Giter Site home page Giter Site logo

Comments (4)

krancour avatar krancour commented on August 22, 2024

I'll have to look into this further, but I suspect that what is happening is that in the absence of a vhost listening on 443 for domain.two, the traffic is flowing instead to the the vhost for domain.one, because, as the only vhost listening on 443, it would be the default vhost for 443.

If you were to install platform-wide SSL using a wildcard cert, this issue would go away, because it would explicitly introduce a default vhost listening on 443 that would be a catch-all for any HTTPS traffic that didn't match any other vhost.

Note that In the absence of a platform-wide, wildcard SSL cert, it's not possible to explicitly implement a catch-all, default vhost... because what cert would we use?

I don't see this as a bug so much as just the way Nginx works. That being said, I can look into what other options might exist for simply dropping requests that aren't an exact match for any of the defined vhosts.

from router.

krancour avatar krancour commented on August 22, 2024

So what I could do is if a platform-wide wildcard cert has not been provided, I could use a self-signed cert for a default vhost listening on 443. It would return just return 404s. The downside is anyone requesting HTTPS for a domain that doesn't support it will get a cert warning that would stop them from ever getting the 404 (unless the willfully ignore the cert warning). But this is still probably better than the behavior you have observed.

from router.

vdice avatar vdice commented on August 22, 2024

I see. With the background info provided, I can proceed with writing a test using a wildcard cert to get the behavior I'm looking for. That being said, if the 'fix' sounds reasonable, apart from simply representing an adjustment to help testing (although it is nice when those happen :)), then I'd be in support of it.

from router.

krancour avatar krancour commented on August 22, 2024

@vdice note that providing an SSL cert for use platform-wide must be done at the time of platform installation, so it requires an addition to the chart. I'm not sure if your tests currently support that. Alternatively, I guess the manifest for it could just be submitted directly using kubectl.

Here's the doc on how it's done:

https://github.com/deis/router#default-certificate-example

from router.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.