|
| 1 | +--- |
| 2 | +title: "TLS Passthrough" |
| 3 | +weight: 600 |
| 4 | +toc: true |
| 5 | +docs: "DOCS-1421" |
| 6 | +--- |
| 7 | + |
| 8 | +Learn how to passthrough TLS connection using NGINX Gateway Fabric. |
| 9 | + |
| 10 | +## Overview |
| 11 | + |
| 12 | +In this guide, we will show how to configure TLS passthrough for your application, using a [TLSRoute](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute). |
| 13 | + |
| 14 | +## Before you begin |
| 15 | + |
| 16 | +- [Install]({{< relref "installation/" >}}) NGINX Gateway Fabric. |
| 17 | +- Save the public IP address and port of NGINX Gateway Fabric into shell variables: |
| 18 | + |
| 19 | + ```text |
| 20 | + GW_IP=XXX.YYY.ZZZ.III |
| 21 | + GW_PORT=<port number> |
| 22 | + ``` |
| 23 | + |
| 24 | + Save the ports of NGINX Gateway Fabric: |
| 25 | + |
| 26 | + ```text |
| 27 | + GW_HTTP_PORT=<http port number> |
| 28 | + GW_HTTPS_PORT=<https port number> |
| 29 | + ``` |
| 30 | + |
| 31 | +{{< note >}}In a production environment, you should have a DNS record for the external IP address that is exposed, and it should refer to the hostname that the gateway will forward for.{{< /note >}} |
| 32 | + |
| 33 | +Create the tls-backend application by copying and pasting the following block into your terminal: |
| 34 | + |
| 35 | +```yaml |
| 36 | +kubectl apply -f - <<EOF |
| 37 | +apiVersion: apps/v1 |
| 38 | +kind: Deployment |
| 39 | +metadata: |
| 40 | + name: secure-app |
| 41 | +spec: |
| 42 | + replicas: 1 |
| 43 | + selector: |
| 44 | + matchLabels: |
| 45 | + app: secure-app |
| 46 | + template: |
| 47 | + metadata: |
| 48 | + labels: |
| 49 | + app: secure-app |
| 50 | + spec: |
| 51 | + containers: |
| 52 | + - name: secure-app |
| 53 | + image: nginxdemos/nginx-hello:plain-text |
| 54 | + ports: |
| 55 | + - containerPort: 8443 |
| 56 | + volumeMounts: |
| 57 | + - name: secret |
| 58 | + mountPath: /etc/nginx/ssl |
| 59 | + readOnly: true |
| 60 | + - name: config-volume |
| 61 | + mountPath: /etc/nginx/conf.d |
| 62 | + volumes: |
| 63 | + - name: secret |
| 64 | + secret: |
| 65 | + secretName: app-tls-secret |
| 66 | + - name: config-volume |
| 67 | + configMap: |
| 68 | + name: secure-config |
| 69 | +--- |
| 70 | +apiVersion: v1 |
| 71 | +kind: Service |
| 72 | +metadata: |
| 73 | + name: secure-app |
| 74 | +spec: |
| 75 | + ports: |
| 76 | + - port: 8443 |
| 77 | + targetPort: 8443 |
| 78 | + protocol: TCP |
| 79 | + name: https |
| 80 | + selector: |
| 81 | + app: secure-app |
| 82 | +--- |
| 83 | +apiVersion: v1 |
| 84 | +kind: ConfigMap |
| 85 | +metadata: |
| 86 | + name: secure-config |
| 87 | +data: |
| 88 | + app.conf: |- |
| 89 | + server { |
| 90 | + listen 8443 ssl; |
| 91 | + listen [::]:8443 ssl; |
| 92 | +
|
| 93 | + server_name app.example.com; |
| 94 | +
|
| 95 | + ssl_certificate /etc/nginx/ssl/tls.crt; |
| 96 | + ssl_certificate_key /etc/nginx/ssl/tls.key; |
| 97 | +
|
| 98 | + default_type text/plain; |
| 99 | +
|
| 100 | + location / { |
| 101 | + return 200 "hello from pod $hostname\n"; |
| 102 | + } |
| 103 | + } |
| 104 | +--- |
| 105 | +apiVersion: v1 |
| 106 | +kind: Secret |
| 107 | +metadata: |
| 108 | + name: app-tls-secret |
| 109 | +data: |
| 110 | + tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSURGRENDQWZ3Q0NRQ3EzQWxhdnJiaWpqQU5CZ2txaGtpRzl3MEJBUXNGQURCTU1Rc3dDUVlEVlFRR0V3SlYKVXpFTE1Ba0dBMVVFQ0F3Q1EwRXhGakFVQmdOVkJBY01EVk5oYmlCR2NtRnVZMmx6WTI4eEdEQVdCZ05WQkFNTQpEMkZ3Y0M1bGVHRnRjR3hsTG1OdmJUQWVGdzB5TURBek1qTXlNekl3TkROYUZ3MHlNekF6TWpNeU16SXdORE5hCk1Fd3hDekFKQmdOVkJBWVRBbFZUTVFzd0NRWURWUVFJREFKRFFURVdNQlFHQTFVRUJ3d05VMkZ1SUVaeVlXNWoKYVhOamJ6RVlNQllHQTFVRUF3d1BZWEJ3TG1WNFlXMXdiR1V1WTI5dE1JSUJJakFOQmdrcWhraUc5dzBCQVFFRgpBQU9DQVE4QU1JSUJDZ0tDQVFFQTJCRXhZR1JPRkhoN2VPMVlxeCtWRHMzRzMrVEhyTEZULzdEUFFEQlkza3pDCi9oZlprWCt3OW1NNkQ1RU9uK2lpVlNhUWlQMm1aNFA3N29pR0dmd3JrNjJ0eEQ5cHphODM5NC9aSjF5Q0dXZ1QKK2NWUEVZbkxjQktzSTRMcktJZ21oWVIwUjNzWWRjR1JkSXJWUFZlNUVUQlk1Z1U0RGhhMDZOUEIraitmK0krWgphWGIvMlRBekJhNHozMWpIQzg2amVQeTFMdklGazFiY3I2cSsxRGR5eklxcWxkRDYvU3Q4Q2t3cDlOaDFCUGFhCktZZ1ZVd010UVBib2s1cFFmbVMrdDg4NHdSM0dTTEU4VkxRbzgyYnJhNUR3emhIamlzOTlJRGhzbUt0U3lWOXMKaWNJbXp5dHBnSXlhTS9zWEhRQU9KbVFJblFteWgyekd1WFhTQ0lkRGtRSURBUUFCTUEwR0NTcUdTSWIzRFFFQgpDd1VBQTRJQkFRQ0tsVkhOZ1k5VHZLaW9Xb0tvdllCdnNRMmYrcmFOOEJwdWNDcnRvRm15NUczcGIzU2lPTndaCkF2cnhtSm4vR3lsa3JKTHBpQVA1eUNBNGI2Y2lYMnRGa3pQRmhJVFZKRTVBeDlpaEF2WWZwTUFSdWVqM29HN2UKd0xwQk1iUnlGbHJYV29NWUVBMGxsV0JueHRQQXZYS2Y4SVZGYTRSSDhzV1JJSDB4M2hFdjVtQ3VUZjJTRTg0QwpiNnNjS3Z3MW9CQU5VWGxXRVZVYTFmei9rWWZBa1lrdHZyV2JUcTZTWGxodXRJYWY4WEYzSUMrL2x1b3gzZThMCjBBcEFQVE5sZ0JwOTkvcXMrOG9PMWthSmQ1TmV6TnlJeXhSdUtJMzlDWkxuQm9OYmkzdlFYY1NzRCtYU2lYT0cKcEVnTjNtci8xRms4OVZMSENhTnkyKzBqMjZ0eWpiclcKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo= |
