Https service and Reverse Proxy

  • Question

  • Hi,

    I've just stumbled on a weird problem playing with service fabric on premises. (version 6.4.637)

    The reverse proxy is configured to use https on port 433, and if I expose an HTTP endpoint in the service fabric:/Ooopses/OoopsApi I can reach the service through the reverse proxy using URL https://any_node_cluster/Ooopses/OoopsApi/api/diagnostics 

    I can also reach the service directly using http://a_cluster_node:45555/api/diagnostics

    But if I expose the service's API through HTTPS I can only reach the service directly - using https://a_cluster_node:45555/api/diagnostics; an attempt to reach the service through the rev proxy fails with 504 FABRIC_E_TIMEOUT (after two minutes).

    The certificate used on the service is generated by our AD cert authority, the browser sees it as a valid certificate (but Postman does not work until SSL certificate verification is turned off). I also tried to use the cluster's server certificate as the service's certificate, but it did not help.

    ApplicationCertificateValidationPolicy is left at its default: None (Reverse proxy skips verification of the proxied service certificate and establishes the secure connection) 

    What am I doing wrong?

    Thursday, February 28, 2019 9:31 AM
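    As an added triage aid (not part of the original post or of Service Fabric itself), the script below probes the three paths the question describes (direct HTTP, direct HTTPS, via the reverse proxy) and classifies each outcome, so a 504 from the proxy is told apart from a TLS trust failure or a plain connection timeout before digging into the reverse proxy event logs. The hostnames are the placeholders from the post; `cafile` is assumed to point at the AD CA bundle so verification stays on.

```python
import socket
import ssl
import urllib.error
import urllib.request

# Constructed sample URLs, taken from the question (hostnames are placeholders).
DIRECT_HTTP = "http://a_cluster_node:45555/api/diagnostics"
DIRECT_HTTPS = "https://a_cluster_node:45555/api/diagnostics"
VIA_PROXY = "https://any_node_cluster/Ooopses/OoopsApi/api/diagnostics"


def classify(status, exc):
    """Map a probe result (HTTP status or raised exception) to a short verdict."""
    if exc is None:
        return "ok" if 200 <= status < 300 else f"http-{status}"
    # HTTPError must be checked before URLError: it is a subclass of it.
    if isinstance(exc, urllib.error.HTTPError):
        if exc.code == 504:
            return "proxy-timeout"  # proxy reached, but it gave up on the backend (FABRIC_E_TIMEOUT)
        return f"http-{exc.code}"
    reason = getattr(exc, "reason", None)  # URLError wraps the underlying socket/ssl error
    if isinstance(exc, ssl.SSLError) or isinstance(reason, ssl.SSLError):
        return "tls-error"  # certificate not trusted by this client, or name mismatch
    if isinstance(exc, socket.timeout) or isinstance(reason, socket.timeout):
        return "connect-timeout"  # no answer at all within the deadline
    return "unreachable"


def probe(url, cafile=None, timeout=10):
    """Fetch url once and return the classify() verdict; cafile is the AD CA bundle (assumed)."""
    ctx = ssl.create_default_context(cafile=cafile)  # keep certificate verification enabled
    try:
        with urllib.request.urlopen(url, timeout=timeout, context=ctx) as resp:
            return classify(resp.status, None)
    except Exception as exc:  # every failure mode is classified, not swallowed
        return classify(None, exc)


if __name__ == "__main__":
    # Compare the direct paths with the proxied one; only the proxied path should differ
    # if the reverse proxy, rather than the service's TLS endpoint, is the problem.
    for name, url in [("direct http", DIRECT_HTTP), ("direct https", DIRECT_HTTPS), ("via proxy", VIA_PROXY)]:
        print(f"{name:13s} {probe(url, cafile='ad-root-ca.pem'):16s} {url}")
```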

All replies

  • What exactly are you trying to achieve here? End goal? 
    Thursday, February 28, 2019 10:27 PM
  • What am I trying to achieve? 

    The top-level goal is a migration of ~100 (micro)services from application servers (partly still clustered NT services, partly A-A services using consul for discovery) to SF (first on premises). During the migration, which will last for months, there will be quite a lot of traffic between the services in SF and the ones outside SF.

    I wanted to use the reverse proxy because of better scaling - that way I don't need an instance of every service (reachable from outside of SF) on every node. But the rules here are: communication needs to be encrypted and every client needs to authenticate. I thought I would be able to use client certificates to authenticate the clients (Setting up client certificate authentication through the reverse proxy) and https web API gateways to every bounded context :-) Does that make sense?

    Friday, March 1, 2019 7:23 AM
  • Got it. Thank you :) 

    I am checking internally on this. Will update with more information. 

    Monday, March 4, 2019 11:35 PM
  • Reverse proxy diagnostics:

    https://docs.microsoft.com/en-us/azure/service-fabric/service-fabric-reverse-proxy-diagnostics

    What events are seen? Based on the error code in the events, we might be able to provide more troubleshooting info.

    For on prem, these events (going into the datamessaging channels) should also be visible in Event Viewer.
    Wednesday, March 13, 2019 4:34 PM