Behind my Nginx Ingress Controller, I have two services. Service A is configured with one-way TLS, while Service B is configured with two-way TLS. When I curl Service B, I found it is actually doing one-way TLS, because it doesn't need me to specify a client certificate and key. After investigation, I found the direct reason is that A and B share the same hostname; only their context paths are different.

So when the TLS handshake is initiated and the client is happy with the server's certificate, Nginx needs to decide whether it should ask the client to present a certificate, i.e. one-way or two-way. But all Nginx knows at that point is the domain name from the SNI (Server Name Indication); it can't get the context path, because the HTTP connection is not established yet and the context path only arrives in the HTTP request. So Nginx has two matching configurations for that hostname: one says one-way, the other says two-way. For some reason Nginx falls back to one-way TLS. Once we changed them to use different domain names, both are working well.
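The two Ingress objects the post describes, written out as an added example that is not from the original post, with Service B already moved to its own hostname; the hostnames, namespace, service names, ports and secret names are assumptions:

```yaml
# Added example, not from the original post. Hostnames, namespace,
# service names and secret names are assumptions.
#
# Service A: one-way TLS only (server certificate, no client cert).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: service-a
  namespace: demo
spec:
  ingressClassName: nginx
  tls:
  - hosts: [api.example.com]
    secretName: api-example-com-tls
  rules:
  - host: api.example.com
    http:
      paths:
      - path: /a
        pathType: Prefix
        backend:
          service: {name: service-a, port: {number: 8080}}
---
# Service B: two-way TLS. The auth-tls-* annotations apply to the whole
# nginx server block for a host, not to a path. When B also used
# api.example.com (differing from A only in path /b), the controller
# produced one server block for that host and the client-certificate
# requirement was not enforced, so curl succeeded without a client cert.
# Giving B its own hostname gives it its own server block with mTLS.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: service-b
  namespace: demo
  annotations:
    # CA bundle (secret key "ca.crt") used to verify client certificates.
    nginx.ingress.kubernetes.io/auth-tls-secret: "demo/client-ca"
    nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
    nginx.ingress.kubernetes.io/auth-tls-verify-depth: "1"
spec:
  ingressClassName: nginx
  tls:
  - hosts: [b.example.com]       # was api.example.com: the broken setup
    secretName: b-example-com-tls
  rules:
  - host: b.example.com
    http:
      paths:
      - path: /b
        pathType: Prefix
        backend:
          service: {name: service-b, port: {number: 8080}}
```

To check which mode a host actually negotiates, `openssl s_client -connect <ingress-ip>:443 -servername b.example.com` prints "Acceptable client certificate CA names" only when the server requested a client certificate; the one-way host prints "No client certificate CA names sent".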