We have the following setup (I am showing one of the target servers)
```json
{
  "name": "SERVER-1",
  "host": "server1.com",
  "isEnabled": true,
  "port": 8444,
  "sSLInfo": {
    "enabled": "true",
    "clientAuthEnabled": "true",
    "keyStore": "server-1.client",
    "keyAlias": "server-1.client.key",
    "ignoreValidationErrors": "false",
    "ciphers": [],
    "protocols": []
  }
}
```
Target Server configuration
```xml
<HTTPTargetConnection>
  <Properties>
    <Property name="use.proxy">true</Property>
    <Property name="use.proxy.tunneling">true</Property>
  </Properties>
  <LoadBalancer>
    <Server name="SERVER-1"/>
    <Server name="SERVER-2"/>
  </LoadBalancer>
  <Path>/path</Path>
</HTTPTargetConnection>
```
When we make the request we get a `service not available` error.
The same thing works if we hit one of the targets directly without using the targetservers feature on the proxy.
@Shailendra what do you think?
This sounds like a bug!
We are on Apigee SaaS.
Hi,
There was a bug to do with SNI not being used with southbound and proxy. It might be you are hitting that issue. As I don't know which version you are using, here are the 4.16.09.03 release notes:
See: APIRT-3832 (fixed)
So check if the target server needs SNI. Usually this test works. Run from an MP:
```
openssl s_client -connect target_dns_name:port
```
(that would probably fail immediately)
```
openssl s_client -connect target_dns_name:port -servername target_dns_name
```
(forces openssl to send the SNI extension) should progress further. If that is the case you need to upgrade.
As you have a 2-way SSL setup you have to see where it fails, as openssl would not have the client cert to send. You should be able to do a side by side lookup.
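The side-by-side check described in this reply, as an added example that is not part of the original thread: it runs `openssl s_client` once without and once with `-servername`, optionally passing the client cert and key so the 2-way TLS target can be probed as well, and turns each run's output into a short verdict. Host name, port and the cert/key file names are placeholders supplied as arguments.

```shell
# Run openssl s_client once. $3 toggles the SNI extension; $4/$5 optionally give the
# client certificate and key (PEM files, your own) for a clientAuthEnabled target.
probe_once() {
    p_host="$1"; p_port="$2"; p_sni="$3"; p_cert="${4:-}"; p_key="${5:-}"
    set -- -connect "$p_host:$p_port"
    [ "$p_sni" = "yes" ] && set -- "$@" -servername "$p_host"
    [ -n "$p_cert" ] && set -- "$@" -cert "$p_cert" -key "$p_key"
    # </dev/null closes stdin so s_client exits right after the handshake attempt
    openssl s_client "$@" </dev/null 2>&1
}

# Classify s_client output read from stdin. Alerts are checked first because a
# mutual-TLS server can verify fine and still abort when no client cert is sent.
classify_handshake() {
    c_out=$(cat)
    case "$c_out" in
        *"handshake failure"*|*" alert "*)     echo "handshake-failed" ;;
        *"Verify return code: 0 (ok)"*)        echo "ok" ;;
        *"Verify return code"*)                echo "cert-untrusted" ;;
        *"Connection refused"*|*"connect:"*)   echo "no-connection" ;;
        *)                                     echo "unknown" ;;
    esac
}

# Compare both runs. A failure without SNI that clears up with SNI is the symptom
# the reply attributes to the southbound SNI bug; anything else points elsewhere.
sni_probe() {
    s_host="$1"; s_port="$2"; s_cert="${3:-}"; s_key="${4:-}"
    no_sni=$(probe_once "$s_host" "$s_port" no "$s_cert" "$s_key" | classify_handshake)
    with_sni=$(probe_once "$s_host" "$s_port" yes "$s_cert" "$s_key" | classify_handshake)
    printf 'without SNI: %s\nwith SNI:    %s\n' "$no_sni" "$with_sni"
    if [ "$no_sni" = "handshake-failed" ] && [ "$with_sni" != "handshake-failed" ]; then
        echo "verdict: target requires SNI"
    else
        echo "verdict: SNI is not the differentiator; check client cert and trust store"
    fi
}

# Usage (placeholders): sni_probe target_dns_name 8444 [client.pem client.key]
```

Run it from an MP so the probe leaves from the same network path the proxy uses.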