Enable redirecting http traffic to secured upstream servers
Closed this issue · 7 comments
Currently only http upstream servers can be used. This will require to also change the external interface configuration form in MI's cloud views and atmosphere's REST API to convey the additional attribute saying if the upstream server is secured with https.
With @dharezlak we performed test where https->proxy->https->vm communication was established.
Redirus is ready for such change. Options capability can be used to distinguish if http or https should be used in proxy_pass directive. The only thing needed here is to change templates.
Atmosphere on the other hand need to be changed to support this feature. Boolean value should be added into Port Mapping Template (e.g. upstream_https) and this value should be converted into option while sending request into Redirus.
@nowakowski, @tbartynski this task priority should be increased. In plgrid we have a situation where https->https communication should be established.
Another solution of the problem would be to:
- remove
https/httpsPortMappingTemplatetype, onlyhttpORhttps - redirus will establish
http->httporhttps->httpscommunication.
What is your opinion?
Can we establish https->https without triggering a MIM-type situation?
Yeap, I was able to establish such connection before creating this issue. To be 100% sure we can recreate such situation on Monday 😄
That's good news. I like the idea of removing HTTP and HTTPS; IMHO this option never made much sense. :)
I have mixed filings about it. On one hand you are right, for user it is quite strange that https->http connections are created. On the other hand https->http is much faster than https->https and we can treat inter tenant communication as "safe".
@mkasztelnik I fully agree; what I was trying to say is that it's weird to have both an HTTP and an HTTPS redirection to an application service (you'll typically want one or the other); hence this menu option is confusing and could be removed.