I have a Java application running inside tomcat server (which is inside a pod), which is configured to work with https.
I am using nginx ingress. The problem is, the nginx ingress is terminating the SSL and forwarding only plain http to the tomcat server (to the pod actually). Since the tomcat server is configured to work with only HTTPS, it is not accepting the traffic.
Following doesn’t work:
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
2 Answers
Finally I have found the answer:
I have to add the following 2 lines:
So the ingress is like this (I have also added some comment to describe and also to show which options I tried and didn't work, so that you don't waste your time):
Please see documentation https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#ssl-passthrough
SSL Passthrough is disabled by default and requires starting the controller with the --enable-ssl-passthrough flag.
So, you need to start your Nginx Ingress Controller with the --enable-ssl-passthrough flag if you want to use the annotation nginx.ingress.kubernetes.io/ssl-passthrough.
Also, because SSL Passthrough works on layer 4 of the OSI model (TCP) and not on layer 7 (HTTP), using SSL Passthrough invalidates all the other annotations set on an Ingress object.
EDIT:
If you use the ingress annotation nginx.ingress.kubernetes.io/ssl-passthrough with the --enable-ssl-passthrough=true flag for the ingress controller, then the SSL Termination is happening at your Tomcat Server Pod. So, the SSL Server Certificate received by your client Browser is your Tomcat SSL Server Certificate. In this case, your client Browser will have to trust the Tomcat SSL Server Certificate. This SSL Passthrough is happening at Layer 4 TCP, so the NGINX Ingress Controller is not decrypting SSL Traffic from the Client Browser; it is just passing it through to the Tomcat Server Pod.
If you just use annotation nginx.ingress.kubernetes.io/backend-protocol: "HTTPS", then first SSL Termination is happening at your ingress controller. So, the SSL Server Certificate received by your client Browser is your Nginx Ingress Controller SSL Server Certificate and your client browser will have to trust it. And then the Communication from Nginx Ingress Controller to the Tomcat Pod is using another SSL Encryption. In this case your Nginx Ingress Controller will have to trust the Tomcat SSL Server Certificate and you have double SSL Encryption and Decryption.
If you use annotation nginx.ingress.kubernetes.io/force-ssl-redirect: "true" then all your http requests are redirected to https using 308 redirect http code. Are you calling http:// or https:// ?
Below are code and documentation links:
https://github.com/kubernetes/ingress-nginx/blob/master/rootfs/etc/nginx/lua/lua_ingress.lua
https://github.com/openresty/lua-nginx-module
http://nginx.org/en/docs/http/ngx_http_proxy_module.html
Check how the /etc/nginx/nginx.conf changes inside the nginx controller pod when you make changes in the ingress resource
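The two configurations the answer above contrasts, written out as Ingress manifests. This is an added example, not code from either answer or from the ingress-nginx project; the Ingress names, host, Service name, port 8443 and the Secret names are assumptions, and everything is assumed to live in the default namespace. Note for option B that ingress-nginx does not verify the backend certificate by default; the proxy-ssl-verify and proxy-ssl-secret annotations are what actually make the controller check the Tomcat certificate.

```yaml
# Option A: TLS passthrough (layer 4). The controller must run with
# --enable-ssl-passthrough; all other annotations on this Ingress are ignored.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tomcat-passthrough            # assumed name
  annotations:
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
spec:
  ingressClassName: nginx
  rules:
  - host: tomcat.example.com          # assumed host; passthrough is matched on TLS SNI
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: tomcat-svc          # assumed Service in front of the Tomcat pod
            port:
              number: 8443            # assumed HTTPS connector port on Tomcat
---
# Option B: terminate at the controller, then re-encrypt to Tomcat (two TLS hops).
# The browser sees the controller's certificate; the controller opens a second TLS connection to the pod.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: tomcat-reencrypt              # assumed name
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"   # plain http gets a 308 to https
    # Without the next two lines the controller accepts any backend certificate.
    nginx.ingress.kubernetes.io/proxy-ssl-secret: "default/tomcat-ca"  # assumed Secret holding ca.crt
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - tomcat.example.com
    secretName: tomcat-example-tls    # assumed kubernetes.io/tls Secret for the controller
  rules:
  - host: tomcat.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: tomcat-svc
            port:
              number: 8443
```

Apply only one of the two objects for a given host; with option A the tls section and every other annotation would be ignored, with option B the browser trusts the controller's certificate and the controller trusts Tomcat's.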