0

My k8s pod is connecting to a certain https target. This target is not reachable from my local machine, so I wanted to use kubectl proxy + socat to make that target available on my local machine für local development.

The problem is that I even cant get socat working and Im very confused why.

First I check connection to target on my pod:

curl -v -k https://target/rest/
Trying 54.136.137.42:443...
* TCP_NODELAY set

[...]

{"message":"key header missing"}

This message is the default response from target when one dont provide authentication information, so everything is ok.

Now I use socat with local port 1234:

socat tcp-listen:1234,reuseaddr,fork tcp:target:443

But when I now try to curl the target, I just get a 404, just as the socat never was started. Should that work? Do I use socat wrongly? Does it has something to do with TLS?

HTTP:

curl -v -k http://localhost:1234/rest/
*   Trying ::1:1234...
* TCP_NODELAY set
* connect to ::1 port 1234 failed: Connection refused
*   Trying 127.0.0.1:1234...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 1234 (#0)
> GET /rest/ HTTP/1.1
> Host: localhost:1234
> User-Agent: curl/7.68.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Mon, 17 Jul 2023 07:49:05 GMT
< Content-Length: 19
< 404 page not found
* Connection #0 to host localhost left intact

HTTPS:

curl -v -k https://localhost:1234/rest/
*   Trying ::1:1234...
* TCP_NODELAY set
* connect to ::1 port 1234 failed: Connection refused
*   Trying 127.0.0.1:1234...
* TCP_NODELAY set
* Connected to localhost (127.0.0.1) port 1234 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: C=DE; ST=NRW; L=Munich; O=AG; CN=digital-int.app.intra.net
*  start date: Dec  2 08:20:52 2021 GMT
*  expire date: Dec  2 08:20:52 2023 GMT
*  issuer: C=DE; O=AG; CN=Corp-Issuing-CA01-G2
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x5997a85d52f0)
> GET /rest/ HTTP/2
> Host: localhost:1234
> user-agent: curl/7.68.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 404
< content-type: text/plain; charset=utf-8
< x-content-type-options: nosniff
< content-length: 19
< date: Mon, 17 Jul 2023 11:40:36 GMT
<
404 page not found
* Connection #0 to host localhost left intact
dontspeak
  • 3
  • 2
  • The last curl has `http://` instead of `https://`. – AlexD Jul 17 '23 at 10:05
  • I tried it already before, basically its the same, a 404 is returned. `curl -v -k https://localhost:1234/rest/ * Trying ::1:1234... * TCP_NODELAY set [...] * TLSv1.3 (IN), TLS handshake, Newsession Ticket (4): * Connection state changed (MAX_CONCURRENT_STREAMS == 250)! < HTTP/2 404 < content-type: text/plain; charset=utf-8 < x-content-type-options: nosniff < content-length: 19 < date: Mon, 17 Jul 2023 10:15:03 GMT < 404 page not found * Connection #0 to host localhost left intact` – dontspeak Jul 17 '23 at 10:19
  • It shows connection to IPv6 `::1:1234` while your `socat` listens on IPv4 `127.0.0.1:1234` – AlexD Jul 17 '23 at 10:23
  • thats also not the root cause, curl just tries ipv6 first, then ipv4, see above curl output – dontspeak Jul 17 '23 at 10:56
  • The `curl` output you posted as a comment doesn't show a connection to `127.0.0.1`. Update your question with the proper output without random editing. – AlexD Jul 17 '23 at 11:01
  • I removed parts because the output was way to long for a comment, I will update the question with the https curl – dontspeak Jul 17 '23 at 11:39

1 Answers1

0

It looks like socat is working as intended. You are getting 404 because the request sent to the target contains Host: localhost:1234. You need to modify your curl command as the following:

curl -v -k https://target/rest/ --connect-to target:443:127.0.0.1:1234

AlexD
  • 8,747
  • 2
  • 29
  • 38
  • Well this call works (thx so far) but tbh now I'm totally confused. My aim is to locally be able to call a service running under `https://target/rest`. `https://target/rest` is only accessible from the pod, and *not accessible* from my local laptop. So after having that service available on the pod at `localhost:1234`, on my laptop I wanted to start `kubectl port-forward podname 1234:5678` to finally be able to call the service on my laptop via `https://localhost:5678`. I hope I have explained that now well. – dontspeak Jul 17 '23 at 14:16
  • You can override the hostname for `target` to `127.0.0.1` permanently in the `/etc/hosts`. – AlexD Jul 17 '23 at 14:26
  • actually I got it working now by setting the host via -H. I can do the same accordingly in Postman or my http class in java code. The wrong "Host: localhost:1234" http header actually was the reason. Thank you so much! – dontspeak Jul 17 '23 at 14:30