♻️ Traefik L7
RPS Service Release: R24
Actual Behavior
SSL termination is done on the WAF container, which requires Traefik to run on layer 4 and route the TCP packets for HTTPS directly (TCP passthrough), without interpreting the contained HTTP request.
The Traefik L4 does HTTPS routing using what is called HostSNI: since the request is encrypted, it cannot use the HTTP Host header, so instead it will use the SNI field of the TLS certificate used during the handshake.
This introduces some unneeded complexity if the Traefik L4 is behind another reverse proxy or load balancer that does its own SSL termination. Any certificate used in the bubble would need to be pushed to that reverse proxy or load balancer; otherwise they might provide us with a wildcard certificate that Traefik L4 would not be able to use for routing using HostSNI.
Desired Behavior
SSL Termination should be moved to the Traefik so that we can put it on layer 7 instead.
This way, we can route requests using the request's Host header.
This has the side effect of making the Proxy protocol introduced in config-controller!14 (merged) no longer required.
Relevant Logs
N/A
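The two routing modes described above, side by side, as an added example that is not taken from the project's configuration. It assumes Traefik v2 file-provider syntax; the hostname, router and service names, ports, certificate paths and the placement of the PROXY protocol setting are placeholders or assumptions.

```yaml
# Constructed example in Traefik v2 file-provider syntax. Hostname, service
# names, ports and certificate paths are placeholders, not project values.

# Current behavior: layer 4, TLS passthrough to the WAF
tcp:
  routers:
    waf-l4:
      entryPoints: ["websecure"]
      # Matches the server name the client sends in the TLS ClientHello;
      # the Host header is encrypted and never seen by Traefik.
      rule: "HostSNI(`app.example.test`)"
      service: waf-tls
      tls:
        passthrough: true          # Traefik does not decrypt
  services:
    waf-tls:
      loadBalancer:
        # Assumed placement of the PROXY protocol setting: it carries the
        # client address to the WAF, since no HTTP header can be added.
        proxyProtocol:
          version: 2
        servers:
          - address: "waf:443"
---
# Desired behavior: layer 7, TLS terminated on Traefik
http:
  routers:
    waf-l7:
      entryPoints: ["websecure"]
      rule: "Host(`app.example.test`)"   # routed on the decrypted request
      service: waf-http
      tls: {}                      # terminate TLS on this router
  services:
    waf-http:
      loadBalancer:
        servers:
          # Client address now arrives in X-Forwarded-For instead.
          - url: "http://waf:8080"
tls:
  certificates:
    - certFile: "/certs/app.example.test.crt"   # placeholder path
      keyFile: "/certs/app.example.test.key"    # placeholder path
```

In the layer 7 form the hop from Traefik to the WAF is cleartext HTTP in this sketch, so it should stay on a private network or be re-encrypted, and the WAF should accept `X-Forwarded-For` only from Traefik's address.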