Uploaded image for project: 'Red Hat 3scale API Management'
  1. Red Hat 3scale API Management
  2. THREESCALE-6394

Document TLS issues with Fuse custom policy

XMLWordPrintable

    • Icon: Task Task
    • Resolution: Done
    • Icon: Major Major
    • 2.9 GA, 2.10 GA
    • 2.9 GA
    • Documentation
    • None
    • integration-doc-2020-12-07, integration-doc-2020-12-28, 3scale-doc-2021-01-04, 3scale-doc-2021-01-25, 3scale-doc-2021-02-15

      Talking to folk trying to implement Fuse custom policy and one thing we could help clarify better is the support for TLS (HTTPS) when implementing a custom policy in Fuse.

      We need to explain that HTTP tunneling, i.e. CONNECT verb, is not (intentionally) supported.

      We cannot support it, as in that case the traffic would be end-to-end encrypted, and the point of adding the custom policy is to mediate the traffic.

      We can and do support exposing the Fuse custom policy via TLS (HTTPS), in order to have the traffic encrypted, but the proxy protocol is HTTP proxy protocol, not HTTP tunneling.

      In essence there are at least two HTTPS sessions: client to APICast and then APICast to Fuse custom policy. Most commonly there is a third: Fuse custom policy to the backend service.

      For that reason using a HTTP client with configured HTTPS proxy will not be successful, as any/most HTTP clients when connecting through a HTTP proxy towards a HTTPS backend will use HTTP tunnelling (the CONNECT verb).

      When connecting to HTTPS backend services via Fuse custom policy proxy APICast will use HTTP proxy protocol, and that's why this issue can be only seen if trying to connect directly to the Fuse custom policy proxy, i.e. bypassing APICast.

      Instead of a HTTP client to test the Fuse custom policy proxy one can use netcat, for example:

      $ print "GET https://example.com HTTP/1.1\nHost: example.com\nAccept: */*\n\n" | ncat --no-shutdown --ssl camel-proxy 8443
      

      That example connects to camel-proxy host on port 8443 using TLS, indicated by the --ssl parameter of netcat and creates a HTTP proxy request (notice the full URL after the GET verb).

      cc stmccart1@redhat.com ecotoper

              Unassigned Unassigned
              zregvart@redhat.com Zoran Regvart
              Stephen McCarthy Stephen McCarthy
              Stephen McCarthy Stephen McCarthy
              Votes:
              2 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated:
                Resolved: