TLS handshake error

chakshu222 · April 22, 2019, 1:00pm

Hi,
I am using hydra version “oryd/hydra:v1.0.0-beta.9” with “server all” and it works great but when I deployed it behind a load balancer, I am getting these errors “http: TLS handshake error from 10.10.10.x:x: tls: first record does not look like a TLS handshake” and “http: TLS handshake error from 100.96.22.1:x: EOF” repeatedly in kubernetes pod logs, just the value of x keeps on changing. Also, when I try to hit any endpoint via browser, I get 502 Bad Gateway in response.

Can anyone help me in understanding what is the causing this issue and also how does allow_termination_from flag works.

TIA

hackerman · April 23, 2019, 6:59am

The flag forces Hydra into HTTP mode (an error tls: first record does not look like a TLS handshake always indicates that you’re expecting HTTPS but did not get HTTPS but - for example - HTTP. This can happen when you call https://foobar.com:443 but the 443 port is actually serving HTTP not HTTPS).

The idea of HTTPS_ALLOW_TERMINATION_FROM is to force Hydra into HTTP mode as it expects the LB or API Gateway to handle TLS Termination: https://en.wikipedia.org/wiki/TLS_termination_proxy

chakshu222 · April 24, 2019, 7:03am

Thanks for the response.
This error is because LB is sending HTTP request but hydra is expecting HTTPS. As per my understanding we have two options to resolve this, first one being forcing hydra to run in HTTP using –dangerous-force-http, If LB has proper certificates, will it be fine to force HTTP in production ? and second option is using HTTPS_ALLOW_TERMINATION_FROM for which I think I have to set IP address of every client who wants to connect with hydra.

If there is any other options please let me know and also which of the above do you recommend.

hackerman · April 24, 2019, 9:37am

If you have set HTTPS_ALLOW_TERMINATION_FROM and it’s not working it’s likely due to a misconfiguration. Can you please share your full config file / env vars?

chakshu222 · April 24, 2019, 1:30pm

Hi, I am setting IP as an env var

name: HTTPS_ALLOW_TERMINATION_FROM
value: 106.51.x.x/32

But getting error

level=warning msg=“Could not serve http connection” error=“Remote address 10.12.x.x does not match cidr ranges [106.51.x.x/32]”

I believe hydra is not picking up the address from where request originated but the last redirected address before hitting the server.

chakshu222 · May 3, 2019, 8:01am

Hi @hackerman, I have added OAUTH2_ISSUER_URL, HTTPS_ALLOW_TERMINATION_FROM, DATABASE_URL, OAUTH2_CONSENT_URL, OAUTH2_LOGIN_URL, OAUTH2_ERROR_URL and SYSTEM_SECRET as ENV VARs.
Any help would be much appreciated.