envoyproxy/envoy

Certificates for double proxy (mTLS)

Open

#26.228 aperta il 21 mar 2023

Vedi su GitHub
 (4 commenti) (0 reazioni) (1 assegnatario)C++ (5373 fork)batch import
area/docsarea/examplesbughelp wantedinvestigatequestion

Metriche repository

Star
 (27.997 star)
Metriche merge PR
 (Merge medio 8g) (378 PR mergiate in 30 g)

Descrizione

Title: Certificates for double proxy (mTLS)

Description:

The envoy docs has an example of running double proxy using Envoy for postgres. However, the docs does not cover which certificate is to be used where. The guide generates 2 certificates with the same key. The docker-compose file in the repo refers to the certificates in a different name, making it not clear on which certificate to use on which machine(container).

A section to clarify that in the guide would be helpful.

I am following the same guide and have generated certificates for AWS EC2's internal DNS name. However I get the error TLS error: 268435581:SSL routines:OPENSSL_internal:CERTIFICATE_VERIFY_FAILED on the client side and TLS error: 268436502:SSL routines:OPENSSL_internal:SSLV3_ALERT_CERTIFICATE_UNKNOWN on the server side.

Server Envoy TLS config section -

transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          require_client_certificate: true
          common_tls_context:
            validation_context:
              trusted_ca:
                filename: /home/ubuntu/certs/ca.crt
            tls_certificates:
              - certificate_chain: { filename: "/home/ubuntu/certs/ip-10-0-101-153.ap-south-1.compute.internal.crt" } # ip-10-0-101-153 is the IP of the server machine
                private_key: { filename: "/home/ubuntu/certs/ap-south-1.compute.internal.key" }

Client Envoy TLS config section -

transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.UpstreamTlsContext
          common_tls_context:
            tls_certificates:
            - certificate_chain:
                filename: /home/ubuntu/certs/ip-10-0-101-74.ap-south-1.compute.internal.crt # ip-10-0-101-74 is the IP of the client machine
              private_key:
                filename: /home/ubuntu/certs/ap-south-1.compute.internal.key
                #tls_params:
                #tls_minimum_protocol_version: TLSv1_2
                #tls_maximum_protocol_version: TLSv1_2
            validation_context:
              match_subject_alt_names:
                - exact: ip-10-0-101-74.ap-south-1.compute.amazonaws.com
              trusted_ca:
                filename: /home/ubuntu/certs/ca.crt

[optional Relevant Links:] https://www.envoyproxy.io/docs/envoy/latest/start/sandboxes/double-proxy

Guida contributor