| 111 | + tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2Z0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktnd2dnU2tBZ0VBQW9JQkFRRFlFVEZnWkU0VWVIdDQKN1Zpckg1VU96Y2JmNU1lc3NWUC9zTTlBTUZqZVRNTCtGOW1SZjdEMll6b1BrUTZmNktKVkpwQ0kvYVpuZy92dQppSVlaL0N1VHJhM0VQMm5OcnpmM2o5a25YSUlaYUJQNXhVOFJpY3R3RXF3amd1c29pQ2FGaEhSSGV4aDF3WkYwCml0VTlWN2tSTUZqbUJUZ09GclRvMDhINlA1LzRqNWxwZHYvWk1ETUZyalBmV01jTHpxTjQvTFV1OGdXVFZ0eXYKcXI3VU4zTE1pcXFWMFByOUszd0tUQ24wMkhVRTlwb3BpQlZUQXkxQTl1aVRtbEIrWkw2M3p6akJIY1pJc1R4VQp0Q2p6WnV0cmtQRE9FZU9LejMwZ09HeVlxMUxKWDJ5SndpYlBLMm1Bakpveit4Y2RBQTRtWkFpZENiS0hiTWE1CmRkSUloME9SQWdNQkFBRUNnZ0VCQUxYaW16ODZrT1A0bkhBcTFPYVEyb2l3dndhQTczbTNlUytZSm84eFk4NFcKcmxyNXRzUWR5dGxPcEhTd05yQjBSQnNNTU1XeFNPQ0JJWlltUlVVZ200cGd2Uk9rRWl2OG9VOThQMkE4SnFTKwprWHBFRjVCNi84K2pXRmM0Z1Q4SWhlMEZtR0VJQllvelhYL08wejBsV0h4WXg2MHluWUoycU9vS1FKT3A5YjlsCmpiUVBkaC9mN2ErRWF0RzZNUFlrNG5xSEY3a0FzcmNsRXo2SGUvaEx6NmRkSTJ1N2RMRjB6QlN0QjM5WDFRZysKZ1JzTittOXg1S1FVTXYxMktvajdLc2hEelozOG5hSjd5bDgycGhBV1lGZzBOZHlzRlBRbmt0WmlNSUxOblFjNwpOeUt0cHNQaUxIRE9ha05hdEZLU2lOaUJrUk1lY1ZUMlJNMzMzUG54bFVFQ2dZRUEvYTY5MEEralU4VFJNbVZyCk4vRnlYWkxYa1c5b2NxVjBRbTA0TDMrSExybFNCTlRWSzk2U1pVT203VjViTzIxNmd4S2dJK3IwYm5kdE5GTUQKLzFncDhsdlJNcUlIeGZTeUo4SHpsSzViT0lnaUpxRGhzK3BKWTZmLytIVzZ1QkZyN3NGS3lxbVlIQlA0SC9BdApsT3lLeEVjMHFXazFlT2tCMWNNSGx0WDRwemtDZ1lFQTJncDhDVDVYWjNMSWRQN2M1SHpDS1YwczBYS1hGNmYyCkxzclhPVlZaTmJCN1NIS1NsOTBIU2VWVGx3czdqSnNxcC9yWFY2aHF0eUdEaTg4aTFZekthcEF6dXl3b0U3TnEKMUJpd2ZYSURQeTlPNUdGNXFYNXFUeENzSWNIcmo2Z21XMEZVQWhoS1lQcDRxd1JMdzFMZkJsd3U1VmhuN3I3ego0SkZBTEFpdlp4a0NnWUJicnpuKzVvZjdFSmtqQTdDYWlYTHlDczVLUzkrTi8rcGl6NktNMkNSOWFKRVNHZkhwClp3bTErNXRyRXIwYVgxajE0bGRxWTlKdjBrM3ZxVWs2a2h5bThUUk1mbThjeG5GVkdTMzF3SVpMaWpmOWlndkkKd0paQnBFaEkvaE83enVBWmJGYWhwR1hMVUJSUFJyalNxQ01IQ1UwcEpWTWtIZUtCNVhqcXRPNm5VUUtCZ0NJUAp6VHlzYm44TW9XQVZpSEJ4Uk91dFVKa1BxNmJZYUU3N0JSQkIwd1BlSkFRM1VjdERqaVh2RzFYWFBXQkR4VEFrCnNZdFNGZ214eEprTXJNWnJqaHVEbDNFLy9xckZOb1VYcmtxS2l4Tk4wcWMreXdDOWJPSVpHcXJUWG5jOHIzRkcKRFZlZWI5QWlrTU0ya3BkYTFOaHJnaS8xMVphb1lmVE0vQmRrNi9IUkFvR0JBSnFzTmFZYzE2clVzYzAzUEwybApXUGNzRnZxZGI3SEJyakVSRkhFdzQ0Vkt2MVlxK0ZWYnNNN1FTQVZ1V1llcGxGQUpDYzcrSEt1YjRsa1hRM1RkCndSajJLK2pOUzJtUXp1Y2hOQnlBZ1hXVnYveHhMZEE3NnpuWmJYdjl5cXhnTVVjTVZwZGRuSkxVZm9QVVZ1dTcKS0tlVVU3TTNIblRKUStrcldtbUxraUlSCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K |
| 112 | +EOF |
| 113 | +``` |
| 114 | + |
| 115 | +This will create the **secure-app** service and a deployment. Run the following command to verify the resources were created: |
| 116 | + |
| 117 | +```shell |
| 118 | +kubectl get pods,svc |
| 119 | +``` |
| 120 | + |
| 121 | +Your output should include the **secure-app** pod and the **secure-app** service: |
| 122 | + |
