Hello everyone, good morning!
I need some assistance on my case.
In the internal network, I am using a CA and a certificate, both self-signed, and I configured them into a secret that is set in the tls.credentialName of my Gateway object. This certificate has "*.mydomain.com" in its SAN.
Outside my cluster, I have an NGINX with a fixed IP that is registered in my internal DNS as mydomain.com. With the same certificate, not using HTTP/2, using HTTPS, I am able to have multiple Gateways in different namespaces using the same secret, with these Gateways having subdomains as hosts, for example Gateway 1 as app1.mydomain.com and Gateway 2 as app2.mydomain.com, both linked to the same secret.
The NGINX outside the cluster does a stream to the Istio Gateway (Service exposed as NodePort) as below:
worker_processes 4;
worker_rlimit_nofile 40000;

events {
    worker_connections 8192;
}

http {
    # Plain HTTP: redirect everything to HTTPS on the same host.
    server {
        listen 80;
        server_name _;
        return 301 https://$host$request_uri;
    }
}

stream {
    # Istio ingress gateway, exposed as a NodePort (31846) on each worker node.
    upstream istio_gateway_servers_https {
        least_conn;
        server IP01_K8S_ISTIO_WORKER_NODE:31846 max_fails=3 fail_timeout=5s;
        server IP02_K8S_ISTIO_WORKER_NODE:31846 max_fails=3 fail_timeout=5s;
        server IP03_K8S_ISTIO_WORKER_NODE:31846 max_fails=3 fail_timeout=5s;
    }

    # TLS pass-through: no certificate is configured here, the handshake is
    # completed by the Istio gateway using the secret in credentialName.
    server {
        listen 443;
        proxy_pass istio_gateway_servers_https;
    }
}
For the internal network it is fine, but now I need to expose it to the internet. I tried to use another NGINX in the DMZ network as a reverse proxy to the NGINX that does the stream, but without success: I always receive an SSL handshake error.
Does anybody have a similar topology, or could help me solve this in a different way?
Thanks everyone for your time.
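One way to add the DMZ hop without breaking the TLS handshake, as an added example and not the original poster's configuration: keep the DMZ NGINX in the `stream` module with `ssl_preread`, so it only reads the SNI from the ClientHello and forwards the raw TLS connection to the internal stream NGINX, which forwards it on to the Istio gateway. A DMZ NGINX configured as an `http` reverse proxy (`proxy_pass https://...`) terminates the client's TLS itself and would need its own certificate for mydomain.com; whether that, a firewall, or something else causes the handshake error in the post is not something the post shows, so the block also logs the SNI per connection and notes an `openssl s_client` check per hop. The upstream address `IP_INTERNAL_STREAM_NGINX`, the public address `DMZ_PUBLIC_IP`, the log path and the closed local port 9 are assumptions; replace them with your own.

```nginx
# DMZ NGINX: TLS pass-through (no termination) towards the internal stream NGINX.
# Added example, not the original poster's configuration. Addresses, ports and
# the log path are assumptions.
worker_processes auto;

events {
    worker_connections 8192;
}

http {
    # Plain HTTP only redirects; nothing is served in clear text from the DMZ.
    server {
        listen 80;
        server_name _;
        return 301 https://$host$request_uri;
    }
}

stream {
    # Log the SNI the client sent and the upstream chosen, so a failing
    # handshake can be located hop by hop.
    log_format tls_passthrough '$remote_addr [$time_local] '
                               'sni="$ssl_preread_server_name" '
                               'upstream="$upstream_addr" status=$status';
    access_log /var/log/nginx/stream-access.log tls_passthrough;

    upstream internal_stream_nginx {
        # The internal NGINX from the post, which itself streams to the Istio NodePort.
        server IP_INTERNAL_STREAM_NGINX:443 max_fails=3 fail_timeout=5s;
    }

    # Only forward ClientHellos whose SNI is one of our hosts (mydomain.com and
    # *.mydomain.com). Anything else goes to a local port assumed to be closed,
    # so the connection is refused instead of being relayed into the internal network.
    map $ssl_preread_server_name $backend {
        hostnames;
        .mydomain.com  internal_stream_nginx;
        default        127.0.0.1:9;
    }

    server {
        listen 443;
        ssl_preread on;       # read the SNI without terminating TLS
        proxy_pass $backend;
    }
}

# Check each hop with the SNI set explicitly (assumed addresses and hostnames):
#   openssl s_client -connect DMZ_PUBLIC_IP:443 -servername app1.mydomain.com </dev/null
#   openssl s_client -connect IP_INTERNAL_STREAM_NGINX:443 -servername app1.mydomain.com </dev/null
# Both must present the *.mydomain.com certificate; if the second succeeds and
# the first fails, the problem is in the DMZ layer or in front of it.
```

With both NGINX layers in `stream` mode, the only place that holds the private key is the Istio gateway, and the `-servername` value must match a Gateway host (app1.mydomain.com, app2.mydomain.com) for the gateway to select the right listener; a client that sends no SNI, or a different name, is expected to fail the handshake at the gateway rather than at either NGINX.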