Mutual TLS over HTTPS on calls via the ingress gateway - is this possible?

#1

Hi All

Is there a possible configuration for mtls between the ingress gateway and an application in the mesh IF the application endpoint being called is HTTPS?

This is what I’m trying to achieve:

https calls coming in from the internet to be terminated at the gateway (this is what my current setup looks like) then forwarded to the application as a https request, with mutual tls on the layer 4 tcp traffic between the gateway and the sidecar of the application being called.

I believe I’m doing this correctly for HTTPS calls WITHIN the mesh from one application to another as per the docs at https://istio.io/docs/tasks/security/https-overlay/ “The reason is that for the workflow “sleep -> sleep-proxy -> nginx-proxy -> nginx”, the whole flow is L7 traffic, and there is a L4 mutual TLS encryption between sleep-proxy and nginx-proxy . In this case, everything works fine.”

However I’m failing to achieve this with calls from the gateway to a backend HTTPS app (error = “http request sent to a https server”). The only way I can configure my HTTPS app to work is by putting in a destination rule with TLS SIMPLE mode and a policy that allows non-mTLS traffic to that specific application (as the rest of the mesh is set to destination rule mTLS, policy mTLS for all services).

When I refer to the documentation I notice that the server side proxy in this instance may be downgrading HTTPS to HTTP:

“kubectl exec $(kubectl get pod -l app=sleep -o jsonpath={.items…metadata.name}) -c istio-proxy -- curl https://my-nginx -k”

“The reason is that for the workflow “sleep-proxy -> nginx-proxy -> nginx”, nginx-proxy is expected mutual TLS traffic from sleep-proxy. In the command above, sleep-proxy does not provide client cert. As a result, it won’t work. Moreover, even sleep-proxy provides client cert in above command, it won’t work either since the traffic will be downgraded to http from nginx-proxy to nginx.”

Based on the above is it the case that because the call in my environment is being done from the ingress gateway itself to the HTTPS application, the server side proxy is downgrading my HTTPS call and ultimately leading to the error “http request sent to a https server”? If this is the case, is there anything that can be done to achieve what I would like from the pic above? and why does the server side envoy proxy automatically downgrade HTTPS calls?

Many Thanks
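As an added example (not part of the original post, and not Istio's own docs), here is what the two configurations described in the post look like side by side on the Istio APIs of that era (authentication.istio.io/v1alpha1 and networking.istio.io/v1alpha3): the mesh-wide mTLS setup first, then the per-service exception (a Policy permitting non-mTLS peers plus a DestinationRule with tls.mode SIMPLE) that the post says is the only thing that works for an HTTPS backend. The service name my-https-app, the default namespace, ports 443/8443 and the CA mount path are assumptions.

```yaml
# Added example, not from the original post. Names, namespace, ports and paths are assumptions.
#
# 1) Mesh-wide mutual TLS: every sidecar requires a client cert, and every
#    client-side proxy (the ingress gateway included) presents one.
apiVersion: authentication.istio.io/v1alpha1
kind: MeshPolicy
metadata:
  name: default
spec:
  peers:
  - mtls: {}            # STRICT by default: plaintext to any sidecar is rejected
---
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: default
  namespace: istio-system
spec:
  host: "*.local"
  trafficPolicy:
    tls:
      mode: ISTIO_MUTUAL  # gateway and sidecars use Istio-issued client certs
---
# 2) Per-service exception for the backend that terminates TLS itself.
#    The Policy lets that sidecar accept connections without a client cert...
apiVersion: authentication.istio.io/v1alpha1
kind: Policy
metadata:
  name: my-https-app-permissive
  namespace: default
spec:
  targets:
  - name: my-https-app
  peers:
  - mtls:
      mode: PERMISSIVE  # both mTLS and non-mTLS connections are accepted
---
# ...and the DestinationRule makes the gateway originate ordinary one-way TLS
# to the app instead of Istio mTLS, so the app sees a TLS handshake, not plain HTTP.
apiVersion: networking.istio.io/v1alpha3
kind: DestinationRule
metadata:
  name: my-https-app
  namespace: default
spec:
  host: my-https-app.default.svc.cluster.local
  trafficPolicy:
    tls:
      mode: SIMPLE
      sni: my-https-app.default.svc.cluster.local
      # With no caCertificates the proxy does NOT verify the app's server cert.
      # Mount a CA bundle into the gateway pod (path assumed) and pin the SAN.
      caCertificates: /etc/istio/ingressgateway-ca-certs/ca.crt
      subjectAltNames:
      - my-https-app.default.svc.cluster.local
---
# 3) Backend Service. The port name selects the protocol the proxy assumes:
#    "https" is treated as opaque TLS passthrough (L4), while a port named
#    "http" is parsed as L7 HTTP by the sidecar.
apiVersion: v1
kind: Service
metadata:
  name: my-https-app
  namespace: default
spec:
  selector:
    app: my-https-app
  ports:
  - name: https
    port: 443
    targetPort: 8443
```

Apply with kubectl apply -f and confirm the effective setting for the host with `istioctl authn tls-check <some-pod> my-https-app.default.svc.cluster.local`; the CLIENT column should show DISABLE (SIMPLE origination) rather than ISTIO_MUTUAL for that one host. Note that this trades away mTLS on the gateway-to-app hop: the app's sidecar no longer verifies a client cert, so the caCertificates/subjectAltNames pin is the only thing stopping a spoofed upstream.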