How to make calls to https endpoints that use non-standard http ports (port 443)

endpoints like

linkerd config

   routers:
    - protocol: http
      label: outgoing
      dtab: |
        /ph         => /$/io.buoyant.rinet;
        /external   => /$/io.buoyant.porthostPfx/ph | /ph/80;
        /srv        => /#/daemonset/default/http & /#/daemonset/zipkin/http | /#/daemonset/hello/http;
        /srv        => /#/daemonset/cnet/http;
        /host       => /srv;
        /svc        => /host | /external;
        /host/world => /srv/world-v1;
      servers:
      - port: 4140
        ip: 0.0.0.0
      # a router takes a single client: section; the two that were here are merged
      client:
        kind: io.l5d.static
        configs:
        - prefix: /$/io.buoyant.rinet/443/{hostname}
          tls:
            commonName: "{hostname}"
          failureAccrual:
            kind: io.l5d.consecutiveFailures
            failures: 1
            backoff:
              kind: constant
              ms: 100000

Issue

Able to route to https://foo.corp.bar.com/query/id?wsdl over https on port 443
http_proxy=$L5D:4140 curl http://foo.corp.bar.com:443/query/id?wsdl
and it works!

But one of my endpoints works on other ports, http://foo.corp.bar.com:1122/query/id?wsdl

http_proxy=$L5D:4140 curl http://foo.corp.bar.com:1122/query/id?wsdl

Routing issue!

Hi @zshaik,

The configuration that you’re using only uses TLS when sending to port 443. You can see that in the config here:

        - prefix: /$/io.buoyant.rinet/443/{hostname}
          tls:
            commonName: "{hostname}"

Of course, you can modify this configuration for your needs. Linkerd just needs some way to know which requests to use TLS for and which ones not to. You could add to the whitelist of TLS ports:

        - prefix: /$/io.buoyant.rinet/443/{hostname}
          tls:
            commonName: "{hostname}"
        - prefix: /$/io.buoyant.rinet/1122/{hostname}
          tls:
            commonName: "{hostname}"

Or you could use TLS for all egress requests:

        - prefix: /$/io.buoyant.rinet/*/{hostname}
          tls:
            commonName: "{hostname}"

Or you could set up a separate router that always uses TLS and let the application pick which router it sends to depending on whether it wants TLS or not.

There are lots of options, hopefully this works for you!
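As an added illustration of the "separate router" option (example config written for this page, not posted by anyone in the thread): one router on 4140 keeps the original behaviour, a second router on 4141 wraps every egress connection in TLS regardless of port. The 4141 port, the loopback bind address, and the CA path under `trustCerts` are assumptions.

```yaml
# Added example, not from the original thread.
routers:
- protocol: http
  label: outgoing
  dtab: |
    /ph       => /$/io.buoyant.rinet;
    /external => /$/io.buoyant.porthostPfx/ph | /ph/80;
    /svc      => /external;
  servers:
  - port: 4140
    ip: 0.0.0.0
  client:
    kind: io.l5d.static
    configs:
    # plaintext by default; only the conventional TLS port is upgraded
    - prefix: /$/io.buoyant.rinet/443/{hostname}
      tls:
        commonName: "{hostname}"

- protocol: http
  label: outgoing-tls
  dtab: |
    /ph       => /$/io.buoyant.rinet;
    /external => /$/io.buoyant.porthostPfx/ph | /ph/443;
    /svc      => /external;
  servers:
  - port: 4141        # assumed port for the always-TLS router
    ip: 127.0.0.1     # assumed: only processes on this host may use it
  client:
    kind: io.l5d.static
    configs:
    # every port: an app that sends here has asked for TLS explicitly,
    # so a plaintext-only upstream fails the handshake instead of
    # silently downgrading
    - prefix: /$/io.buoyant.rinet/*/{hostname}
      tls:
        commonName: "{hostname}"
        # validate the server certificate against the internal CA
        # (assumed path) rather than the JVM default trust store
        trustCerts:
        - /etc/linkerd/corp-ca.pem

# usage, matching the question's command:
#   http_proxy=$L5D:4141 curl http://foo.corp.bar.com:1122/query/id?wsdl
```

With this split, a request to `foo.corp.bar.com:1122` through 4140 stays plaintext and through 4141 goes over TLS with the certificate checked against `foo.corp.bar.com`.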
