who proxies the proxies?:

29 January 2018

more weirder

so really nothing changed since the last post about proxies. the configuration held together and we practiced our shrugs.

UNTIL

ahmed came in with this insane piece of genius:

# the stream module is a dynamic module on this build, so it has to be loaded explicitly
load_module /usr/lib64/nginx/modules/ngx_stream_module.so;
error_log stderr notice;

worker_processes auto;
events {
    multi_accept on;
    use epoll;
    worker_connections 1024;
}

stream {
    # one server line per kube-master, rendered by ansible from the inventory
    upstream kub.com {
        least_conn;
{% for item in groups['kube-master'] %}
        server {{ hostvars[item]['ansible_host'] }}:6443;
{% endfor %}
    }

    # plain tcp listener: bytes go straight through to the upstream, no tls here
    server {
        listen        0.0.0.0:443;
        proxy_pass    kub.com;
        proxy_timeout 10m;
        proxy_connect_timeout 1s;
    }
}

after walking off all ‘psshhhh you can put whatever listener you want on port 443, if there’s no certs in the config, it’s not encrypted, so what’s the point?’, ahmed made me take a better look at the code…

what in the facking what is that?

what the crack is a stream? i know enginicks right?

soooo what i’m sort of getting to grips with is that this is effectively a tcp pass-through tunnel that doesn’t do any ssl negotiation itself - the client’s tls handshake goes straight through to the api server on 6443, which handles it. it’s neat. it werks. i need 2 read about it more.

some quirks:

not all nginx versions come with the module compiled. luckily, the nginx binary served by our centos distro has the module enabled. UNluckily, stream doesn’t have any logging capabilities without the ngx_stream_log_module (which our nginx binary decidedly does not have :( )
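to check what a given binary was actually built with before relying on it, here is a small POSIX sh helper i’m adding to the post (not something from the original config or from ahmed): it reads the `configure arguments:` line that `nginx -V` prints and says whether stream is static, dynamic or missing, and whether the stream log module can exist at all. the 1.11.4 cutoff is a fact about nginx (ngx_stream_log_module arrived in that release), and the sample `nginx -V` output is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: classify an nginx binary's
# compile-time stream support from the text that `nginx -V` prints.

# Prints none | static | dynamic for the given configure-arguments line.
stream_build_type() {
    case " $1 " in
        *" --with-stream=dynamic "*) echo dynamic ;;
        *" --with-stream "*)         echo static ;;
        *)                           echo none ;;
    esac
}

# ngx_stream_log_module is built together with the stream module since
# nginx 1.11.4 (nginx fact, not from the post) unless it was explicitly
# dropped with --without-stream_log_module. Prints yes | no.
stream_log_available() {
    version="$1"; args="$2"
    [ "$(stream_build_type "$args")" != none ] || { echo no; return; }
    case " $args " in *" --without-stream_log_module "*) echo no; return ;; esac
    # compare major.minor.patch against 1.11.4 numerically
    set -- $(echo "$version" | tr . ' ')
    if [ "$1" -gt 1 ] || { [ "$1" -eq 1 ] && { [ "$2" -gt 11 ] || { [ "$2" -eq 11 ] && [ "$3" -ge 4 ]; }; }; }; then
        echo yes
    else
        echo no
    fi
}

# Takes the full captured `nginx -V` output (it goes to stderr, so use 2>&1)
# and prints a one-line summary. Usage: report_nginx_stream "$(nginx -V 2>&1)"
report_nginx_stream() {
    version=$(printf '%s\n' "$1" | sed -n 's/^nginx version: nginx\///p')
    args=$(printf '%s\n' "$1" | sed -n 's/^configure arguments: //p')
    echo "nginx $version stream=$(stream_build_type "$args") stream_log=$(stream_log_available "$version" "$args")"
}

# Constructed sample, shaped like `nginx -V` from a distro build that ships
# stream as a dynamic module (which the load_module line above implies).
SAMPLE_V='nginx version: nginx/1.12.2
built by gcc 4.8.5 20150623 (Red Hat 4.8.5-16) (GCC)
configure arguments: --prefix=/usr/share/nginx --with-stream=dynamic --with-http_ssl_module'

report_nginx_stream "$SAMPLE_V"
```

if it says `stream=none` the `load_module` line will fail at startup; if it says `stream_log=no` then an `access_log` directive inside `stream {}` is simply not available on that binary.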

i’ve found the c code but i reeeeeeeeeally don’t want to compile my own version of nginx just to have some sort of logging and anyway wtv this is stupid we should be using an ingress wtf :/