You can reissue the certs to include an IP SAN for the host’s IP. At the moment it fails as a protection against MITM: unless the IP is explicitly stated in the IP SAN, it doesn’t meet the spec for a valid SSL cert.
Sounds like it would work, but for me it is not a possibility because the issuer won't reissue it. Is there a way to mask the IP, or perhaps is it something to do with routing configs?
How can I possibly achieve this without reissuing the certificate? Also, is there a way to debug the connection, because I feel there must be more information I can check apart from the dashboard log error I posted?
So, I was able to accomplish my goal by adding proxy_ssl_insecure_skip_verify to the gateway config and adding a transformation replacing the X-FORWARDED-FOR header IP with the correct one.
Adding routes and messing with iptables within my Docker container did not work because of the TCP handshake protocol.
Is this solution OK, or am I tempting fate by using the X-FORWARDED-FOR header? I am pretty new to Tyk, so I don’t fully know the implications of this. The upstream host seemingly uses that for IP identification.