Edge does not honour use.proxy when targetserver is configured


We have the following setup (I am showing one of the target servers)

```json
{
  "name": "SERVER-1",
  "host": "server1.com",
  "isEnabled": true,
  "port": 8444,
  "sSLInfo": {
    "enabled": "true",
    "clientAuthEnabled": "true",
    "keyStore": "server-1.client",
    "keyAlias": "server-1.client.key",
    "ignoreValidationErrors": "false",
    "ciphers": [ ],
    "protocols": [ ]
  }
}
```

Target Server configuration

```xml
<HTTPTargetConnection>
    <Properties>
        <Property name="use.proxy">true</Property>
        <Property name="use.proxy.tunneling">true</Property>
    </Properties>
    <LoadBalancer>
        <Server name="SERVER-1"/>
        <Server name="SERVER-2"/>
    </LoadBalancer>
    <Path>/path</Path>
</HTTPTargetConnection>
```

When we make the request we get a `service not available` error.

The same thing works if we hit one of the targets directly without using the targetservers feature on the proxy.


@Shailendra what do you think?

This sounds like a bug!

We are on Apigee SaaS.


Hi,

There was a bug to do with SNI not being used with southbound and proxy. It might be that you are hitting that issue. As I don't know which version you are using, here are the 4.16.09.03 release notes:

4.16.09.03 release notes.

See: APIRT-3832 (fixed)

So check if the target server needs SNI. Usually this test works. Run from an MP:

`openssl s_client -connect target_dns_name:port` (that would probably fail immediately)

`openssl s_client -connect target_dns_name:port -servername target_dns_name` (forces openssl to send SNI extension) should progress further. If that is the case you need to upgrade.

As you have 2 way ssl setup you have to see where it fails as openssl would not have the client cert to send. You should be able to do a side by side lookup.
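
The side-by-side check suggested in the reply above, as an added example that is not part of the original thread: it runs the handshake with and without SNI and compares how far each one gets. The variable names `CLIENT_CERT` and `CLIENT_KEY` and the verdict labels are assumptions of this sketch; `-noservername` is used where available because OpenSSL 1.1.1 and later send SNI by default even without `-servername`.

```shell
#!/bin/sh
# Added example: side-by-side SNI probe. CLIENT_CERT / CLIENT_KEY and the
# verdict labels are names assumed for this sketch, not from the thread.

# probe HOST PORT [SNI]: print the s_client transcript for one handshake.
probe() {
  host=$1; port=$2; sni=${3:-}
  set -- -connect "$host:$port"
  if [ -n "$sni" ]; then
    set -- "$@" -servername "$sni"
  elif openssl s_client -help 2>&1 | grep -q -- '-noservername'; then
    # OpenSSL 1.1.1+ sends SNI by default, so suppress it for the plain run.
    set -- "$@" -noservername
  fi
  # 2-way SSL: present the client identity if one is available locally.
  if [ -n "${CLIENT_CERT:-}" ]; then
    set -- "$@" -cert "$CLIENT_CERT" -key "${CLIENT_KEY:-$CLIENT_CERT}"
  fi
  openssl s_client "$@" </dev/null 2>&1
}

# True when the transcript contains the server's certificate.
has_server_cert() { printf '%s\n' "$1" | grep -q -- '-----BEGIN CERTIFICATE-----'; }

# First "subject=" line, i.e. the server certificate's subject.
subject_of() { printf '%s\n' "$1" | sed -n '/^subject=/{p;q;}'; }

# sni_verdict PLAIN_TRANSCRIPT SNI_TRANSCRIPT
sni_verdict() {
  if ! has_server_cert "$2"; then
    echo "fails-with-sni"      # look elsewhere: network, proxy, client cert
  elif ! has_server_cert "$1"; then
    echo "sni-required"        # plain handshake dies, SNI handshake progresses
  elif [ "$(subject_of "$1")" != "$(subject_of "$2")" ]; then
    echo "sni-selects-cert"    # a default certificate answered the plain run
  else
    echo "sni-not-needed"
  fi
}

if [ "$#" -ge 2 ]; then
  sni_verdict "$(probe "$1" "$2")" "$(probe "$1" "$2" "${3:-$1}")"
else
  # Constructed transcripts (not real captures) so the logic runs offline.
  no_cert='no peer certificate available'
  cert='-----BEGIN CERTIFICATE-----
subject=CN = target.example.test'
  sni_verdict "$no_cert" "$cert"
fi
```

With 2-way SSL the server sends its own certificate before it asks for the client's, so a transcript that contains the server certificate shows the handshake got past the SNI stage even if client authentication fails afterwards.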