| 123 | +```text |
| 124 | +NAME READY STATUS RESTARTS AGE |
| 125 | +pod/secure-app-575785644-kzqf6 1/1 Running 0 12s |
| 126 | +
|
| 127 | +NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE |
| 128 | +service/secure-app ClusterIP 192.168.194.152 <none> 8443/TCP 12s |
| 129 | +``` |
| 130 | + |
| 131 | +Next, let's create a gateway. This will create TLS listener with the hostname *.example.com. Copy paste this into your terminal. |
| 132 | + |
| 133 | +```yaml |
| 134 | +kubectl apply -f - <<EOF |
| 135 | +apiVersion: gateway.networking.k8s.io/v1beta1 |
| 136 | +kind: Gateway |
| 137 | +metadata: |
| 138 | + name: gateway |
| 139 | + namespace: default |
| 140 | +spec: |
| 141 | + gatewayClassName: nginx |
| 142 | + listeners: |
| 143 | + - name: tls |
| 144 | + port: 443 |
| 145 | + protocol: TLS |
| 146 | + hostname: "*.example.com" |
| 147 | + allowedRoutes: |
| 148 | + namespaces: |
| 149 | + from: All |
| 150 | + kinds: |
| 151 | + - kind: TLSRoute |
| 152 | + tls: |
| 153 | + mode: Passthrough |
| 154 | +EOF |
| 155 | +``` |
| 156 | + |
| 157 | +Finally, let's create a TLS Route. This will reference our service and the gateway. |
| 158 | + |
| 159 | +```yaml |
| 160 | +kubectl apply -f - <<EOF |
| 161 | +apiVersion: gateway.networking.k8s.io/v1alpha2 |
| 162 | +kind: TLSRoute |
| 163 | +metadata: |
| 164 | + name: tls-secure-app-route |
| 165 | + namespace: default |
| 166 | +spec: |
| 167 | + parentRefs: |
| 168 | + - name: gateway |
| 169 | + namespace: default |
| 170 | + hostnames: |
| 171 | + - "cafe.example.com" |
| 172 | + - "app.example.com" |
| 173 | + rules: |
| 174 | + - backendRefs: |
| 175 | + - name: secure-app |
| 176 | + port: 8443 |
| 177 | +EOF |
| 178 | +``` |
| 179 | + |
| 180 | +## Send Traffic |
| 181 | + |
| 182 | +Using the external IP address and port for NGINX Gateway Fabric, we can send traffic to our coffee application. |
| 183 | + |
| 184 | +{{< note >}}If you have a DNS record allocated for `cafe.example.com`, you can send the request directly to that hostname, without needing to resolve.{{< /note >}} |
| 185 | + |
| 186 | +To test that NGINX sends an HTTPS redirect, we will send requests to the `secure-app` service on the HTTPS port. |
| 187 | + |
| 188 | +```shell |
| 189 | +curl --resolve cafe.example.com:$GW_PORT:$GW_IP https://cafe.example.com:$GW_PORT --insecure |
| 190 | +``` |
| 191 | + |
| 192 | +```text |
| 193 | +hello from pod secure-app-575785644-kzqf6 |
| 194 | +``` |
0 commit comments