Ingress-nginx: nginx: HTTP->HTTPS redirect does not work

To be precise: The backend is served via both HTTP and HTTPS.

Having the same issue. Using kube-lego for certs. kubernetes.io/ingress.allow-http: "false" and ingress.kubernetes.io/ssl-redirect: "true" seem to have no effect.

It looks like there is also a check for server.SSLCertificate - would it work to create dummy cert to enable the redirects?

@neelance this is fixed in master. We will release a new beta on the weekend

@od0 kubernetes.io/ingress.allow-http is an annotation for the GCE ingress controller, not the nginx ingress controller

@aledbf thanks, didn't mean to confuse this issue :) should I open a separate one for ingress.kubernetes.io/ssl-redirect: "true" not appearing to work?

@od0 please wait the next release

@aledbf sounds good thank you

Also having this same issue with ingress.kubernetes.io/ssl-redirect: "true" not working. Was there a beta release this weekend that we can try?

@DanHoerst waiting bprashanth to publish https://github.com/kubernetes/ingress/pull/303

Please reopen if you still have issues.
Fix included in next release #303

@aledbf Sorry but this issue comes again with beta.3, so I rollback to beta.2 and it works well, maybe this issue should be reopen.

I believe I am also seeing this issue with beta.3 - (although, it is possibly a config error on my part).

I have an ingress like so:

  tls:
  - secretName: tls-secret
  rules:
  - host: foo.example.com
    http:
      paths:
      - path: /
        backend:
        .....

The nginx.conf file has a server entry for foo.example.com, but listening on port 80, not on 443.

If I make an ssl request I get just the default backend response - it does not match against my tls service.

I also tried this variant of the ingress:

 tls:
  - hosts:
    - foo.example.com
    secretName: tls-secret
  rules:
  - host:  foo.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: {{ template "fullname" . }}
          servicePort: {{ .Values.service.externalPort }}

Same result

Relevant: https://groups.google.com/forum/#!topic/kubernetes-users/QbxYX5jR7qg

I also tried this on beta.2 - but got the same behavior.

The nginx.conf file that is written clearly does not have a listener on 443 for the host named in the ingress.

@aledbf Can we get this issue reopened, or if it is not a bug some troubleshooting hints on how to track this down?

@wstrange please post the ingress rule to reproduce the issue

Here is an example:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: openig-ingress
  annotations:
     ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - openig.default.example.com
    secretName: tls-secret
  rules:
  - host: openig.default.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: openig-openig
          servicePort: 80

This is on minikube, using gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.3

@wstrange please use the image quay.io/aledbf/nginx-ingress-controller:0.89

aledbf@me:~/go/src/k8s.io/ingress$ kubectl exec -it -n kube-system nginx-ingress-controller-3199894280-z42tq -- curl -v -H "Host: openig.default.example.com" localhost:80
* Rebuilt URL to: localhost:80/
*   Trying ::1...
* Connected to localhost (::1) port 80 (#0)
> GET / HTTP/1.1
> Host: openig.default.example.com
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.11.12
< Date: Sun, 16 Apr 2017 18:31:24 GMT
< Content-Type: text/html
< Content-Length: 186
< Connection: keep-alive
< Location: https://openig.default.example.com/
< Strict-Transport-Security: max-age=15724800; includeSubDomains; 
< 
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.11.12</center>
</body>
</html>
* Connection #0 to host localhost left intact
aledbf@me:~/go/src/k8s.io/ingress$ !2032
kubectl exec -it -n kube-system nginx-ingress-controller-3199894280-z42tq -- curl -v -H "Host: openig.default.example.com" https://localhost:443 -k
* Rebuilt URL to: https://localhost:443/
*   Trying ::1...
* Connected to localhost (::1) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 692 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
*    server certificate verification SKIPPED
*    server certificate status verification SKIPPED
*    common name: Kubernetes Ingress Controller Fake Certificate (does not match 'localhost')
*    server certificate expiration date OK
*    server certificate activation date OK
*    certificate public key: RSA
*    certificate version: #3
*    subject: O=Acme Co,CN=Kubernetes Ingress Controller Fake Certificate
*    start date: Sun, 16 Apr 2017 18:19:35 GMT
*    expire date: Mon, 16 Apr 2018 18:19:35 GMT
*    issuer: O=Acme Co,CN=Kubernetes Ingress Controller Fake Certificate
*    compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: openig.default.example.com
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.11.12
< Date: Sun, 16 Apr 2017 18:31:29 GMT
< Content-Type: text/plain
< Transfer-Encoding: chunked
< Connection: keep-alive
< Strict-Transport-Security: max-age=15724800; includeSubDomains; 
< 
CLIENT VALUES:
client_address=172.17.0.6
command=GET
real path=/
query=nil
request_version=1.1
request_uri=http://openig.default.example.com:8080/

