Describe the bug
A clear and concise description of what the bug is.
Using 1.2.0 version of the ingress controller, redirect-to-https is not working. http request is not getting redirected to https, dont see 301 returned from the nginx.
To Reproduce
Here are the config files
deployment file
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
name: nginx-ingress
namespace: nginx-ingress
spec:
replicas: 1
selector:
matchLabels:
app: nginx-ingress
template:
metadata:
labels:
app: nginx-ingress
spec:
serviceAccountName: nginx-ingress
containers:
- image: nginx/nginx-ingress:1.2.0
name: nginx-ingress
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
args:
- -nginx-configmaps=$(POD_NAMESPACE)/nginx-ingress-config
- -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
#- -v=3 # Enables extensive logging. Useful for trooublshooting.
volumeMounts:
- name: config-volume
mountPath: /etc/nginx/custom-snippets/
volumes:
- name: config-volume
configMap:
name: cors-config
Service file
apiVersion: v1
kind: Service
metadata:
name: nginx-ingress
namespace: nginx-ingress
annotations:
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <aws ssl arn>
# Unfortunately, we cant use ACM certs from another account:(https://forums.aws.amazon.com/thread.jspa?threadID=231116)
spec:
type: LoadBalancer
ports:
- port: 80
targetPort: 80
name: http
- port: 443
targetPort: 80
name: https
selector:
app: nginx-ingress
ConfigMap
kind: ConfigMap
apiVersion: v1
metadata:
name: nginx-ingress-config
namespace: nginx-ingress
data:
proxy-protocol: "True"
real-ip-header: "proxy_protocol"
set-real-ip-from: "0.0.0.0/0"
proxy-connect-timeout: "3600s"
proxy-read-timeout: "3600s"
redirect-to-https: "True"
#hsts: "True"
#ssl-redirect: "false"
#use-proxy-protocol: "true"
See the following in the nginx pod (at conf.d/nginx-ingress-nginx-ingress.conf)
server {
listen 80 proxy_protocol;
set_real_ip_from 0.0.0.0/0;
real_ip_header proxy_protocol;
server_tokens on;
server_name blah.com;
if ($http_x_forwarded_proto = 'http') {
return 301 https://$host$request_uri;
}
Expected behavior
http request should be redirected to https
Your environment
1.2.0
Major:"1", Minor:"10", GitVersion:"v1.10.3", GitCommit:"2bba0127d85d5a46ab4b778548be28623b32d0b0", GitTreeState:"clean", BuildDate:"2018-05-28T20:13:43Z", GoVersion:"go1.9.3", Compiler:"gc", Platform:"linux/amd64"
Kubernetes platform (e.g. Mini-kube or GCP)
AWS
Using NGINX or NGINX Plus
NGINX
Additional context
Add any other context about the problem here. Any log files you want to share.
@achandak123 thanks for providing all the details.
To successfully use redirect-to-https feature, it is required that the protocol between ELB and NGINX is either http or https. Only in that case the header X-Forwarded-For is set by ELB, which is required by the redirect-to-https feature.
Consider changing service.beta.kubernetes.io/aws-load-balancer-backend-protocol: to http for your case.
Thanks @pleshakov for the prompt response.
I had to modify the following config as well to make it work:
kind: ConfigMap
apiVersion: v1
metadata:
name: nginx-ingress-config
namespace: nginx-ingress
data:
proxy-connect-timeout: "3600s"
proxy-read-timeout: "3600s"
redirect-to-https: "True"
#hsts: "True"
#ssl-redirect: "false"
#use-proxy-protocol: "true"
Most helpful comment
Thanks @pleshakov for the prompt response.
I had to modify the following config as well to make it work: