I use a Kubernetes cluster with haproxy-ingress in TCP mode to transfer traffic to more nginx servers that will terminate SSL connections,
and there are some configs that are specified.
Config for daemonset with haproxy-ingress
data:
  proxy-body-size: "20m"
  log-format: https-log-format
  balance-algorithm: roundrobin
  nbproc: "4"
  nbthread: "4"
and there is config for ingress
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/ssl-passthrough: "true"
    kubernetes.io/ingress.class: "haproxy"
22.01.2019, 16:59, "Maxim Dounin" <mdou...@mdounin.ru>:
Hello!
On Mon, Jan 21, 2019 at 11:59:25PM +0300, Алексей wrote:

I use nginx 1.13.6 as a server for mutual TLS auth with client certs

Note that 1.13.6 is a mainline version which is not supported
since the release of 1.13.7 on 21 Nov 2017. You may want to upgrade
to a more recent version, e.g., latest mainline is 1.15.8.

During ab test I get errors ssl read failed(5) closing connection

Error 5 is SSL_ERROR_SYSCALL, which suggests that further information is
available in errno, and ab does not try to test/log errno. You
may want to use strace / ktrace / truss to find out which error
actually happened.

In nginx log (debug mode) I get
2019/01/21 23:50:01 [debug] 26#26: *27497 http check ssl handshake
2019/01/21 23:50:01 [debug] 26#26: *27497 http recv(): 1
2019/01/21 23:50:01 [debug] 26#26: *27497 https ssl handshake: 0x16
2019/01/21 23:50:01 [debug] 26#26: *27497 tcp_nodelay
2019/01/21 23:50:01 [debug] 26#26: *27497 SSL server name: "meteotravel.ru"
2019/01/21 23:50:01 [debug] 26#26: *27497 SSL_do_handshake: -1
2019/01/21 23:50:01 [debug] 26#26: *27497 SSL_get_error: 2
2019/01/21 23:50:01 [debug] 26#26: *27497 reusable connection: 0
2019/01/21 23:50:02 [debug] 26#26: *27497 SSL handshake handler: 0
2019/01/21 23:50:02 [debug] 26#26: *27497 SSL_do_handshake: -1
2019/01/21 23:50:02 [debug] 26#26: *27497 SSL_get_error: 5
2019/01/21 23:50:02 [info] 26#26: *27497 peer closed connection in SSL handshake while SSL handshaking, client: 10.244.5.0, server: 0.0.0.0:443

From nginx's point of view, the connection was closed by the client.
The error as returned by OpenSSL is SSL_ERROR_SYSCALL, and errno
is 0 so it is not logged. This indicates a clean TCP-level
connection close by the other side.
Maxim Dounin
http://mdounin.ru/
_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
--
Best regards, Алексей.
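
An added example, not part of the original thread or of nginx itself: a small Python classifier that groups nginx debug-log lines by connection id and applies the reading given in the reply above (SSL_ERROR_SYSCALL with no errno in the log line means a clean TCP close by the peer). Connection *27498 in the sample is constructed, and the code assumes nginx appends "(errno: text)" to the message only when errno is non-zero.

```python
import re
from collections import defaultdict

# Subset of OpenSSL SSL_get_error() return codes
SSL_ERRORS = {0: "SSL_ERROR_NONE", 1: "SSL_ERROR_SSL", 2: "SSL_ERROR_WANT_READ",
              3: "SSL_ERROR_WANT_WRITE", 5: "SSL_ERROR_SYSCALL", 6: "SSL_ERROR_ZERO_RETURN"}
LINE = re.compile(r"\[(?P<level>\w+)\] \d+#\d+: \*(?P<conn>\d+) (?P<msg>.*)")
GET_ERROR = re.compile(r"SSL_get_error: (\d+)")
# Assumption: the "(errno: text)" part is present only when errno != 0
PEER_CLOSED = re.compile(r"peer closed connection in SSL handshake(?: \((\d+): ([^)]*)\))?")
CLIENT = re.compile(r"client: ([^,\s]+)")

# *27497 lines are taken from the thread; *27498 lines are constructed for contrast
SAMPLE_LOG = """\
2019/01/21 23:50:01 [debug] 26#26: *27497 SSL_do_handshake: -1
2019/01/21 23:50:01 [debug] 26#26: *27497 SSL_get_error: 2
2019/01/21 23:50:02 [debug] 26#26: *27497 SSL_get_error: 5
2019/01/21 23:50:02 [info] 26#26: *27497 peer closed connection in SSL handshake while SSL handshaking, client: 10.244.5.0, server: 0.0.0.0:443
2019/01/21 23:50:03 [debug] 26#26: *27498 SSL_get_error: 5
2019/01/21 23:50:03 [info] 26#26: *27498 peer closed connection in SSL handshake (104: Connection reset by peer) while SSL handshaking, client: 10.244.5.1, server: 0.0.0.0:443
"""

def classify_handshakes(log_text):
    """Return {conn_id: {"errors": [...], "client": ..., "verdict": ...}}."""
    conns = defaultdict(lambda: {"errors": [], "client": None,
                                 "verdict": "no handshake failure logged"})
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue
        c, msg = conns[m["conn"]], m["msg"]
        if (e := GET_ERROR.search(msg)):
            code = int(e[1])
            c["errors"].append(SSL_ERRORS.get(code, f"unknown({code})"))
        if (p := PEER_CLOSED.search(msg)):
            cl = CLIENT.search(msg)
            c["client"] = cl[1] if cl else None
            if p[1] is None:   # no errno logged: orderly close (FIN) from the peer
                c["verdict"] = "clean TCP close by peer during handshake (errno 0)"
            else:              # errno logged: e.g. reset, timeout
                c["verdict"] = f"peer close with errno {p[1]} ({p[2]})"
    return dict(conns)

if __name__ == "__main__":
    for conn, info in classify_handshakes(SAMPLE_LOG).items():
        print(conn, info["client"], info["errors"], info["verdict"])
```

With SSL passthrough, the `client:` address is whatever connects to nginx directly, so a clean close here can originate from the proxy hop rather than from the end client.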