
I have a Java application running inside a Tomcat server (which is inside a pod), which is configured to work with HTTPS.
I am using the nginx ingress. The problem is that the nginx ingress is terminating the SSL and forwarding only plain HTTP to the Tomcat server (to the pod, actually). Since the Tomcat server is configured to work only with HTTPS, it is not accepting the traffic.

The following doesn't work:

nginx.ingress.kubernetes.io/ssl-passthrough: "true"

2 Answers


  1. Chosen as BEST ANSWER

    Finally I have found the answer:

    I have to add the following 2 lines:

    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    

    So the ingress is like this (I have also added some comments to describe it and to show which options I tried that didn't work, so that you don't waste your time):

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: ingress-resource-staging
      namespace: staging-space
      annotations:
        kubernetes.io/ingress.class: nginx #You may deploy any number of ingress controllers within a cluster. When you create an ingress, you should annotate each ingress with the appropriate ingress.class to indicate which ingress controller should be used if more than one exists within your cluster.
        #If you do not define a class, your cloud provider may use a default ingress controller.
        #nginx.ingress.kubernetes.io/ssl-passthrough: "true"
        ##Following 2 lines are important, otherwise the SSL is terminated at the ingress level and the
        ## traffic sent to the service is plain http and then tomcat complains that the host and port combination
        ## needs https connection (in the tomcat server we have enabled the HTTPS internally)
        ## We want to forward the HTTPS traffic to the pods
        nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
        nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    
    spec:
      #tls:
      #  - hosts:
      #      - yourhost.com
      rules:
        - host: yourhost.com
          http:
            paths:
              - pathType: Prefix
                path: /
                backend:
                  service:
                    name: my-app-service
                    port:
                      #number: 8080
                      number: 8443
    

  2. Please see documentation https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/#ssl-passthrough

    SSL Passthrough is disabled by default and requires starting the controller with the --enable-ssl-passthrough flag.

    So, you need to start your Nginx Ingress Controller with the --enable-ssl-passthrough flag if you want to use the annotation nginx.ingress.kubernetes.io/ssl-passthrough.

    Also, because SSL Passthrough works on layer 4 of the OSI model (TCP) and not on layer 7 (HTTP), using SSL Passthrough invalidates all the other annotations set on an Ingress object.

    EDIT :

    If you use the ingress annotation nginx.ingress.kubernetes.io/ssl-passthrough with the --enable-ssl-passthrough=true flag for the ingress controller, then the SSL Termination is happening at your Tomcat Server Pod. So, the SSL Server Certificate received by your client Browser is your Tomcat SSL Server Certificate. In this case, your client Browser will have to trust the Tomcat SSL Server Certificate. This SSL Passthrough is happening at Layer 4 TCP, so the NGINX Ingress Controller is not decrypting SSL Traffic from the Client Browser; it is just passing it through to the Tomcat Server Pod.

    If you just use annotation nginx.ingress.kubernetes.io/backend-protocol: "HTTPS", then first SSL Termination is happening at your ingress controller. So, the SSL Server Certificate received by your client Browser is your Nginx Ingress Controller SSL Server Certificate and your client browser will have to trust it. And then the Communication from Nginx Ingress Controller to the Tomcat Pod is using another SSL Encryption. In this case your Nginx Ingress Controller will have to trust the Tomcat SSL Server Certificate and you have double SSL Encryption and Decryption.

    If you use annotation nginx.ingress.kubernetes.io/force-ssl-redirect: "true" then all your http requests are redirected to https using 308 redirect http code. Are you calling http:// or https:// ?

    Below are Code and Documentation links

    https://github.com/kubernetes/ingress-nginx/blob/master/rootfs/etc/nginx/lua/lua_ingress.lua

    https://github.com/openresty/lua-nginx-module

    http://nginx.org/en/docs/http/ngx_http_proxy_module.html

    Check how the /etc/nginx/nginx.conf changes inside the nginx controller pod when you make changes in the ingress resource
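
The two answers above describe three different TLS paths depending on the annotations and the controller flag. The following Python sketch is an added example, not code from either answer or from the ingress-nginx project: it takes an Ingress object (as returned by `kubectl get ingress -o json`) plus the controller's container args and reports which path applies. The function names, the result fields and the sample manifest are constructed for illustration.

```python
import json

PREFIX = "nginx.ingress.kubernetes.io/"

# Constructed sample: the shape of `kubectl get ingress <name> -o json`, trimmed.
SAMPLE_INGRESS = json.loads("""
{"metadata": {"name": "ingress-resource-staging", "annotations": {
  "kubernetes.io/ingress.class": "nginx",
  "nginx.ingress.kubernetes.io/ssl-passthrough": "true",
  "nginx.ingress.kubernetes.io/backend-protocol": "HTTPS",
  "nginx.ingress.kubernetes.io/force-ssl-redirect": "true"}}}
""")


def passthrough_enabled(controller_args):
    """True if the controller container args turn on --enable-ssl-passthrough."""
    for arg in controller_args:
        name, _, value = arg.partition("=")
        if name == "--enable-ssl-passthrough":
            return value.lower() in ("", "true", "1", "t")
    return False


def tls_path(ingress, controller_args):
    """Report where TLS terminates for one Ingress, per the answers above."""
    ann = ingress.get("metadata", {}).get("annotations") or {}
    nginx = {k[len(PREFIX):]: v for k, v in ann.items() if k.startswith(PREFIX)}
    wants_pt = nginx.get("ssl-passthrough") == "true"
    notes = []
    if wants_pt and passthrough_enabled(controller_args):
        # Layer 4: the pod's certificate reaches the client, layer 7 settings are unused.
        ignored = sorted(k for k in nginx if k != "ssl-passthrough")
        return {"mode": "passthrough", "client_sees_cert_of": "backend pod",
                "ignored": ignored, "notes": notes}
    if wants_pt:
        notes.append("ssl-passthrough set but controller lacks --enable-ssl-passthrough")
    if nginx.get("force-ssl-redirect") == "true":
        notes.append("http:// requests get a 308 redirect to https://")
    if nginx.get("backend-protocol", "HTTP").upper() == "HTTPS":
        mode = "re-encrypt"      # TLS ends at the controller, new TLS session to the pod
    else:
        mode = "terminate"       # plain HTTP to the pod: an HTTPS-only Tomcat rejects it
        notes.append("pod receives plain HTTP")
    return {"mode": mode, "client_sees_cert_of": "ingress controller",
            "ignored": [], "notes": notes}


if __name__ == "__main__":
    for args in (["/nginx-ingress-controller"],
                 ["/nginx-ingress-controller", "--enable-ssl-passthrough"]):
        print(args[-1], "->", tls_path(SAMPLE_INGRESS, args))
```

With the sample manifest, the result changes from `re-encrypt` to `passthrough` only when the flag is present in the controller args, which matches the question's observation that the annotation alone had no effect.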
