Dashboard and Tyk SSL


#1

Hello,
We’re having problems setting up SSL in one of our environments. Everything seems to work OK, but when we click on ‘+ADD KEY’ from the dashboard, we see error messages in the logs:

Dash Log

time="Feb 22 20:36:31" level=error msg="Failed to unmarshal error: invalid character '<' looking for beginning of value"

Tyk Log

2019/02/22 20:36:31 http: TLS handshake error from 10.66.11.24:43878: tls: first record does not look like a TLS handshake

tyk.conf

{
  "listen_port": 8080,
  "proxy_ssl_insecure_skip_verify": true,
  "node_secret": "",
  "secret": "",
  "template_path": "/opt/tyk-gateway/templates",
  "tyk_js_path": "/opt/tyk-gateway/js/tyk.js",
  "use_db_app_configs": true,
  "db_app_conf_options": {
        "connection_string": "https://gate202-sheriff-dash.dev.lgscout.com",
        "node_is_segmented": false,
        "tags": []
  },
  "disable_dashboard_zeroconf": false,
  "app_path": "/opt/tyk-gateway/apps",
  "middleware_path": "/opt/tyk-gateway/middleware",
  "storage": {
    "type": "redis",
    "host": "gate202-sheriff-redis",
    "port": 6379,
    "username": "",
    "password": "",
    "database": 0,
    "optimisation_max_idle": 2000,
    "optimisation_max_active": 4000
  },
  "enable_analytics": true,
  "analytics_config": {
    "type": "mongo",
    "pool_size": 100,
    "csv_dir": "/tmp",
    "mongo_url": "",
    "mongo_db_name": "",
    "mongo_collection": "",
    "purge_delay": 100,
    "ignored_ips": [],
    "enable_detailed_recording": false,
    "enable_geo_ip": false,
    "geo_ip_db_path": "",
    "normalise_urls": {
          "enabled": true,
          "normalise_uuids": true,
          "normalise_numbers": true,
          "custom_patterns": []
      }
  },
  "health_check": {
    "enable_health_checks": true,
    "health_check_value_timeouts": 60
  },
  "optimisations_use_async_session_write": true,
  "allow_master_keys": false,
  "policies": {
    "policy_source": "service",
    "policy_connection_string": "https://gate202-sheriff-dash.dev.lgscout.com",
    "allow_explicit_policy_id": true
  },
  "hash_keys": true,
  "suppress_redis_signal_reload": false,
  "use_redis_log": true,
  "close_connections": false,
  "enable_non_transactional_rate_limiter": true,
  "enable_sentinel_rate_limiter": false,
  "enforce_org_quotas": true,
  "experimental_process_org_off_thread": true,
  "local_session_cache": {
    "disable_cached_session_state": false
  },
  "http_server_options": {
    "use_ssl": true,
    "server_name": "lgscout.com",
    "min_version": 771,
    "certificates": [
      {
        "domain_name": "*.lgscout.com",
        "cert_file": "/etc/ssl/tyk/tyk-sheriff.pem",
        "key_file": "/etc/ssl/tyk/tyk-sheriff.key"
      }
    ],
    "ssl_insecure_skip_verify": true
  },
  "uptime_tests": {
    "disable": false,
    "config": {
      "enable_uptime_analytics": true,
      "failure_trigger_sample_size": 2,
      "time_wait": 10,
      "checker_pool_size": 50
    }
  },
  "hostname": "",
  "enable_custom_domains": true,
  "enable_jsvm": true,
  "oauth_redirect_uri_separator": ";",
  "coprocess_options": {
    "enable_coprocess": false,
    "coprocess_grpc_server": ""
  },
  "pid_file_location": "./tyk-gateway.pid",
  "allow_insecure_configs": false,
  "public_key_path": "/opt/tyk-gateway/.ssh/tyk_public.pem",
  "close_idle_connections": false,
  "allow_remote_config": false,
  "enable_bundle_downloader": true,
  "bundle_base_url": "",
  "global_session_lifetime": 100,
  "force_global_session_lifetime": false,
  "max_idle_connections_per_host": 100
}

tyk_analytics.conf

{
  "listen_port": 443,
  "tyk_api_config": {
    "Host": "http://gate202-sheriff-proxy",
    "Port": "8080",
    "Secret": ""
  },
  "mongo_url": "mongodb://tyk:[email protected]/tyk_analytics",
  "mongo_use_ssl": false,
  "mongo_ssl_insecure_skip_verify": false,
  "page_size": 50,
  "admin_secret": "",
  "shared_node_secret": "",
  "redis_port": 6379,
  "redis_host": "gate202-sheriff-redis",
  "redis_password": "ajcGPCUbvWUHZXi3",
  "enable_cluster": false,
  "force_api_defaults": false,
  "notify_on_change": true,
  "license_key": "",
  "redis_database": 0,
  "redis_hosts": null,
  "hash_keys": true,
  "email_backend": {
    "enable_email_notifications": false,
    "code": "",
    "settings": null,
    "default_from_email": "",
    "default_from_name": "",
    "dashboard_hostname": ""
  },
  "hide_listen_path": false,
  "sentry_code": "",
  "sentry_js_code": "",
  "use_sentry": false,
  "enable_master_keys": false,
  "enable_duplicate_slugs": true,
  "show_org_id": true,
  "host_config": {
    "enable_host_names": true,
    "disable_org_slug_prefix": true,
    "hostname": "10.66.11.23",
    "override_hostname": "gate202-sheriff-dash",
    "portal_domains": {},
    "portal_root_path": "/portal",
    "generate_secure_paths": false,
    "secure_cookies": false,
    "use_strict_hostmatch": false
  },
  "http_server_options": {
    "use_ssl": true,
    "server_name": "lgscout.com",
    "min_version": 771,
    "certificates": [
      {
        "domain_name": "*.lgscout.com",
        "cert_file": "/etc/ssl/tyk/tyk-sheriff.pem",
        "key_file": "/etc/ssl/tyk/tyk-sheriff.key"
      }
    ]
  },

  "security": {
    "login_failure_username_limit": 0,
    "login_failure_ip_limit": 0,
    "login_failure_expiration": 0,
    "audit_log_path": ""
  },
  "ui": {
    "languages": {
      "Chinese": "cn",
      "English": "en",
      "Korean": "ko"
    },
    "hide_help": false,
    "default_lang": "en",
    "login_page": {},
    "nav": {},
    "uptime": {},
    "portal_section": null,
    "designer": {},
    "dont_show_admin_sockets": false,
    "dont_allow_license_management": false,
    "dont_allow_license_management_view": false
  },
  "home_dir": "/opt/tyk-dashboard",
  "identity_broker": {
    "enabled": false,
    "host": {
      "connection_string": "http://localhost:3010",
      "secret": ""
    }
  },
  "tagging_options": {
    "tag_all_apis_by_org": false
  },
  "use_sharded_analytics": false,
  "enable_aggregate_lookups": true,
  "enable_analytics_cache": false,
  "aggregate_lookup_cutoff": "01/07/2016",
  "maintenance_mode": false,
  "allow_explicit_policy_id": false,
  "private_key_path": "/opt/tyk-dashboard/.ssh/tyk_private.pem",
  "node_schema_path": "",
  "oauth_redirect_uri_separator": ";",
  "statsd_connection_string": "",
  "statsd_prefix": "",
  "disable_parallel_sessions": false,
  "dashboard_session_lifetime": 0
}

#2

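You are trying to access the gateway with HTTP instead of HTTPS. The "first record does not look like a TLS handshake" error in the Tyk log is what a TLS listener reports when it receives a plaintext request. In tyk.conf you have http_server_options.use_ssl set to true, but in tyk_analytics.conf you set tyk_api_config.Host to "http://gate202-sheriff-proxy". Can you try changing it to "https://gate202-sheriff-proxy"?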


#3

Thank you, this was helpful. I actually don’t want to use SSL between the Gateway and the Dashboard, only between the Dashboard and the outside world. So I removed the HTTPS settings from tyk.conf and am running the gateway over plain HTTP (non-TLS).