TLS handshake error


#1

Hi,
I am using hydra version “oryd/hydra:v1.0.0-beta.9” with “server all” and it works great but when I deployed it behind a load balancer, I am getting these errors “http: TLS handshake error from 10.10.10.x:x: tls: first record does not look like a TLS handshake” and “http: TLS handshake error from 100.96.22.1:x: EOF” repeatedly in kubernetes pod logs, just the value of x keeps on changing. Also, when I try to hit any endpoint via browser, I get 502 Bad Gateway in response.

Can anyone help me in understanding what is the causing this issue and also how does allow_termination_from flag works.

TIA


#2

The flag forces Hydra into HTTP mode (an error tls: first record does not look like a TLS handshake always indicates that you’re expecting HTTPS but did not get HTTPS but - for example - HTTP. This can happen when you call https://foobar.com:443 but the 443 port is actually serving HTTP not HTTPS).

The idea of HTTPS_ALLOW_TERMINATION_FROM is to force Hydra into HTTP mode as it expects the LB or API Gateway to handle TLS Termination: https://en.wikipedia.org/wiki/TLS_termination_proxy


#3

Thanks for the response.
This error is because LB is sending HTTP request but hydra is expecting HTTPS. As per my understanding we have two options to resolve this, first one being forcing hydra to run in HTTP using –dangerous-force-http, If LB has proper certificates, will it be fine to force HTTP in production ? and second option is using HTTPS_ALLOW_TERMINATION_FROM for which I think I have to set IP address of every client who wants to connect with hydra.

If there is any other options please let me know and also which of the above do you recommend.


#4

If you have set HTTPS_ALLOW_TERMINATION_FROM and it’s not working it’s likely due to a misconfiguration. Can you please share your full config file / env vars?


#5

Hi, I am setting IP as an env var

name: HTTPS_ALLOW_TERMINATION_FROM
value: 106.51.x.x/32

But getting error

level=warning msg=“Could not serve http connection” error=“Remote address 10.12.x.x does not match cidr ranges [106.51.x.x/32]”

I believe hydra is not picking up the address from where request originated but the last redirected address before hitting the server.


#6

Hi @arekkas, I have added OAUTH2_ISSUER_URL, HTTPS_ALLOW_TERMINATION_FROM, DATABASE_URL, OAUTH2_CONSENT_URL, OAUTH2_LOGIN_URL, OAUTH2_ERROR_URL and SYSTEM_SECRET as ENV VARs.
Any help would be much appreciated.