Secure service using SSL on EnRoute Standalone Gateway

January 21, 2021

EnRoute Universal Gateway

EnRoute Universal Gateway is a flexible API gateway built to support traditional and cloud-native use cases. It is designed to run either as a Kubernetes Ingress Gateway, a Standalone Gateway, a horizontally scaling L7 API gateway, or a mesh of gateways. EnRoute can support a wide range of topologies: depending on the needs of the user, the environment and the application, one or many of these solutions can be deployed. EnRoute also supports plugins/filters to extend functionality and enforce policies. The features page lists the available plugins for the gateway, and more details about each plugin can be found on the plugin pages.

A consistent policy framework across all these network components makes the EnRoute Universal Gateway a versatile and powerful solution.

This article covers how to get started with the EnRoute Standalone Gateway.

What this article covers

Setting up the EnRoute gateway is shown in four simple steps. This is the second step, where an SSL certificate is attached to a service object so that the gateway terminates SSL traffic.

Create SSL Certificate

We use openssl to create a self-signed certificate and private key for enroute.local, which will be used in this example.

    openssl req -new -newkey rsa:2048 -days 36500 -nodes -x509 \
        -subj "/C=US/ST=Denial/L=Springfield/O=Dis/CN=enroute.local" \
        -keyout enroute.local.key -out enroute.local.cert

You can inspect the certificate with

    openssl x509 -in enroute.local.cert -text -noout

Create secret

The secret object holds the created key and certificate. A secret object can be associated with a service object.

Create the secret object

    curl -s -X POST localhost:1323/secret -d "Secret_Name"="enroute_secret"

Populate the key in the secret object with the key created in the earlier step

    curl -s -X POST localhost:1323/secret/enroute_secret/key -F Secret_key=@enroute.local.key

Populate the cert in the secret object with the cert created in the earlier step

    curl -s -X POST localhost:1323/secret/enroute_secret/cert -F Secret_cert=@enroute.local.cert

Show the secret object

    curl -s localhost:1323/secret
    {
      "data": {
        "saaras_db_secret": [
          {
            "secret_name": "enroute_secret",
            "secret_key": "-----BEGIN PRIVATE KEY-----\nMIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQCzYQxOQ52N47Ls\nUaTY11OrM5LrTwchE9R2DHXjGMYM3nI7j8cAOQP+S1/9nZXqBSa5PH0rt0AZFMj3\nhoZb6TZJpuguaVTEc80NL+peFeKAwxx7Em1vQz38QRfmxL0TIkCG4rKeGCmVeoLq\nBCLasWhzNYUh0lXBCWP6tRSEddV/6dcGvI3mkriKcKkFzkCXt1fkKogQy8/69Ees\n6AI2l5HpUw+opvLDoyHi7/Nw0ElZQZ2e7T763LqBk6dsX16v1MSI4CFJLo8EPcJu\ndnOTOSnnX5chGDV4qGG/AcWIyLhMWiKllywJAys3/GL1xCTJmfREnpGExVfhpRgk\ny8M6pZpvAgMBAAECggEAUbcRIwocWQn0dUFQJlQZUnFhKX7L0Z6197z/ax/bAPvI\n8Cc0UX6nug1eQiuqonwMQvAyWVrWgVZ9on0O8gnQaEb3mET1j7TtIWfFjWzMzTmU\n3N/tKHVqZGLG36KaO4AsAwZ8thZtwyGXR8Hwms2ctncYGes2k4SSniAlo54GT4lT\nv8/jIZjnYfo49c4vjwCUlaQR2gPJpXinJFuGw0ubM6/nljEpWnQP+NnxBRcg9qI/\ndg5GJrO3e8FGwN/wTkT4P2ARMhrsFM6annzXupol2jJ4+uApMLH76ACx6Zs1IyFe\nihii6ddaBNepSr7n7Tw8qk6SXizIwE8t3G5TDP4C4QKBgQDuw9UomdmeTi0XASay\n6033f3ns6S0xxgW3WdrCGa8Pu46QufjC1jf77zzU3JVELlqaoNJWg4juGtv9lhKC\nMexPU05kOyh2a0pjs2gaUCdQimhceV89rskkR5P4ZxC7sWt921te3+xGSJyXP9L5\nfIfcj2PDSfydHEXcZEpuPAsYcQKBgQDAU9EEGbYeXpVmaBhPAeR0MMopy6Qb15n3\n4/fl8Sx3ys4dSC1zC6ZPgY2QInEkyxyabdzKZQNDNZYFLKI9Iuj+XlKQLnYQXjUi\niyUR6oB8TFG+MqZeYOGGP9VeQdseq36MaGtqxPfSCww5jNU32nNBF/3x0S81FuJq\n36xFNthQ3wKBgBnmSkgGMFH4vvFg4ZbE6YcwX8RwIsPkbBhQeedWK+Qz/yn50l8o\nJ5h/ggTBDLwBnzhou4hA6miRp01hqw5OZgjQy48Zz7DQwJgCDQfVq/4TlXB6hfdF\n73GtBgMLAwipHTTgx4+KELIrDDln5fXEKWSmdTbo3qsYNwfKJTzB7J4xAoGBAJR1\n3sl4g3GL9212exU507yxEM0UihiH5C1LR0ezVG0gGtzVo2fEHVwQGFOjko0hUHIQ\nzjdZpBwUWDqkSpRAx3PbIYZ0puRZpFCG8lWTHB1W2F6mQHBn/o6f5bd9xIQ3Q1dl\nH03qv5Xeu1ANW2Vi9kbQG1G39OXZRWvUPumqvW4nAoGBAKs0TMp552/bDY0NNKC4\nrKKGRwdKSnOOmtZ0LEswrg3JZ954xc/34MW0tE075f6sh9f4lyDEEtv2M3kd/XHc\ntgT2E+WptvlYjBJgYvttOHIhUR7q/3moSQT3DXgmarFMIs6vi09yDQ/NRhjpzslp\nbkg3EYj0bFap3zLPztVKdV3M\n-----END PRIVATE KEY-----\n",
            "secret_cert": "-----BEGIN CERTIFICATE-----\nMIIDfTCCAmWgAwIBAgIJAJR+zXbCQrERMA0GCSqGSIb3DQEBCwUAMFQxCzAJBgNV\nBAYTAlVTMQ8wDQYDVQQIDAZEZW5pYWwxFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQww\nCgYDVQQKDANEaXMxEDAOBgNVBAMMB2Vucm91dGUwIBcNMjEwMTI1MDUzODI4WhgP\nMjEyMTAxMDEwNTM4MjhaMFQxCzAJBgNVBAYTAlVTMQ8wDQYDVQQIDAZEZW5pYWwx\nFDASBgNVBAcMC1NwcmluZ2ZpZWxkMQwwCgYDVQQKDANEaXMxEDAOBgNVBAMMB2Vu\ncm91dGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCzYQxOQ52N47Ls\nUaTY11OrM5LrTwchE9R2DHXjGMYM3nI7j8cAOQP+S1/9nZXqBSa5PH0rt0AZFMj3\nhoZb6TZJpuguaVTEc80NL+peFeKAwxx7Em1vQz38QRfmxL0TIkCG4rKeGCmVeoLq\nBCLasWhzNYUh0lXBCWP6tRSEddV/6dcGvI3mkriKcKkFzkCXt1fkKogQy8/69Ees\n6AI2l5HpUw+opvLDoyHi7/Nw0ElZQZ2e7T763LqBk6dsX16v1MSI4CFJLo8EPcJu\ndnOTOSnnX5chGDV4qGG/AcWIyLhMWiKllywJAys3/GL1xCTJmfREnpGExVfhpRgk\ny8M6pZpvAgMBAAGjUDBOMB0GA1UdDgQWBBQrbdLP0vEthm7MGWD541CS+V5mDDAf\nBgNVHSMEGDAWgBQrbdLP0vEthm7MGWD541CS+V5mDDAMBgNVHRMEBTADAQH/MA0G\nCSqGSIb3DQEBCwUAA4IBAQBwWXgP6d/bSd7DnPIT39yl8WTpCE9fgZ8/OQ5ALRRO\nWUo63HtUkzKi+SNLgoQij0BRw+wSZaA54o9HP/SPHoNmbSD3kxe9BBo39js3GjV3\nC8sVyXU6a+IY3OhTcESAJIL8WAk5qLxliCook1Bnj7VLWI9KF/tJl8FDQpvejBhS\neP4T6A2b7GLMkZGnVcPF2qH6QF4J/a4mKF4p8tRlFqBVWe3/NQwRRLtUDCheTtBL\neHWdJCm2if0ZYJ9XyvDpNR875PgXShAHJswluA3CWVXGOm57IXtILO0HIYR4LVKf\nnVgXkk/lLgjFl4mRUUnIakB76JTOgDC/dNhDDwKbg0MZ\n-----END CERTIFICATE-----\n",
            "secret_sni": "",
            "create_ts": "2021-01-25T05:38:46.61474+00:00",
            "update_ts": "2021-01-25T05:40:27.931632+00:00"
          }
        ]
      }
    }

Attach the secret to the service

Note that the service demo was created in the first step, when the EnRoute standalone gateway was set up.

    curl -s -X POST localhost:1323/service/demo/secret/enroute_secret

Update fqdn on service

    curl -X PATCH "http://localhost:1323/service/demo" -d 'fqdn=enroute.local'

Dump service

    curl -s localhost:1323/service/dump/demo

Send traffic

Send a request to the listener

    curl -k -vvv https://enroute.local:8443 --resolve enroute.local:8443:127.0.0.1

Check envoy stats

    curl -k -vvv http://localhost:9001/stats
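A check worth running after the steps above: confirm that the certificate Envoy presents on port 8443 for the fqdn enroute.local is the one stored in the enroute_secret object, rather than trusting the `curl -k` request alone. This is an added example, not code from the EnRoute project; it assumes the admin API on localhost:1323 and the listener on 8443 as in this article, reads the same `data.saaras_db_secret` shape as the secret dump shown above, and uses a constructed sample dump (not a real certificate) for offline use. The function names are my own.

```python
import hashlib
import json
import socket
import ssl

# Constructed sample in the shape of the gateway's /secret dump; the PEM body is
# base64 of the bytes b"constructed", not a real certificate.
SAMPLE_SECRET_DUMP = json.dumps({"data": {"saaras_db_secret": [{
    "secret_name": "enroute_secret",
    "secret_cert": "-----BEGIN CERTIFICATE-----\nY29uc3RydWN0ZWQ=\n-----END CERTIFICATE-----\n",
}]}})


def sha256_fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 fingerprint, same layout as `openssl x509 -fingerprint -sha256`."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def expected_fingerprint_from_secret_dump(dump_json: str, secret_name: str) -> str:
    """Fingerprint of the PEM certificate stored in the named secret object of a /secret response."""
    for secret in json.loads(dump_json)["data"]["saaras_db_secret"]:
        if secret["secret_name"] == secret_name:
            return sha256_fingerprint(ssl.PEM_cert_to_DER_cert(secret["secret_cert"]))
    raise KeyError(f"no secret object named {secret_name!r} in dump")


def served_fingerprint(host: str, port: int, sni: str, timeout: float = 5.0) -> str:
    """Fingerprint of the leaf certificate the listener presents for the given SNI name.

    Verification is disabled on purpose (the equivalent of `curl -k`): the question is
    *which* certificate is served, not whether a CA trusts a self-signed one. `host`
    plays the role of curl's --resolve target; `sni` is the fqdn set on the service."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return sha256_fingerprint(tls.getpeercert(binary_form=True))


def secret_is_served(dump_json: str, secret_name: str, host: str, port: int, sni: str) -> bool:
    """True when the stored secret and the served certificate have the same fingerprint."""
    return expected_fingerprint_from_secret_dump(dump_json, secret_name) == served_fingerprint(host, port, sni)


if __name__ == "__main__":
    import urllib.request
    dump = urllib.request.urlopen("http://localhost:1323/secret").read().decode()
    print("gateway serves enroute_secret:",
          secret_is_served(dump, "enroute_secret", "127.0.0.1", 8443, "enroute.local"))
```

A mismatch usually means the secret was attached to a different service object, the fqdn on the service does not match the SNI sent by the client, or the gateway has not yet pushed the new listener configuration to Envoy.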

Next steps

EnRoute standalone gateway provides simple APIs to configure the Envoy proxy. Additionally, you can -