mTLS origination from egress gateway does not handle Redirect that contains `https` in the location

cyberjar09 · August 8, 2019, 9:11am

istio v 1.1
I was trying mutual tls origination example from the istio docs: https://doc.istio.cn/en/docs/examples/advanced-gateways/egress-gateway-mtls-origination/

I have setup an external server that expects mtls connections at example.com

when the sleep pod invokes: http://example.com
what I observe in the logs is:
[sleep pod] --(http)–> [sidecar] --(mtls)–> [egress gw] --(mtls)–> [ext svc]

basically it works as expected

sleep pod invokes: http://example.com/somepath
somepath has a redirect to https://example.com/someotherpath
Redirect to https then egress gw fails to intercept, app tries to connect to https and fails, because app does not have the server cert to negotiate mtls

SSL certificate problem: unable to get local issuer certificate
Closing connection 1
curl: (60) SSL certificate problem: unable to get local issuer certificate

seems odd that there is no mention of how to handle redirects that expect to connect to https.
any strategies on how this is handled? use istio policies to inspect 30x headers and change location from https to http? seems like a base case that needs to be handled or mentioned in the docs to me.

Topic		Replies	Views
mTLS origination for egress traffic with custom mTLS between client istio-proxy and egress gateway Security	1	3371	June 9, 2021
Issue with Egress Gateway with TLS Origination Networking	2	1984	March 23, 2022
Mutual TLS origination by Egress Gateway Security	2	772	April 12, 2019
Getting CERTIFICATE_VERIFY_FAILED during Mutual TLS with egress gw	2	1018	October 4, 2022
Cannot intercept TLS traffic with istio egress gateway Security security	1	1295	June 14, 2021

mTLS origination from egress gateway does not handle Redirect that contains `https` in the location

Related topics