spring-cloud/spring-cloud-gateway

Add a way to disable ProxyExchange hostname verification

Open

#346 opened on Jun 3, 2018

View on GitHub
 (2 comments) (0 reactions) (0 assignees)Java (3,204 forks)batch import
enhancementhelp wanted

Repository metrics

Stars
 (4,284 stars)
PR merge metrics
 (Avg merge 1d 21h) (18 merged PRs in 30d)

Description

I'm attempting to use gateway to bypass a load balancer and proxy a prometheus scrape request. I'm hitting an IP address directly, and setting the host header that the server is expecting.

This causes ssl issues.

I attempted to set spring.cloud.gateway.httpclient.ssl.use-insecure-trust-manager=true which got me past the initial error, but it now fails hostname verification:

  Caused by: java.security.cert.CertificateException: No subject alternative names matching IP address 1.2.3.4 found
     at sun.security.util.HostnameChecker.matchIP(HostnameChecker.java:168) ~[na:1.8.0_162]
     at sun.security.util.HostnameChecker.match(HostnameChecker.java:94) ~[na:1.8.0_162]
     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:455) ~[na:1.8.0_162]
     at sun.security.ssl.X509TrustManagerImpl.checkIdentity(X509TrustManagerImpl.java:436) ~[na:1.8.0_162]
     at sun.security.ssl.X509TrustManagerImpl.checkTrusted(X509TrustManagerImpl.java:252) ~[na:1.8.0_162]
     at sun.security.ssl.X509TrustManagerImpl.checkServerTrusted(X509TrustManagerImpl.java:136) ~[na:1.8.0_162]
     at org.cloudfoundry.security.FileWatchingX509ExtendedTrustManager.checkServerTrusted(FileWatchingX509ExtendedTrustManager.java:73) ~[container_security_provider-1.11.0_RELEASE.jar:1.11.0.RELEASE]

Contributor guide