spring-cloud/spring-cloud-gateway

Add a way to disable ProxyExchange hostname verification

Open

#346 aperta il 3 giu 2018

Vedi su GitHub
 (2 commenti) (0 reazioni) (0 assegnatari)Java (3204 fork)batch import
enhancementhelp wanted

Metriche repository

Star
 (4284 star)
Metriche merge PR
 (Merge medio 1g 21h) (18 PR mergiate in 30 g)

Descrizione

I'm attempting to use gateway to bypass a load balancer and proxy a prometheus scrape request. I'm hitting an IP address directly, and setting the host header that the server is expecting.

This causes ssl issues.

I attempted to set spring.cloud.gateway.httpclient.ssl.use-insecure-trust-manager=true which got me past the initial error, but it now fails hostname verification:

  Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 1.2.3.4 found
     at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168) ~[na:1.8.0_162]
     at sun.security.util.HostnameChecker.match(HostnameChecker.java:94) ~[na:1.8.0_162]
     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) ~[na:1.8.0_162]
     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) ~[na:1.8.0_162]
     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252) ~[na:1.8.0_162]
     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[na:1.8.0_162]
     at org.cloudfoundry.security.FileWatchingX509ExtendedTrustManager.checkServerTrusted(FileWatchingX509ExtendedTrustManager.java:73) ~[container_security_provider-1.11.0_RELEASE.jar:1.11.0.RELEASE]

Guida contributor