From 80412d6c965dbacb7a739123cbf4c175083d556b Mon Sep 17 00:00:00 2001 From: Sarthak Agrawal Date: Fri, 9 Aug 2024 14:58:09 -0600 Subject: [PATCH 1/8] Add guide for TLS Route in site Problem: Site did not have a guide for TLS Route Solution: I wrote a guide for it. --- .../tls-passthrough-routing.md | 194 ++++++++++++++++++ 1 file changed, 194 insertions(+) create mode 100644 site/content/how-to/traffic-management/tls-passthrough-routing.md diff --git a/site/content/how-to/traffic-management/tls-passthrough-routing.md b/site/content/how-to/traffic-management/tls-passthrough-routing.md new file mode 100644 index 0000000000..1f24569057 --- /dev/null +++ b/site/content/how-to/traffic-management/tls-passthrough-routing.md 
@@ -0,0 +1,194 @@ +--- +title: "TLS Passthrough" +weight: 600 +toc: true +docs: "DOCS-1421" +--- + +Learn how to passthrough TLS connection using NGINX Gateway Fabric. + +## Overview + +In this guide, we will show how to configure TLS passthrough for your application, using a [TLSRoute](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1alpha2.TLSRoute). + +## Before you begin + +- [Install]({{< relref "installation/" >}}) NGINX Gateway Fabric. +- Save the public IP address and port of NGINX Gateway Fabric into shell variables: + + ```text + GW_IP=XXX.YYY.ZZZ.III + GW_PORT= + ``` + + Save the ports of NGINX Gateway Fabric: + + ```text + GW_HTTP_PORT= + GW_HTTPS_PORT= + ``` + +{{< note >}}In a production environment, you should have a DNS record for the external IP address that is exposed, and it should refer to the hostname that the gateway will forward for.{{< /note >}} + +Create the tls-backend application by copying and pasting the following block into your terminal: + +```yaml +kubectl apply -f - < 8443/TCP 12s +``` + +Next, let's create a gateway. This will create TLS listener with the hostname *.example.com. Copy paste this into your terminal. + +```yaml +kubectl apply -f - <}}If you have a DNS record allocated for `cafe.example.com`, you can send the request directly to that hostname, without needing to resolve.{{< /note >}} + +To test that NGINX sends an HTTPS redirect, we will send requests to the `secure-app` service on the HTTPS port. + +```shell +curl --resolve cafe.example.com:$GW_PORT:$GW_IP https://cafe.example.com:$GW_PORT --insecure +``` + +```text +hello from pod secure-app-575785644-kzqf6 +``` From b7f5e6d95962b23a7695fad31ee112c3381161ee Mon Sep 17 00:00:00 2001 
From: Kate Osborn Date: Tue, 13 Aug 2024 15:20:07 -0600 Subject: [PATCH 2/8] rename file --- .../{tls-passthrough-routing.md => tls-passthrough.md} | 0 1 file changed, 0 insertions(+), 0 deletions(-) rename site/content/how-to/traffic-management/{tls-passthrough-routing.md => tls-passthrough.md} (100%) diff --git a/site/content/how-to/traffic-management/tls-passthrough-routing.md b/site/content/how-to/traffic-management/tls-passthrough.md similarity index 100% rename from site/content/how-to/traffic-management/tls-passthrough-routing.md rename to site/content/how-to/traffic-management/tls-passthrough.md From 4e07628f51dea3443423aa78a01fcf5393951378 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Tue, 13 Aug 2024 15:20:32 -0600 Subject: [PATCH 3/8] Correct docs number --- site/content/how-to/traffic-management/tls-passthrough.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/how-to/traffic-management/tls-passthrough.md b/site/content/how-to/traffic-management/tls-passthrough.md index 1f24569057..0375185d38 100644 --- a/site/content/how-to/traffic-management/tls-passthrough.md +++ b/site/content/how-to/traffic-management/tls-passthrough.md @@ -2,7 +2,7 @@ title: "TLS Passthrough" weight: 600 toc: true -docs: "DOCS-1421" +docs: "DOCS-000" --- Learn how to passthrough TLS connection using NGINX Gateway Fabric. From 5b0a4d3e806eb915bf276347a1cd73f86ca17faa Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Tue, 13 Aug 2024 15:23:57 -0600 Subject: [PATCH 4/8] Doc fixes --- .../how-to/traffic-management/tls-passthrough.md | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/site/content/how-to/traffic-management/tls-passthrough.md b/site/content/how-to/traffic-management/tls-passthrough.md index 0375185d38..43640ca35a 100644 --- a/site/content/how-to/traffic-management/tls-passthrough.md +++ b/site/content/how-to/traffic-management/tls-passthrough.md 
@@ -5,7 +5,7 @@ toc: true docs: "DOCS-000" --- -Learn how to passthrough TLS connection using NGINX Gateway Fabric. +Learn how to passthrough TLS connections using NGINX Gateway Fabric. ## Overview @@ -118,7 +118,7 @@ This will create the **secure-app** service and a deployment. Run the following kubectl get pods,svc ``` -Your output should include the **secure-app** pod and the **secure-app** service: +The output should include the **secure-app** pod and the **secure-app** service: ```text NAME READY STATUS RESTARTS AGE @@ -128,7 +128,7 @@ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/secure-app ClusterIP 192.168.194.152 8443/TCP 12s ``` -Next, let's create a gateway. This will create TLS listener with the hostname *.example.com. Copy paste this into your terminal. +Create a gateway. This will create TLS listener with the hostname *.example.com. Copy paste this into your terminal. ```yaml kubectl apply -f - <}}If you have a DNS record allocated for `cafe.example.com`, you can send the request directly to that hostname, without needing to resolve.{{< /note >}} -To test that NGINX sends an HTTPS redirect, we will send requests to the `secure-app` service on the HTTPS port. +Send a request to the `secure-app` service on the HTTPS port with the `--insecure` flag. The `--insecure` flag is required because the `secure-app` is using self-signed certificates. ```shell curl --resolve cafe.example.com:$GW_PORT:$GW_IP https://cafe.example.com:$GW_PORT --insecure From ef18ddfa95dc20b451ac9203809c478fa1eb8ce2 Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Wed, 14 Aug 2024 15:25:25 -0600 Subject: [PATCH 5/8] Add more detail to guide and update compatibility doc --- .../traffic-management/tls-passthrough.md | 77 ++++++++++++++----- .../overview/gateway-api-compatibility.md | 58 ++++++++++---- site/go.mod | 2 +- site/go.sum | 2 + 4 files changed, 104 insertions(+), 35 deletions(-) 
diff --git a/site/content/how-to/traffic-management/tls-passthrough.md b/site/content/how-to/traffic-management/tls-passthrough.md index 43640ca35a..b23905624c 100644 --- a/site/content/how-to/traffic-management/tls-passthrough.md +++ b/site/content/how-to/traffic-management/tls-passthrough.md @@ -1,11 +1,11 @@ --- title: "TLS Passthrough" -weight: 600 +weight: 800 toc: true docs: "DOCS-000" --- -Learn how to passthrough TLS connections using NGINX Gateway Fabric. +Learn how to use TLSRoutes to configure TLS Passthrough load-balancing with NGINX Gateway Fabric. ## Overview 
@@ -18,19 +18,14 @@ In this guide, we will show how to configure TLS passthrough for your applicatio ```text GW_IP=XXX.YYY.ZZZ.III - GW_PORT= - ``` - - Save the ports of NGINX Gateway Fabric: - - ```text - GW_HTTP_PORT= - GW_HTTPS_PORT= + GW_TLS_PORT= ``` {{< note >}}In a production environment, you should have a DNS record for the external IP address that is exposed, and it should refer to the hostname that the gateway will forward for.{{< /note >}} -Create the tls-backend application by copying and pasting the following block into your terminal: +## Set up + +Create the `secure-app` application by copying and pasting the following block into your terminal: ```yaml kubectl apply -f - < 8443/TCP 12s ``` -Create a gateway. This will create TLS listener with the hostname *.example.com. Copy paste this into your terminal. +Create a gateway. This will create a TLS listener with the hostname `*.example.com` and a TLS mode of passthrough. Copy and paste this into your terminal. ```yaml kubectl apply -f - <}} It is possible to add an HTTPS listener on the same port that terminates TLS connections so long as the hostname does not overlap with the TLS listener hostname. {{< /note >}} + +Create a TLSRoute that attaches to the gateway and routes requests to `app.example.com` to the `secure-app` service: ```yaml kubectl apply -f - <}}To route to a service in a namespace different from the TLSRoute namespace, create a [ReferenceGrant](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1beta1.ReferenceGrant) to permit the cross-namespace reference. {{< /note >}} + ## Send traffic -Using the external IP address and port for NGINX Gateway Fabric, send traffic to the coffee application. +Using the external IP address and port for NGINX Gateway Fabric, send traffic to the `secure-app` application. 
-{{< note >}}If you have a DNS record allocated for `cafe.example.com`, you can send the request directly to that hostname, without needing to resolve.{{< /note >}} +{{< note >}}If you have a DNS record allocated for `app.example.com`, you can send the request directly to that hostname, without needing to resolve.{{< /note >}} -Send a request to the `secure-app` service on the HTTPS port with the `--insecure` flag. The `--insecure` flag is required because the `secure-app` is using self-signed certificates. +Send a request to the `secure-app` service on the TLS port with the `--insecure` flag. The `--insecure` flag is required because the `secure-app` is using self-signed certificates. ```shell -curl --resolve cafe.example.com:$GW_PORT:$GW_IP https://cafe.example.com:$GW_PORT --insecure +curl --resolve app.example.com:$GW_TLS_PORT:$GW_IP https://app.example.com:$GW_TLS_PORT --insecure -v ``` ```text +Added app.example.com:8443:127.0.0.1 to DNS cache +* Hostname app.example.com was found in DNS cache +* Trying 127.0.0.1:8443... +* Connected to app.example.com (127.0.0.1) port 8443 +* ALPN: curl offers h2,http/1.1 +* (304) (OUT), TLS handshake, Client hello (1): +* (304) (IN), TLS handshake, Server hello (2): +* (304) (IN), TLS handshake, Unknown (8): +* (304) (IN), TLS handshake, Certificate (11): +* (304) (IN), TLS handshake, CERT verify (15): +* (304) (IN), TLS handshake, Finished (20): +* (304) (OUT), TLS handshake, Finished (20): +* SSL connection using TLSv1.3 / AEAD-AES256-GCM-SHA384 / [blank] / UNDEF +* ALPN: server accepted http/1.1 +* Server certificate: +* subject: C=US; ST=CA; L=San Francisco; CN=app.example.com +* start date: Mar 23 23:20:43 2020 GMT +* expire date: Mar 23 23:20:43 2023 GMT +* issuer: C=US; ST=CA; L=San Francisco; CN=app.example.com +* SSL certificate verify result: self signed certificate (18), continuing anyway. 
+* using HTTP/1.x +> GET / HTTP/1.1 +> Host: app.example.com:8443 +> User-Agent: curl/8.6.0 +> Accept: */* +> +< HTTP/1.1 200 OK +< Server: nginx/1.27.0 +< Date: Wed, 14 Aug 2024 20:41:21 GMT +< Content-Type: text/plain +< Content-Length: 43 +< Connection: keep-alive +< hello from pod secure-app-575785644-kzqf6 ``` + +Note that the server certificate used to terminate the TLS connection has the subject common name of `app.example.com`. This is the server certificate that the `secure-app` is configured with and shows that the TLS connection was terminated by the `secure-app`, not NGINX Gateway Fabric. diff --git a/site/content/overview/gateway-api-compatibility.md b/site/content/overview/gateway-api-compatibility.md index c2094de2ae..e7405e5a47 100644 --- a/site/content/overview/gateway-api-compatibility.md +++ b/site/content/overview/gateway-api-compatibility.md 
@@ -10,18 +10,18 @@ Learn which Gateway API resources NGINX Gateway Fabric supports and to which lev ## Summary {{< bootstrap-table "table table-striped table-bordered" >}} -| Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | -| ------------------------------------- | ------------------- | ---------------------- | ------------------------------------- | ----------- | -| [GatewayClass](#gatewayclass) | Supported | Not supported | Supported | v1 | -| [Gateway](#gateway) | Supported | Partially supported | Not supported | v1 | -| [HTTPRoute](#httproute) | Supported | Partially supported | Not supported | v1 | -| [ReferenceGrant](#referencegrant) | Supported | N/A | Not supported | v1beta1 | -| [GRPCRoute](#grpcroute) | Supported | Partially supported | Not supported | v1 | -| [TLSRoute](#tlsroute) | Not supported | Not supported | Not supported | N/A | -| [TCPRoute](#tcproute) | Not supported | Not supported | Not supported | N/A | -| [UDPRoute](#udproute) | Not supported | Not supported | Not supported | N/A | -| [BackendTLSPolicy](#backendtlspolicy) | Supported | Supported | Not supported | v1alpha3 | -| [Custom policies](#custom-policies) | N/A | N/A | Supported | N/A | +| Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | +|---------------------------------------|--------------------|------------------------|---------------------------------------|-------------| +| [GatewayClass](#gatewayclass) | Supported | Not supported | Supported | v1 | +| [Gateway](#gateway) | Supported | Partially supported | Not supported | v1 | +| [HTTPRoute](#httproute) | Supported | Partially supported | Not supported | v1 | +| [ReferenceGrant](#referencegrant) | Supported | N/A | Not supported | v1beta1 | +| [GRPCRoute](#grpcroute) | Supported | Partially supported | Not supported | v1 | +| [TLSRoute](#tlsroute) | Supported | Not supported | Not supported | v1alpha2 | 
+| [TCPRoute](#tcproute) | Not supported | Not supported | Not supported | N/A | +| [UDPRoute](#udproute) | Not supported | Not supported | Not supported | N/A | +| [BackendTLSPolicy](#backendtlspolicy) | Supported | Supported | Not supported | v1alpha3 | +| [Custom policies](#custom-policies) | N/A | N/A | Supported | N/A | {{< /bootstrap-table >}} --- @@ -123,6 +123,7 @@ See the [static-mode]({{< relref "/reference/cli-help.md#static-mode">}}) comman - `Accepted/False/UnsupportedProtocol` - `Accepted/False/InvalidCertificateRef` - `Accepted/False/ProtocolConflict` + - `Accpeted/False/HostnameConflict` - `Accepted/False/UnsupportedValue`: Custom reason for when a value of a field in a Listener is invalid or not supported. - `Accepted/False/GatewayConflict`: Custom reason for when the Gateway is ignored due to a conflicting Gateway. NGINX Gateway Fabric only supports a single Gateway. - `Programmed/True/Programmed` @@ -131,6 +132,7 @@ See the [static-mode]({{< relref "/reference/cli-help.md#static-mode">}}) comman - `ResolvedRefs/False/InvalidCertificateRef` - `ResolvedRefs/False/InvalidRouteKinds` - `Conflicted/True/ProtocolConflict` + - `Conflicted/True/HostnameConflict` - `Conflicted/False/NoConflicts` --- 
@@ -255,10 +257,38 @@ Fields: {{< bootstrap-table "table table-striped table-bordered" >}} | Resource | Core Support Level | Extended Support Level | Implementation-Specific Support Level | API Version | -| -------- | ------------------ | ---------------------- | ------------------------------------- | ----------- | -| TLSRoute | Not supported | Not supported | Not supported | N/A | +|----------|--------------------|------------------------|---------------------------------------|-------------| +| TLSRoute | Supported | Not supported | Not supported | v1alpha2 | {{< /bootstrap-table >}} +**Fields**: + +- `spec` + - `parentRefs`: Partially supported. Port not supported. + - `hostnames`: Supported. + - `rules` + - `backendRefs`: Partially supported. Only one backend ref allowed. + - `weight`: Not supported. +- `status` + - `parents` + - `parentRef`: Supported. + - `controllerName`: Supported. + - `conditions`: Supported (Condition/Status/Reason): + - `Accepted/True/Accepted` + - `Accepted/False/NoMatchingListenerHostname` + - `Accepted/False/NoMatchingParent` + - `Accepted/False/NotAllowedByListeners` + - `Accepted/False/UnsupportedValue`: Custom reason for when the TLSRoute includes an invalid or unsupported value. + - `Accepted/False/InvalidListener`: Custom reason for when the TLSRoute references an invalid listener. + - `Accepted/False/GatewayNotProgrammed`: Custom reason for when the Gateway is not Programmed. TLSRoute can be valid and configured, but will maintain this status as long as the Gateway is not Programmed. + - `Accepted/False/HostnameConflict`: Custom reason for when the TLSRoute has a hostname that conflicts with another TLSRoute on the same port. + - `ResolvedRefs/True/ResolvedRefs` + - `ResolvedRefs/False/InvalidKind` + - `ResolvedRefs/False/RefNotPermitted` + - `ResolvedRefs/False/BackendNotFound` + - `ResolvedRefs/False/UnsupportedValue`: Custom reason for when one of the TLSRoute rules has a backendRef with an unsupported value. 
+ - `PartiallyInvalid/True/UnsupportedValue` + --- ### TCPRoute diff --git a/site/go.mod b/site/go.mod index 7dd1ab90e6..b745ac77f8 100644 --- a/site/go.mod +++ b/site/go.mod @@ -2,4 +2,4 @@ module github.com/nginxinc/nginx-gateway-fabric/site go 1.21 -require github.com/nginxinc/nginx-hugo-theme v0.41.0 // indirect +require github.com/nginxinc/nginx-hugo-theme v0.41.1 // indirect diff --git a/site/go.sum b/site/go.sum index ea6bf85748..9f3c8112b0 100644 --- a/site/go.sum +++ b/site/go.sum @@ -1,2 +1,4 @@ github.com/nginxinc/nginx-hugo-theme v0.41.0 h1:uB9jC0Qk9i2CG63gScHxVHAEz1zyGoAdtY0Lcpkg1lI= github.com/nginxinc/nginx-hugo-theme v0.41.0/go.mod h1:DPNgSS5QYxkjH/BfH4uPDiTfODqWJ50NKZdorguom8M= +github.com/nginxinc/nginx-hugo-theme v0.41.1 h1:Wan0Mb8uz1X4Z2vd/1nR0GOPel5mWVPuFD3jd4SezsU= +github.com/nginxinc/nginx-hugo-theme v0.41.1/go.mod h1:DPNgSS5QYxkjH/BfH4uPDiTfODqWJ50NKZdorguom8M= From b4689f8083b25edfd2147dd1da258e3468c027cb Mon Sep 17 00:00:00 2001 From: Kate Osborn Date: Thu, 15 Aug 2024 13:05:54 -0600 Subject: [PATCH 6/8] code review --- .../how-to/traffic-management/tls-passthrough.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/site/content/how-to/traffic-management/tls-passthrough.md b/site/content/how-to/traffic-management/tls-passthrough.md index b23905624c..931ea5ea0e 100644 --- a/site/content/how-to/traffic-management/tls-passthrough.md +++ b/site/content/how-to/traffic-management/tls-passthrough.md 
@@ -21,7 +21,7 @@ In this guide, we will show how to configure TLS passthrough for your applicatio GW_TLS_PORT= ``` -{{< note >}}In a production environment, you should have a DNS record for the external IP address that is exposed, and it should refer to the hostname that the gateway will forward for.{{< /note >}} +{{< note >}}In a production environment, you should have a DNS record for the external IP address that is exposed, and it should refer to the hostname that the Gateway will forward for.{{< /note >}} ## Set up @@ -107,7 +107,7 @@ data: EOF ``` -This will create the **secure-app** service and a deployment. The secure app is configured to serve HTTPS traffic on port 8443 for the host app.example.com. For TLS termination, a self-signed TLS certificate, with the common name `app.example.com`, and key are used. The app responds to clients HTTPS requests with a simple text response "hello from pod $POD_HOSTNAME". +This will create the **secure-app** Service and a Deployment. The secure app is configured to serve HTTPS traffic on port 8443 for the host app.example.com. For TLS termination, a self-signed TLS certificate, with the common name `app.example.com`, and key are used. The app responds to clients HTTPS requests with a simple text response "hello from pod $POD_HOSTNAME". Run the following command to verify the resources were created: @@ -115,7 +115,7 @@ Run the following command to verify the resources were created: kubectl get pods,svc ``` -The output should include the **secure-app** pod and the **secure-app** service: +The output should include the **secure-app** pod and the **secure-app** Service: ```text NAME READY STATUS RESTARTS AGE 
@@ -125,7 +125,7 @@ NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE service/secure-app ClusterIP 192.168.194.152 8443/TCP 12s ``` -Create a gateway. This will create a TLS listener with the hostname `*.example.com` and a TLS mode of passthrough. Copy and paste this into your terminal. +Create a Gateway. This will create a TLS listener with the hostname `*.example.com` and passthrough TLS mode. Copy and paste this into your terminal. ```yaml kubectl apply -f - <}} It is possible to add an HTTPS listener on the same port that terminates TLS connections so long as the hostname does not overlap with the TLS listener hostname. {{< /note >}} -Create a TLSRoute that attaches to the gateway and routes requests to `app.example.com` to the `secure-app` service: +Create a TLSRoute that attaches to the Gateway and routes requests to `app.example.com` to the `secure-app` Service: ```yaml kubectl apply -f - <}}To route to a service in a namespace different from the TLSRoute namespace, create a [ReferenceGrant](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1beta1.ReferenceGrant) to permit the cross-namespace reference. {{< /note >}} +{{< note >}}To route to a Service in a Namespace different from the TLSRoute Namespace, create a [ReferenceGrant](https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1beta1.ReferenceGrant) to permit the cross-namespace reference. {{< /note >}} ## Send traffic 
@@ -185,7 +185,7 @@ Using the external IP address and port for NGINX Gateway Fabric, send traffic to {{< note >}}If you have a DNS record allocated for `app.example.com`, you can send the request directly to that hostname, without needing to resolve.{{< /note >}} -Send a request to the `secure-app` service on the TLS port with the `--insecure` flag. The `--insecure` flag is required because the `secure-app` is using self-signed certificates. +Send a request to the `secure-app` Service on the TLS port with the `--insecure` flag. The `--insecure` flag is required because the `secure-app` is using self-signed certificates. ```shell curl --resolve app.example.com:$GW_TLS_PORT:$GW_IP https://app.example.com:$GW_TLS_PORT --insecure -v From 12d01d1c52abf3cb4e58ca5f70a2a7e3386609b4 Mon Sep 17 00:00:00 2001 From: Kate Osborn <50597707+kate-osborn@users.noreply.github.com> Date: Thu, 15 Aug 2024 13:59:27 -0600 Subject: [PATCH 7/8] Update site/content/how-to/traffic-management/tls-passthrough.md Co-authored-by: Saylor Berman --- site/content/how-to/traffic-management/tls-passthrough.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/how-to/traffic-management/tls-passthrough.md b/site/content/how-to/traffic-management/tls-passthrough.md index 931ea5ea0e..b2e1ccce6a 100644 --- a/site/content/how-to/traffic-management/tls-passthrough.md +++ b/site/content/how-to/traffic-management/tls-passthrough.md 
@@ -107,7 +107,7 @@ data: EOF ``` -This will create the **secure-app** Service and a Deployment. The secure app is configured to serve HTTPS traffic on port 8443 for the host app.example.com. For TLS termination, a self-signed TLS certificate, with the common name `app.example.com`, and key are used. The app responds to clients HTTPS requests with a simple text response "hello from pod $POD_HOSTNAME". +This will create the **secure-app** Service and a Deployment. The secure app is configured to serve HTTPS traffic on port 8443 for the host app.example.com. For TLS termination, a self-signed TLS certificate, with the common name `app.example.com`, and key are used. The app responds to a client's HTTPS requests with a simple text response "hello from pod $POD_HOSTNAME". Run the following command to verify the resources were created: From e80d292531f3082ab7851704fa2d57b4bb92a382 Mon Sep 17 00:00:00 2001 From: Kate Osborn <50597707+kate-osborn@users.noreply.github.com> Date: Thu, 15 Aug 2024 13:59:35 -0600 Subject: [PATCH 8/8] Update site/content/how-to/traffic-management/tls-passthrough.md Co-authored-by: Saylor Berman --- site/content/how-to/traffic-management/tls-passthrough.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/site/content/how-to/traffic-management/tls-passthrough.md b/site/content/how-to/traffic-management/tls-passthrough.md index b2e1ccce6a..53395fbc20 100644 --- a/site/content/how-to/traffic-management/tls-passthrough.md +++ b/site/content/how-to/traffic-management/tls-passthrough.md 
@@ -153,7 +153,7 @@ EOF This Gateway will configure NGINX Gateway Fabric to accept TLS connections on port 443 and route them to the corresponding backend Services without decryption. The routing is done based on the SNI, which allows clients to specify a server name (like example.com) during the SSL handshake. -{{< note >}} It is possible to add an HTTPS listener on the same port that terminates TLS connections so long as the hostname does not overlap with the TLS listener hostname. {{< /note >}} +{{< note >}}It is possible to add an HTTPS listener on the same port that terminates TLS connections so long as the hostname does not overlap with the TLS listener hostname.{{< /note >}} Create a TLSRoute that attaches to the Gateway and routes requests to `app.example.com` to the `secure-app` Service:
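Review bot: The Gateway listener condition added to gateway-api-compatibility.md in PATCH 5/8 is misspelled as `Accpeted/False/HostnameConflict`; it should read `Accepted/False/HostnameConflict`, matching the `Accepted/False/ProtocolConflict` entry above it, so that a search for the condition string finds it. Unlike the TLSRoute entry for the same reason, neither this line nor the new `Conflicted/True/HostnameConflict` line says when the condition is set. The guide notes that an HTTPS listener may share the port "so long as the hostname does not overlap with the TLS listener hostname", so if overlapping hostnames are what trigger this condition, a short description here would connect the two pages.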
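Review bot: The sample `curl -v` output added to the Send traffic section in PATCH 5/8 shows the demo certificate with `expire date: Mar 23 23:20:43 2023 GMT` while the response is dated `Wed, 14 Aug 2024 20:41:21 GMT`, so the `secure-app` certificate is expired as well as self-signed, yet the text justifies `--insecure` only by the certificate being self-signed. Suggest regenerating the demo certificate with a current validity window, or stating that the flag also skips the expiry check here. A sentence saying that `--insecure` turns off server certificate verification entirely and is meant for this demo only would help; with a backend certificate issued by a real CA, readers should use `--cacert` instead.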
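Review bot: The context sentence directly above the changed note in PATCH 8/8 gives `example.com` as the sample SNI value, but the listener in this guide uses the hostname `*.example.com`, and a wildcard listener hostname does not match the apex domain; use `app.example.com`, the name the TLSRoute and the curl command use. The same sentence says "SSL handshake" where the rest of the guide says TLS. It also states port 443, while the sample output added in PATCH 5/8 connects to `127.0.0.1` on port 8443; if that output was captured through a port-forward, one sentence saying so would keep readers from thinking the listener port is wrong.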
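Review bot: The front-matter change in PATCH 3/8 sets `docs: "DOCS-000"` under the subject "Correct docs number", and that value is still in place in the PATCH 5/8 context lines. `DOCS-000` reads like a placeholder rather than an assigned ID, so confirm the real number before merge, or say in the commit message that the ID is pending.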
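Review bot: The `site/go.sum` hunk in PATCH 5/8 adds the `nginx-hugo-theme v0.41.1` hashes but keeps both `v0.41.0` lines, although `site/go.mod` now requires only `v0.41.1`; tidy the module so the stale entries are dropped. The theme bump is also unrelated to the commit subject ("Add more detail to guide and update compatibility doc"), so either move it to its own commit or mention it in the message.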