Add directive for SSL Server block #1934

Merged
merged 5 commits into from
May 7, 2024

@salonichf5 salonichf5 commented May 6, 2024

Proposed changes

Problem: Users want to configure BackendTLS successfully with NGF.

Solution: Adds a directive proxy_ssl_server_name on in the server location block to avoid connection resets during SSL handshake.

Testing: Manual testing by installing NGF and verifying /etc/nginx/nginx.conf. Working with example

sa.choudhary@N9939CQ4P0 ~ % curl --resolve secure-app.example.com:$GW_PORT:$GW_IP http://secure-app.example.com:$GW_PORT/
Handling connection for 8080
hello from pod secure-app

nginx.conf

location / {
    proxy_set_header Host "$gw_api_compliant_host";
    proxy_set_header X-Forwarded-For "$proxy_add_x_forwarded_for";
    proxy_set_header Upgrade "$http_upgrade";
    proxy_set_header Connection "$connection_upgrade";
    proxy_pass https://default_secure-app_8443$request_uri;
    proxy_http_version 1.1;
    proxy_ssl_server_name on;
    proxy_ssl_verify on;
    proxy_ssl_name secure-app.example.com;
    proxy_ssl_trusted_certificate /etc/nginx/secrets/cert_bundle_default_backend-cert.crt;
}

Please focus on (optional): If you have any specific areas where you would like reviewers to focus their attention or provide
specific feedback, add them here.

Closes #1836

Checklist

Before creating a PR, run through this checklist and mark each as complete.

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

Release notes

If this PR introduces a change that affects users and needs to be mentioned in the release notes,
please add a brief note that summarizes the change.

Fixed issue when using BackendTLSPolicy that led to failed connections.
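
An added example, not code from this PR or from NGF: a small Go check that automates the manual nginx.conf verification described under Testing, reporting each location that proxies to an https:// upstream without the four backend-TLS directives shown in the excerpt above. It assumes one directive per line and no nested blocks inside a location; the function name `auditBackendTLS` and the sample config are constructed for illustration.

```go
package main

import "fmt"
import "strings"

// Constructed sample: "/" mirrors the nginx.conf excerpt above; "/legacy" omits the SNI directive.
const sampleConf = `
location / {
    proxy_pass https://default_secure-app_8443$request_uri;
    proxy_ssl_server_name on;
    proxy_ssl_verify on;
    proxy_ssl_name secure-app.example.com;
    proxy_ssl_trusted_certificate /etc/nginx/secrets/cert_bundle_default_backend-cert.crt;
}
location /legacy {
    proxy_pass https://default_secure-app_8443$request_uri;
    proxy_ssl_verify on;
    proxy_ssl_name secure-app.example.com;
    proxy_ssl_trusted_certificate /etc/nginx/secrets/cert_bundle_default_backend-cert.crt;
}`

// required pairs each backend-TLS directive with the value it must have ("" accepts any value).
var required = [][2]string{{"proxy_ssl_server_name", "on"}, {"proxy_ssl_verify", "on"},
	{"proxy_ssl_name", ""}, {"proxy_ssl_trusted_certificate", ""}}

// auditBackendTLS returns, for each location whose proxy_pass targets https://,
// the required directives that are absent or set to the wrong value.
func auditBackendTLS(conf string) map[string][]string {
	findings, loc := map[string][]string{}, ""
	var seen map[string]string // nil while outside a location block
	for _, raw := range strings.Split(conf, "\n") {
		f := strings.Fields(strings.TrimSuffix(strings.TrimSpace(raw), ";"))
		switch {
		case len(f) >= 3 && f[0] == "location" && f[len(f)-1] == "{":
			loc, seen = strings.Join(f[1:len(f)-1], " "), map[string]string{}
		case len(f) == 1 && f[0] == "}" && seen != nil:
			for _, r := range required {
				v, ok := seen[r[0]]
				if strings.HasPrefix(seen["proxy_pass"], "https://") && (!ok || (r[1] != "" && v != r[1])) {
					findings[loc] = append(findings[loc], r[0])
				}
			}
			seen = nil
		case len(f) >= 2 && seen != nil:
			seen[f[0]] = strings.Join(f[1:], " ")
		}
	}
	return findings
}

func main() { fmt.Println(auditBackendTLS(sampleConf)) }
```

On the constructed sample it reports only `/legacy`, with `proxy_ssl_server_name` missing; plain `http://` upstreams are skipped.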

@salonichf5 salonichf5 requested a review from a team as a code owner May 6, 2024 20:13
@github-actions github-actions bot added the bug Something isn't working label May 6, 2024
@salonichf5 salonichf5 self-assigned this May 6, 2024
@sjberman
Contributor

sjberman commented May 7, 2024

Can you update the release note section in the PR description to say something like "Fixed issue when using BackendTLSPolicy that led to failed connections."

@sjberman
Contributor

sjberman commented May 7, 2024

Be sure to re-verify with the BackendTLSPolicy example to ensure it works.

@salonichf5
Contributor Author

Yes, just verified it with the new location and if it picks the right path proxy or grpc

Be sure to re-verify with the BackendTLSPolicy example to ensure it works.

@salonichf5 salonichf5 requested a review from sjberman May 7, 2024 18:24
@salonichf5 salonichf5 merged commit 97c37e5 into nginxinc:main May 7, 2024
40 checks passed
Labels
bug Something isn't working release-notes
Projects
Status: Done
Development

Successfully merging this pull request may close these issues.

BackendTLS Policy support is not working
3 participants