I have been able to successfully get my proxy to use mTLS with my target servers.
However when I introduce Load Balancing with a Health Monitor, I notice that my proxy serves a few requests, but then very quickly all requests result in a "Service Unavailable - No Targets" error.
{
  "fault": {
    "faultstring": "The Service is temporarily unavailable",
    "detail": {
      "errorcode": "messaging.adaptors.http.flow.NoActiveTargets"
    }
  }
}
The logs of my backend (or target) servers identify calls being made by the Health Monitor, but they all completed with an HTTP 403.7, which reflects an error when a client certificate is not supplied.
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-07-12 10:29:36 10.53.112.17 GET /v1/health/readiness - 9898 - 10.52.18.7 Java/1.8.0_331 - 403 7 5 69
How can I get the Health Monitor to use mTLS?
Shouldn't it automatically use the SSLInfo (or mTLS config) defined in my TargetServer definition?
I am using Apigee Private Cloud - 4.51.
Code:
<HTTPTargetConnection>
  <Properties>
    <Property name="success.codes">1xx,2xx,3xx,400,403,429</Property>
  </Properties>
  <SSLInfo>
    <Enabled>true</Enabled>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <KeyStore>ref://mytrustref</KeyStore>
    <KeyAlias>id-cert</KeyAlias>
  </SSLInfo>
  <LoadBalancer>
    <Algorithm>RoundRobin</Algorithm>
    <Server name="node-1"/>
    <Server name="node-2"/>
    <MaxFailures>2</MaxFailures>
    <RetryEnabled>false</RetryEnabled>
  </LoadBalancer>
  <HealthMonitor>
    <IsEnabled>true</IsEnabled>
    <IntervalInSec>5</IntervalInSec>
    <HTTPMonitor>
      <Request>
        <ConnectTimeoutInSec>10</ConnectTimeoutInSec>
        <SocketReadTimeoutInSec>30</SocketReadTimeoutInSec>
        <Port>9898</Port>
        <Verb>GET</Verb>
        <Path>v1/health/readiness</Path>
        <IncludeHealthCheckIdHeader>true</IncludeHealthCheckIdHeader>
      </Request>
      <SuccessResponse>
        <ResponseCode>200</ResponseCode>
      </SuccessResponse>
    </HTTPMonitor>
  </HealthMonitor>
  <Path>v1</Path>
</HTTPTargetConnection>
My TargetServers are defined as
<TargetServer name="node-1">
  <IsEnabled>true</IsEnabled>
  <Host>myserver01.org.com</Host>
  <Port>9898</Port>
  <SSLInfo>
    <Ciphers/>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <Enabled>true</Enabled>
    <IgnoreValidationErrors>false</IgnoreValidationErrors>
    <KeyAlias>id-cert</KeyAlias>
    <KeyStore>ref://mytrustref</KeyStore>
    <Protocols/>
  </SSLInfo>
</TargetServer>
<TargetServer name="node-2">
  <IsEnabled>true</IsEnabled>
  <Host>myserver02.org.com</Host>
  <Port>9898</Port>
  <SSLInfo>
    <Ciphers/>
    <ClientAuthEnabled>true</ClientAuthEnabled>
    <Enabled>true</Enabled>
    <IgnoreValidationErrors>false</IgnoreValidationErrors>
    <KeyAlias>id-cert</KeyAlias>
    <KeyStore>ref://mytrustref</KeyStore>
    <Protocols/>
  </SSLInfo>
</TargetServer>
Reference:
<ResourceReference name="mytrustref">
  <Refers>mystore</Refers>
  <ResourceType>KeyStore</ResourceType>
</ResourceReference>
Appreciate any pointers you may have
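The diagnosis in the post rests on reading the IIS sub-status: a 403 with sub-status 7 means the backend required a client certificate and the caller (here the Java health-check client) did not present one. The script below is an added example, not code from the original post or from Apigee. It parses IIS W3C extended log lines driven by the `#Fields:` header, flags 403 responses whose sub-status is one of the IIS client-certificate sub-statuses (the mapping is taken from IIS documentation and is broader than the single 403.7 on the page), and counts them per client IP and User-Agent so a health checker that is failing mTLS stands out from application traffic. The sample log is constructed from the two lines on the page plus one invented 200 for contrast.

```python
"""Flag TLS client-certificate failures in IIS W3C extended logs.

Added example; the sub-status mapping is the author's assumption based on
IIS documentation, not something the original post states.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterator, List

# IIS 403 sub-status codes that point at a TLS client-certificate problem.
# Assumption: taken from IIS documentation, not from the page.
CLIENT_CERT_SUBSTATUS = {
    4: "SSL required",
    7: "Client certificate required",
    13: "Client certificate revoked",
    16: "Client certificate is untrusted or invalid",
    17: "Client certificate has expired or is not yet valid",
}

# Constructed sample: the header and 403.7 line from the page plus an
# invented 200 line so the filter has something to ignore.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) cs(Referer) sc-status sc-substatus sc-win32-status time-taken
2022-07-12 10:29:36 10.53.112.17 GET /v1/health/readiness - 9898 - 10.52.18.7 Java/1.8.0_331 - 403 7 5 69
2022-07-12 10:29:37 10.53.112.17 GET /v1/orders - 9898 - 10.52.18.7 Java/1.8.0_331 - 200 0 0 12
2022-07-12 10:29:41 10.53.112.17 GET /v1/health/readiness - 9898 - 10.52.18.7 Java/1.8.0_331 - 403 7 5 70
"""


@dataclass
class Hit:
    time: str
    client_ip: str
    user_agent: str
    uri: str
    status: int
    substatus: int
    reason: str


def parse_w3c(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per data line, keyed by the most recent #Fields header.

    IIS may emit a new #Fields header mid-file (e.g. after a config change),
    so the column layout is re-read whenever a header appears. IIS encodes
    spaces inside field values as '+', so splitting on whitespace is safe.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
            continue
        if line.startswith("#"):  # #Software, #Version, #Date directives
            continue
        if fields is None:
            raise ValueError("log data encountered before any #Fields header")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed line: skip rather than misalign columns
        yield dict(zip(fields, values))


def find_client_cert_failures(text: str) -> List[Hit]:
    """Return every 403 whose sub-status indicates a client-certificate failure."""
    hits: List[Hit] = []
    for row in parse_w3c(text):
        if row.get("sc-status") != "403":
            continue
        try:
            sub = int(row.get("sc-substatus", "0"))
        except ValueError:
            continue
        reason = CLIENT_CERT_SUBSTATUS.get(sub)
        if reason is None:
            continue
        hits.append(Hit(
            time=f"{row.get('date', '')} {row.get('time', '')}",
            client_ip=row.get("c-ip", ""),
            user_agent=row.get("cs(User-Agent)", ""),
            uri=row.get("cs-uri-stem", ""),
            status=403,
            substatus=sub,
            reason=reason,
        ))
    return hits


def summarize(hits: List[Hit]) -> Counter:
    """Count failures per (client IP, User-Agent, reason) so the offending caller stands out."""
    return Counter((h.client_ip, h.user_agent, h.reason) for h in hits)


if __name__ == "__main__":
    for (ip, ua, reason), n in summarize(find_client_cert_failures(SAMPLE_LOG)).items():
        print(f"{n:>4}  {ip:<15} {ua:<20} {reason}")
```

Run against a real `u_ex*.log` file, a row with the proxy's egress IP and the `Java/...` User-Agent under "Client certificate required" confirms that it is the health-check path, not the proxied API traffic, that is reaching the backend without a client certificate.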
OK, just found this documentation:
https://docs.apigee.com/api-platform/deploy/load-balancing-across-backend-servers
“The HTTPMonitor supports backend services configured to use HTTP and one-way HTTPS protocols. However, it does not support the following:
I guess my question now pivots to : Is the support for mTLS Health Monitors on the products roadmap?
Yes, there’s an open ticket in the backlog. The reference is b/157869914 . I don’t have any insight into the schedule or priority of the work.