Tyk OSS Gateway SSL & Deployment

Hello,

I am working on setting up Tyk open source gateway as an API Gateway to front a collection of services.

I am struggling to understand how to get certs & SSL set up correctly and I have a few questions around this.

First of all, my current setup involves configuring Tyk values to create a Kubernetes service with an AWS load balancer sitting in front of it. I configured the service with a selection of annotations including the following: service.beta.kubernetes.io/aws-load-balancer-backend-protocol=TCP. I then set tls=false in my Tyk values. With this setup, as I understand it, the load balancer will terminate SSL and forward the request to the Tyk service unencrypted.

I then registered an API with Tyk, with “https://example.com” as the target URL. Currently, when I try to send a request to the registered API, I get the error:

{
	"error": "There was a problem proxying the request"
}

And I see in the logs:

time="Jan 24 00:20:21" level=error msg="http: proxy error: x509: certificate signed by unknown authority" api_id=b46d900f-253b-4ef0-83b0-5865ea6a9fd0 api_name="My API" mw=ReverseProxy org_id=1 prefix=proxy server_name=example.com user_id=-- user_ip=xxxxx user_name=

I am a little confused about what the right setup is to get requests proxied encrypted to my APIs behind the gateway. Should I instead not be terminating SSL at the LB level?

I have copied the Tyk Gateway Helm Chart into my own repo, so that I can add my own certs signed by a proper authority. Is there a way that I can use the chart from here: tyk-helm-chart/tyk-headless at master · TykTechnologies/tyk-helm-chart · GitHub and have my own certs without doing the copy-paste into my own repo? I have no other customizations currently that I want to make, but this was what the documentation seemed to be instructing. Or should I just be modifying the Tyk env variable for pointing at cert files, and mounting them my own way?

I know this post has a few different questions and confusions, but any guidance would be greatly appreciated. Thank you!

Hi and welcome to the community :tada: @munroanna,

The log message you shared indicates that the Tyk Gateway does not trust the certificate on https://example.com.

However, when I test in my local environment with the standard Gateway image, I don’t get the error you’re getting - the request is proxied successfully - so I assume example.com is using a properly signed certificate. A quick inspection of the certificate using my browser agrees with this assumption - example.com is using a certificate issued by Digicert, and Digicert is generally a trusted Certificate Authority.

Have you somehow modified the Trust Store of your Gateway container?

For cases where a target upstream is using a self-signed or untrusted certificate, setting ssl_insecure_skip_verify: true in the proxy.transport section of the API definition gets past this error.

"proxy": {
  "target_url": "https://example.com/",
  ....
  "transport": {
    "ssl_insecure_skip_verify": true,
    ...
  },
  ...
}

Are you able to set this and try again?

The encryption state (encrypted or unencrypted) of requests between the Tyk Gateway and the targets behind it depends on how you have configured the target URL in the API definition.
A target URL of http://example.com would be unencrypted while https://example.com would be encrypted, and you don’t need a certificate on the Gateway itself for either.

Adding a certificate to your Gateway will only be relevant for the communication between your Load Balancer and Tyk. It would allow you to set service.beta.kubernetes.io/aws-load-balancer-backend-protocol=SSL

1 Like
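As an added check (example code, not Tyk's code and not part of either post above): a small audit that reads API definitions in the shape shown in the answer and flags the two weak upstream settings this thread discusses, a plain http target_url (gateway-to-upstream hop unencrypted) and ssl_insecure_skip_verify set to true (certificate verification disabled). The sample definitions, their api_id values and the internal-svc hostname are constructed.

```python
"""Audit Tyk API definitions for upstream TLS posture (added example, not
Tyk's own code; it reads proxy.target_url and
proxy.transport.ssl_insecure_skip_verify, the fields the thread discusses)."""
import json
from urllib.parse import urlsplit

# Constructed sample definitions in the shape shown in the answer above;
# api_id values and the internal hostname are placeholders.
SAMPLE_APIS = json.loads("""
[
  {"name": "My API", "api_id": "placeholder-api-id-1",
   "proxy": {"target_url": "https://example.com/",
             "transport": {"ssl_insecure_skip_verify": true}}},
  {"name": "Internal API", "api_id": "placeholder-api-id-2",
   "proxy": {"target_url": "http://internal-svc.default.svc:8080/"}},
  {"name": "Partner API", "api_id": "placeholder-api-id-3",
   "proxy": {"target_url": "https://example.com/",
             "transport": {"ssl_insecure_skip_verify": false}}}
]
""")

def audit_api(api):
    """Return the findings for one API definition (empty list = clean)."""
    findings = []
    proxy = api.get("proxy", {})
    target = proxy.get("target_url", "")
    scheme = urlsplit(target).scheme.lower()
    if scheme == "http":
        # The gateway -> upstream hop is plaintext whatever the LB does.
        findings.append("plaintext upstream: " + target)
    elif scheme != "https":
        findings.append("unrecognised target_url scheme: " + repr(target))
    if proxy.get("transport", {}).get("ssl_insecure_skip_verify") is True:
        # Silences 'certificate signed by unknown authority' by disabling
        # verification, so a spoofed upstream would be accepted too.
        findings.append("ssl_insecure_skip_verify enabled")
    return findings

def audit_all(apis):
    """Map API name -> findings, listing only APIs with at least one."""
    report = {}
    for api in apis:
        found = audit_api(api)
        if found:
            report[api.get("name", api.get("api_id", "?"))] = found
    return report

if __name__ == "__main__":
    for name, found in audit_all(SAMPLE_APIS).items():
        print(name + ": " + "; ".join(found))
```

Point audit_all at the API definitions exported from your Gateway to list every API that either talks plaintext to its upstream or has verification switched off, so the skip-verify workaround does not outlive the certificate problem it was meant to bypass.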