
Contour WebSocket Secure traffic throwing 503 errors via end-to-end TLS over 443 #963

Closed
krisdock opened this issue Mar 28, 2019 · 3 comments

@krisdock

What steps did you take and what happened:
Trying to use Contour to not only allow HTTPS path based route matching/fanout to two backend webserver pods/containers (either via passthrough or termination/re-sign hop), but also a third backend that listens/replies to WebSocket Secure (wss) requests.

In order to take advantage of multi-HTTPS path based routing/fanout, the contour.heptio.com/upstream-protocol.h2: "443" service annotation has been used on the fronting services. Unfortunately, this method doesn’t offer TLS certificate validation of the backend connection, which appears to be required for WebSocket Secure communication (e.g. receiving 503 errors - “Error during WebSocket handshake: Unexpected response code: 503”).

What did you expect to happen:
The TLS connection to be successful.

Anything else you would like to add:
We are able to successfully establish websocket over HTTP (port 80).

Tried adding/removing the h2 suffix from the service annotation referenced above, though the same error result occurs.

Noticed in the following article that WebSocket Secure may not be possible over HTTP/2, and HTTP1 must be used? (https://daniel.haxx.se/blog/2016/06/15/no-websockets-over-http2/)

Sample to help with understanding and developing the solution: A sample project with Play/Akka backend can be found here: https://github.com/jdelgadillo/contour-sample. Here's the yaml to deploy to k8s: https://github.com/jdelgadillo/contour-sample/blob/master/kubernetes/playapp.yaml.

The contour-test-public.westus2.cloudapp.azure.com value can be replaced with the public hostname of your cluster/contour ingress endpoint (currently port 80 is specified on line 83 but need it to be 443 without throwing an error, which it currently does).
The WebSocket connection can be found here using port 80 on the backend (but again, require backend traffic over port 443 without errors): wss://contour-test-public.westus2.cloudapp.azure.com/ws
HTTP is also enabled here: https://contour-test-public.westus2.cloudapp.azure.com/, but fails when changing to 443

Environment:

  • Contour version:
  • Kubernetes version: (use kubectl version): 1.12.5
  • Kubernetes installer & version:
  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release):

stevesloka self-assigned this Mar 28, 2019

@stevesloka
Member

#569 #406 #813 #852

@davecheney
Contributor

@krisdock thank you for raising this issue. I'm going to close it as a duplicate of #813.

Duplicates #813

@davecheney
Contributor

Please see #406 (comment)