SERVER VALUES:
server_version=nginx: 1.10.0 - lua: 10001

HEADERS RECEIVED:
accept=*/*
connection=close
host=openig.default.example.com
user-agent=curl/7.47.0
x-forwarded-for=::1
x-forwarded-host=openig.default.example.com
x-forwarded-port=443
x-forwarded-proto=https
x-original-uri=/
x-real-ip=::1
x-scheme=https
BODY:
* Connection #0 to host localhost left intact
-no body in request-

changing the annotation to false ingress.kubernetes.io/ssl-redirect: "false"

aledbf@me:~/go/src/k8s.io/ingress$ kubectl exec -it -n kube-system nginx-ingress-controller-3199894280-z42tq -- curl -v -H "Host: openig.default.example.com" localhost:80
* Rebuilt URL to: localhost:80/
*   Trying ::1...
* Connected to localhost (::1) port 80 (#0)
> GET / HTTP/1.1
> Host: openig.default.example.com
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.11.12
< Date: Sun, 16 Apr 2017 18:33:11 GMT
< Content-Type: text/plain
< Transfer-Encoding: chunked
< Connection: keep-alive
< Strict-Transport-Security: max-age=15724800; includeSubDomains; 
< 
CLIENT VALUES:
client_address=172.17.0.6
command=GET
real path=/
query=nil
request_version=1.1
request_uri=http://openig.default.example.com:8080/

SERVER VALUES:
server_version=nginx: 1.10.0 - lua: 10001

HEADERS RECEIVED:
accept=*/*
connection=close
host=openig.default.example.com
user-agent=curl/7.47.0
x-forwarded-for=::1
x-forwarded-host=openig.default.example.com
x-forwarded-port=80
x-forwarded-proto=http
x-original-uri=/
x-real-ip=::1
x-scheme=http
BODY:
* Connection #0 to host localhost left intact
-no body in request-a

@aledbf That image worked!

Thanks

@wstrange can we close this issue then?

Had the same issue and that image worked for me as well, thanks!
I assume the fix will be included in the next 0.9 release (beta4?).

@aledbf I'm OK with closing

I assume the fix will be included in the next 0.9 release (beta4?).

yes

I having this same issue on beta6

Never mind... I have the same issue even if I switch containers so... it has to be something related to my config.

ingress.kubernetes.io/force-ssl-redirect: "true" works for me.

ingress.kubernetes.io/force-ssl-redirect: "true" works for me too.

• cluster version: 1.7.4
• nginx ingress controller: 0.9.0-beta.15 installed via helm chart

If you're wondering why this broke again after 0.9.0-beta.18, then you'll need to update your annotations to nginx.ingress.kubernetes.io/force-ssl-redirect: "true".

Also note that the redirect changed from a 301 to a 308 permanent redirect!

```
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

redirect works but the website does not work at all.

ingress.kubernetes.io/ssl-redirect: "true"

and\or

ingress.kubernetes.io/force-ssl-redirect: "true"

has no affect until adding the block with tls:

spec:
tls:

• hosts:
  
  
  
  • openig.default.example.com
    
    secretName: tls-secret
  
  

but with this block again the website does down

and I've already assign the SSL cert with

service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:...
```