Ingress-nginx: Ingress with app-root and force-ssl-redirect is not redirecting to HTTPS

Created on 12 Oct 2018 · 16Comments · Source: kubernetes/ingress-nginx

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
BUG REPORT

NGINX Ingress controller version:
0.19.0

Kubernetes version (use kubectl version):
Server Version: v1.10.5

Environment:

Cloud provider or hardware configuration: AWS
OS (e.g. from /etc/os-release): Debian GNU/Linux 8 (jessie)
Kernel (e.g. uname -a): 4.4.121-k8s
Install tools: kops

What happened:
The ingress controller is set up with TLS termination at the ELB. The Ingress is set with with app-root and force-ssl-redirect. The request is not redirecting to HTTPS correctly.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: kibana-ingress
  namespace: monitoring
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/app-root: "/_plugin/kibana"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  rules:
  - host: foo.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: elasticsearch
          servicePort: 80

$ curl -I -k https://foo.example.com/
HTTP/1.1 302 Moved Temporarily
Content-Length: 161
Content-Type: text/html
Date: Fri, 12 Oct 2018 18:45:25 GMT
Location: http://foo.example.com/_plugin/kibana
Server: nginx/1.15.3
Connection: keep-alive

What you expected to happen:

I expect the redirect to target HTTPS.

lifecyclrotten

Source

chmking

👍3

Most helpful comment

But the documentation of the annotations states "When using SSL offloading outside of cluster (e.g. AWS ELB) it may be useful to enforce a redirect to HTTPS even when there is no TLS certificate available. This can be achieved by using the nginx.ingress.kubernetes.io/force-ssl-redirect: "true" annotation in the particular resource."

It specifically mentions that you terminate on the elb and that you don't need a TLS cert

I'm having the same issue just without app-root and I just can't get the redirect to work

Hermain on 10 Jan 2019

👍12

All 16 comments

@chmking The force redirect only works if you specify the TLS part of the ingress, as the following:

spec:
  tls:
  - hosts:
    - foo.bar.com
    secretName: foobar

But this will make HTTP port unnavailable. Maybe you can set something like use the annotation nginx.ingress.kubernetes.io/permanent-redirect: https://foo.example.com/_plugin/kibana in this vhost, but I don't know if this is going to generate a loop :) Or only the ssl-redirect directive.

BTW, this is specified in the template here: {{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCert.PemFileName)) $location.Rewrite.SSLRedirect)) }}

rikatz on 13 Oct 2018

It specifically mentions that you terminate on the elb and that you don't need a TLS cert

I'm having the same issue just without app-root and I just can't get the redirect to work

Hermain on 10 Jan 2019

👍12

Same problem here, anyone could help ?

tdien105 on 21 Jan 2019

👍1

@rikatz Does this mean I need a cert for the ingress that is separate from the cert (ACM in my case) used for the load balancer if you want to be able to use force-ssl-redirect?

trueinviso on 7 Feb 2019

Hi guys, is there any workarround / solution for this issue, I also am affected just wanted to check if there is new information to share. Thanks

motarski on 11 Feb 2019

@motarski I was able to get mine to work by rolling back to the previous version, here's what I did..

Update:

Someone came up with a better solution in this other thread.

trueinviso on 12 Feb 2019

👍2

@Hermain did you manage to solve your issue? I've got the same problem.

christiansaiki on 25 Feb 2019

I am working on this, I will push a PR hopefully in the upcoming few days.

nzoueidi on 18 Mar 2019

👍6 🎉2 😄1

@nzoueidi Any news on this issue ?

marcossantiago on 25 Apr 2019

This is should be okay while we are using use-forwarded-headers: "true" in the L7 configmap https://github.com/kubernetes/ingress-nginx/blob/master/deploy/provider/aws/patch-configmap-l7.yaml#L11

nzoueidi on 20 May 2019

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

fejta-bot on 18 Aug 2019

anyone has a solution, same issue here

swandive0209 on 7 Sep 2019

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

fejta-bot on 7 Oct 2019

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

fejta-bot on 6 Nov 2019

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.