Ingress-nginx: Question: How to achieve HTTPS from an AWS ELB to the nginx ingress controller (Layer7)

Created on 18 Mar 2019  路  4Comments  路  Source: kubernetes/ingress-nginx

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
Question

NGINX Ingress controller version:
0.23

Kubernetes version (use kubectl version):
1.11.5

Environment:
AWS

What happened:
Sorry for the question, but I did not see anywhere else to ask. I am running the nginx ingress controller behind a layer7 ELB, and I want the hop to the controller to be over HTTPS. Right now, I have to set service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http" to get things to work. I have tried to specify service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "https" and then give Ingress objects a SSL secret with a self signed cert, but the connection just hangs. Is there anything else I need to do to get HTTPS from the ELB to nginx? (I want to use Layer7 not Layer4)

picture michaelajr

Most helpful comment

@aledbf After I turned on verbose logging I saw that there was an SSL handshake issue. Very low level logging. Something about not finding cypher match. After some research I was able to add the cyphers and protocols to the config map.

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
data:
  ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"

There is also some talk about this here https://github.com/nginxinc/kubernetes-ingress/issues/69

Thanks for pushing me to turn on v=5 logging.

M

picture michaelajr on 18 Mar 2019
👍2

All 4 comments

@michaelajr please post the ingress controller pod logs

aledbf picture aledbf on 18 Mar 2019

@aledbf After I turned on verbose logging I saw that there was an SSL handshake issue. Very low level logging. Something about not finding cypher match. After some research I was able to add the cyphers and protocols to the config map.

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
data:
  ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"

There is also some talk about this here https://github.com/nginxinc/kubernetes-ingress/issues/69

Thanks for pushing me to turn on v=5 logging.

M

michaelajr picture michaelajr on 18 Mar 2019
👍2

Links to the docs:

aledbf picture aledbf on 18 Mar 2019

Thank you @michaelajr - light at the end of the tunnel after 2 days!

amitsaha picture amitsaha on 2 Aug 2019
👍1
Was this page helpful?
0 / 5 - 0 ratings

Related issues

briananstett picture briananstett  路  3Comments
silasbw picture silasbw  路  3Comments
cehoffman picture cehoffman  路  3Comments
whereisaaron picture whereisaaron  路  3Comments
c-mccutcheon picture c-mccutcheon  路  3Comments