Ingress-nginx: nginx-ingress-controller always redirect to HTTPS regardless of Ingress annotations if host was not specified

Created on 22 Oct 2017  路  8Comments  路  Source: kubernetes/ingress-nginx

NGINX Ingress controller version:
nginx-ingress-controller:0.9.

Kubernetes version (use kubectl version):
Client Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.0", GitCommit:"6e937839ac04a38cac63e6a7a306c5d035fe7b0a", GitTreeState:"clean", BuildDate:"2017-09-28T22:57:57Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}
Server Version: version.Info{Major:"1", Minor:"8", GitVersion:"v1.8.1", GitCommit:"f38e43b221d08850172a9a4ea785a86a3ffa3b3a", GitTreeState:"clean", BuildDate:"2017-10-11T23:16:41Z", GoVersion:"go1.8.3", Compiler:"gc", Platform:"linux/amd64"}

Environment:

Cloud provider or hardware configuration:
OS (e.g. from /etc/os-release):
ubuntu 16.04
Kernel (e.g. uname -a):
Install tools:
kubeadm
Others:
What happened:

Name: ingress-nginx
Namespace: ingress-nginx
Labels:
Annotations: kubectl.kubernetes.io/last-applied-configuration={"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"ingress-nginx","namespace":"ingress-nginx"},"spec":{"ports":[{"name":"http","p...
Selector: app=ingress-nginx
Type: NodePort
IP: 10.111.30.41
Port: http 80/TCP
TargetPort: 80/TCP
NodePort: http 30972/TCP
Endpoints: 10.32.0.34:80
Port: https 443/TCP
TargetPort: 443/TCP
NodePort: https 30759/TCP
Endpoints: 10.32.0.34:443
Session Affinity: None
External Traffic Policy: Cluster
Events:

The ingress I have looks like this

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/rewrite-target: /
  creationTimestamp: 2017-10-21T22:19:47Z
  generation: 4
  name: rewrite
  namespace: ingress-nginx
  resourceVersion: "147471"
  selfLink: /apis/extensions/v1beta1/namespaces/ingress-nginx/ingresses/rewrite
  uid: f2854e6a-b6ad-11e7-b490-00155df86803
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: appsvc1
          servicePort: 80
        path: /something/
status:
  loadBalancer:
    ingress:
    - ip: 149.59.248.179

curl http://149.59.248.179:30972/something/
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.13.5</center>
</body>
</html>

What you expected to happen:
http response 200

How to reproduce it (as minimally and precisely as possible):
I followed the deployment guide using RBAC and bare metal.
Create ingress for a route without host

Anything else we need to know:
It seems to work if the host name is specified

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    ingress.kubernetes.io/rewrite-target: /
  creationTimestamp: 2017-10-21T22:19:47Z
  generation: 5
  name: rewrite
  namespace: ingress-nginx
  resourceVersion: "147825"
  selfLink: /apis/extensions/v1beta1/namespaces/ingress-nginx/ingresses/rewrite
  uid: f2854e6a-b6ad-11e7-b490-00155df86803
spec:
  rules:
  - host: rewrite.bar.com
    http:
      paths:
      - backend:
          serviceName: appsvc1
          servicePort: 80
        path: /something/
status:
  loadBalancer:
    ingress:
    - ip: 149.59.248.179

and curl
curl http://149.59.248.179:30972/something/ -H 'Host: rewrite.bar.com'

it works

$ curl http://149.59.248.179:30972/something/ -v -H 'Host: rewrite.bar.com'
*   Trying 149.59.248.179...
* TCP_NODELAY set
* Connected to 149.59.248.179 (149.59.248.179) port 30972 (#0)
> GET /something/ HTTP/1.1
> Host: rewrite.bar.com
> User-Agent: curl/7.54.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.13.5
< Date: Sat, 21 Oct 2017 22:36:01 GMT
< Content-Type: text/html
picture step42
👍6

Most helpful comment

Use the default nginx ingress-controller, and setting the ingress as below will be OK.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: geth
  annotations:
  namespace: xxp
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - http:
      paths:
      - path: /eth
        backend:
          serviceName: geth
          servicePort: 8545
picture xiaoping378 on 10 Feb 2018
👍246 🎉6

All 8 comments

Could be related to https://github.com/kubernetes/ingress-nginx/issues/668

step42 picture step42 on 22 Oct 2017

Closing. This works as expected. If you don't send a particular Host you reach the default server. That server is configured with a SSL certificate and all HTTP traffic is redirected to HTTPS.
If you want to change this behavior, you can set ssl-redirect: "false" in the configuration configmap.

aledbf picture aledbf on 22 Oct 2017
👀3

If the certificate is not valid for any browser, what's the point of having one to begin with?

Even if it makes sense to be the way it is, I think it's fair to say that it's not what a user would expect as a normal behavior.

The same happened to me yesterday and there was no mention anywhere in the doc that the host field was mandatory to make it work (it's not).

So if you omit the host, things work as expected(gets redirected) but you get a browser red alert that you need to dismiss to access it.

I understand the reason for forcing SSL, but the SSL-redirect is not expected, nor documented AFAIK.

pothibo picture pothibo on 24 Oct 2017
👍5

Actually, it is documented in the annotation section of the ingress. It's just that it's mildly frustrating to try stuff but have to figure out where documentation for each stuff is.

I still think there's an abstract issue here where it's not clear what we should do when we start using this ingress. Maybe the problem lies in the documentation, maybe in the defaults, etc.

pothibo picture pothibo on 24 Oct 2017
🎉8 👍7

Use the default nginx ingress-controller, and setting the ingress as below will be OK.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: geth
  annotations:
  namespace: xxp
  annotations:
    kubernetes.io/ingress.class: "nginx"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  rules:
  - http:
      paths:
      - path: /eth
        backend:
          serviceName: geth
          servicePort: 8545
xiaoping378 picture xiaoping378 on 10 Feb 2018
👍246 🎉6

These Ingress annotations do not work for me. There must be something within the Ingress Controller that also needs to be done to disable ssl redirect.

AustinAgile picture AustinAgile on 5 Apr 2018
👍8

We have to add

ingress.kubernetes.io/ssl-redirect: "false"

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: basic-ingress
  annotations:
    ingress.kubernetes.io/ssl-redirect: "false"
tinkaalgogoi picture tinkaalgogoi on 17 May 2018
👍3 👎1

@tinkaalgogoi - At least in minikube running on a Mac, the annotation you mention above doesn't work. @xiaoping378 got it right in his response. It should be: nginx.ingress.kubernetes.io/ssl-redirect: "false" (nginx. is missing in your snippet. thanks to @antoineco for pointing this out on slack!

vdamle picture vdamle on 23 Jul 2018
👍14 🎉3 😄32
Was this page helpful?
0 / 5 - 0 ratings

Related issues

cabrinoob picture cabrinoob  路  3Comments
silasbw picture silasbw  路  3Comments
geek876 picture geek876  路  3Comments
juliohm1978 picture juliohm1978  路  3Comments
c-mccutcheon picture c-mccutcheon  路  3Comments