Ingress-nginx: ssl-passthrough terminates TLS even when not expected to

Created on 1 Jun 2017 · 8 Comments · Source: kubernetes/ingress-nginx

I'm trying to get TLS passthrough to the inner pod with nginx-controller 0.9.0-beta.7

Ingress:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/force-ssl-redirect: "false"
    ingress.kubernetes.io/ssl-passthrough: "true"
    kubernetes.io/ingress.allow-http: "false"
  name: ingress-foobar
spec:
  backend:
    serviceName: foobar-service
    servicePort: 443
  rules:
  - host: foobar.modio.se
    http:
      paths:
      - backend:
          serviceName: foobar-service
          servicePort: 443
  tls:
  - hosts:
    - foobar.modio.se

However, when performing a curl request on the ingress, I'm getting the TLS cert from the ingress, and not from the Pod.

Advice on how to debug this further would be welcome. Attached is the generated nginx conf, one foobar, one barfoo.
nginx.txt
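
One way to check where TLS ends in a setup like this is to compare the leaf certificate presented through the ingress with the one the pod presents directly. This is an added example, not part of the original issue or of ingress-nginx; the function names, the constructed sample bytes, `INGRESS_IP` and the port-forward on 127.0.0.1:8443 are assumptions.

```python
import hashlib
import socket
import ssl


def fetch_leaf_der(addr, port, sni, timeout=5.0):
    """Handshake with addr:port using the given SNI name; return the leaf cert (DER).

    Verification is off on purpose: the goal is to identify which certificate
    is presented, not to trust the connection. No application data is sent.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((addr, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def fingerprint(der):
    """SHA-256 fingerprint of a DER certificate, as lowercase hex."""
    return hashlib.sha256(der).hexdigest()


def classify(seen_via_ingress, pod_cert, known_ingress_certs=()):
    """Decide where TLS ended, given the cert seen through the ingress."""
    seen = fingerprint(seen_via_ingress)
    if seen == fingerprint(pod_cert):
        return "passthrough"            # the pod's own cert reached the client
    if seen in {fingerprint(c) for c in known_ingress_certs}:
        return "terminated-at-ingress"  # the controller answered with its cert
    return "terminated-unknown"         # neither cert matched


# Constructed stand-ins for DER certificates (not real certs), for an offline run.
SAMPLE_POD_CERT = b"constructed-pod-cert"
SAMPLE_INGRESS_CERT = b"constructed-ingress-default-cert"

if __name__ == "__main__":
    print(classify(SAMPLE_INGRESS_CERT, SAMPLE_POD_CERT, [SAMPLE_INGRESS_CERT]))
    print(classify(SAMPLE_POD_CERT, SAMPLE_POD_CERT, [SAMPLE_INGRESS_CERT]))
    # Live check (assumes `kubectl port-forward svc/foobar-service 8443:443`
    # is running and INGRESS_IP is the controller's address):
    #   via_ingress = fetch_leaf_der(INGRESS_IP, 443, "foobar.modio.se")
    #   direct = fetch_leaf_der("127.0.0.1", 8443, "foobar.modio.se")
    #   print(classify(via_ingress, direct))
```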

All 8 comments

@Spindel remove the tls section and only leave the annotation ingress.kubernetes.io/ssl-passthrough: "true"

Attempting that gives me an ingress configured on port 80, but nothing on port 443.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
      name: ingress-foobar
      annotations:
          ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  backend:
      serviceName: foobar-service
      servicePort: 443
  rules:
  - host: foobar.modio.se
    http:
      paths:
      - backend:
          serviceName: foobar-service
          servicePort: 443

@Spindel ssl passthrough in the nginx ingress controller means that all the traffic received in port 443 will be sent to the foobar-service in port 443. There is no nginx listen server for that port (please check the bottom of the generated nginx.conf running kubectl exec <nginx pod> cat /etc/nginx/nginx.conf)

Right, so how do I prevent http => https promotion from nginx where I use TLS passthrough?

I'm attempting to do something that I thought would be simple, forward https => https and http=>http on the pod.

So, after restarting everything and going from a simple ssl-passthrough as this:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/ssl-passthrough: "true"
  name: ingress-foobar
spec:
  rules:
  - host: foobar.modio.se
    http:
      paths:
      - backend:
          serviceName: foobar-service
          servicePort: 443

I have achieved ssl-passthrough!

However, http is also promoted to https in nginx, which completely breaks the point for us. Attempting to specify both http and https for the same backend (through ingress) works "sometimes" as it appears dependent on the _order_ of the backends found if backend traffic is directed to http or https port.

This can be verified in the nginx config and the diff output from the controller.

So, I'm still not closer to a functional setup, but at least TLS ends up in the proper place, while HTTP ends up in the wrong place.

So, further than that, since nginx-ingress listens on port 80 and redirects data to service:443, we can no longer even detect clear-text access and redirect or reject it.

@Spindel was this addressed?

I am having precisely this issue -- 301 redirect from http to https .. with a barebones ingress resource spec same as above; for testing purposes, all backends are http with no TLS
