🐛 Remove HTTPS from WAF
RPS Service Release: R24
Context
In the following merge requests, we configured Traefik (which is used to route traffic to the proper RPS containers) as an L7 router:
- config-controller!48 (merged)
- waf!28 (merged)
- nginx-ansible-collection!30 (merged)
- nginx-ansible-collection!31 (merged)
- nginx-ansible-playbooks!20 (merged)
As a result, the Traefik is now responsible for SSL termination (HTTPS support).
Actual Behavior
When the Traefik tries to connect to the WAF container to proxy the incoming requests, it does so using HTTPS.
But the WAF container still serves the public X.509 certificate.
This led to a certificate validation problem. The Traefik connects to the WAF using its IP address, but the certificate's common name is a DNS name and it has no SAN with the VM's IP address.
The result is a 500 Internal Server Error returned by Traefik, as shown in the logs below.
On top of that, months ago, we faced a performance problem when we had multiple layers of the RPS doing SSL termination (see #2 (closed)), which led us to remove SSL termination on the NGINX container.
Desired Behavior
The Traefik, WAF and NGINX containers all run on the same VM, and are all part of the same Docker network. Neither the WAF nor the NGINX container exposes any port publicly. This means that only the Traefik can exchange data with them, and all data transits through the VM's loopback interface.
There is literally no gain in encrypting the traffic between those containers (there would be if they were on distinct VMs).
If we were to keep encrypting the traffic between the Traefik and WAF container, we would have to set up the following configuration in Traefik:
serversTransport:
  insecureSkipVerify: true
Thus accepting certificates that Traefik otherwise deems invalid.
This is why the better solution, which avoids reintroducing the performance problem and fixes the certificate validation issue, is to remove HTTPS from the WAF container.
Relevant Logs
2025-07-02T05:47:33Z ERR 500 Internal Server Error error="tls: failed to verify certificate: x509: cannot validate certificate for *.*.*.* because it doesn't contain any IP SANs"