Thanks
>>>


Re: Passthrough TLS route not working

2018-01-19 Thread Joel Pearson
What mode are you running the AWS load balancers in? You probably want to
run them as TCP load balancers and not HTTP. That way as you say the SNI
will not get messed with.
On Sat, 20 Jan 2018 at 4:45 am, Marc Boorshtein wrote:

> So if I bypass the AWS load balancer, everything works great.  Why doesn't
> HAProxy like the incoming requests?  I'm trying to debug the issue by
> enabling logging with
>
> oc set env dc/router ROUTER_SYSLOG_ADDRESS=127.0.0.1 ROUTER_LOG_LEVEL=debug
>
> But the logging doesn't seem to get there (I also tried a remote server as 
> well).  I'm guessing this is probably an SNI configuration issue?
>
>
>
> On Fri, Jan 19, 2018 at 11:59 AM Marc Boorshtein wrote:
>
>> I'm running origin 3.7 on AWS.  I have an AWS load balancer in front of
>> my infrastructure node.  I have a pod listening on TLS on port 9090.  The
>> service links to the pod and then I have a route that is set up with
>> passthrough TLS to the pod, but every time I try to access it I get the
>> "Application is not available" screen even though looking in the console the
>> service references both the router and the pod.  I have deployments that do
>> the same thing but will only work with re-encrypt.  Am I missing
>> something?  Is there an issue using the AWS load balancer with passthrough?
>>
>> Thanks
>>


Re: Passthrough TLS route not working

2018-01-19 Thread Marc Boorshtein
So if I bypass the AWS load balancer, everything works great.  Why doesn't
HAProxy like the incoming requests?  I'm trying to debug the issue by
enabling logging with

oc set env dc/router ROUTER_SYSLOG_ADDRESS=127.0.0.1 ROUTER_LOG_LEVEL=debug

But the logging doesn't seem to get there (I also tried a remote
server as well).  I'm guessing this is probably an SNI configuration
issue?



On Fri, Jan 19, 2018 at 11:59 AM Marc Boorshtein wrote:

> I'm running origin 3.7 on AWS.  I have an AWS load balancer in front of my
> infrastructure node.  I have a pod listening on TLS on port 9090.  The
> service links to the pod and then I have a route that is set up with
> passthrough TLS to the pod, but every time I try to access it I get the
> "Application is not available" screen even though looking in the console the
> service references both the router and the pod.  I have deployments that do
> the same thing but will only work with re-encrypt.  Am I missing
> something?  Is there an issue using the AWS load balancer with passthrough?
>
> Thanks
>