Comments (21)

eduardobaitello commented on May 19, 2024 13

@voor
Thanks, that worked!

I just did it a little differently, appending the new server inside the http context using the http-snippet.

Something like this:

apiVersion: v1
kind: ConfigMap
metadata:
  labels:
    app: ingress-nginx
  name: nginx-ingress-configuration
  namespace: ingresns
data:
  ssl-redirect: "false"
  hsts: "true"
  server-tokens: "false"
  http-snippet: |
    server {
      listen 8000 proxy_protocol;
      server_tokens off;
      return 301 https://$host$request_uri;
    }

This prevents overriding the original nginx.tmpl, ensuring more compatibility when upgrading the Nginx Ingress version.

from ingress-nginx.

voor commented on May 19, 2024 11

We're currently using a slightly different configuration to support web sockets:

kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  labels:
    k8s-addon: ingress-nginx.addons.k8s.io
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:...."
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: '443'
    # See https://github.com/kubernetes/kubernetes/issues/36845
spec:
  type: LoadBalancer
  selector:
    app: ingress-nginx
  ports:
  - name: http
    port: 80
    targetPort: http
  - name: https
    port: 443
    targetPort: http

And would also be interested in best practices for how to handle a redirect from the ingress controller that has support for web sockets.

from ingress-nginx.

aledbf commented on May 19, 2024 9

@hsyed since 0.9-beta.3 it is possible to add additional configuration to nginx using annotations.
In this case you just need to add:

  annotations:
    ingress.kubernetes.io/configuration-snippet: |
      if ($http_x_forwarded_proto != 'https') { 
        return 301 https://$host$request_uri;
      }

to the ingress rule.

from ingress-nginx.

dthomason commented on May 19, 2024 8

I second voor's question. In order to enable websockets the controller must be set to L4 and this breaks the force ssl redirect. Please let me know if anyone has come to a solution for this.

from ingress-nginx.

eduardobaitello commented on May 19, 2024 5

@voor Have you found a solution for how to handle ssl-redirects with L4 ELB and proxy-protocol enabled?
I need to use websockets too, and I don't know how to handle this.

from ingress-nginx.

aledbf commented on May 19, 2024 4

@coulix the annotation ingress.kubernetes.io/ssl-redirect is not supported in the GCE ingress controller and the path /* should be / in the nginx ingress controller.

from ingress-nginx.

refl3ction commented on May 19, 2024 4

For newer versions of nginx ingress, these annotations worked for me, in which nginx-ingress-internal is an AWS NLB:

    annotations:
      kubernetes.io/ingress.class: nginx-ingress-internal
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/configuration-snippet: |
        if ($http_x_forwarded_proto = 'http') {
          return 301 https://$host$request_uri;
        }

from ingress-nginx.

EvgeniGordeev commented on May 19, 2024 2

@dpolicastro trying your example for EKS 1.18, NLB, ingress-nginx v.3.19.0 without success:

    annotations:
      nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
      nginx.ingress.kubernetes.io/ssl-redirect: "true"
      nginx.ingress.kubernetes.io/configuration-snippet: |
        if ($http_x_forwarded_proto = 'http') {
          return 301 https://$host$request_uri;
        }

doesn't redirect from http to https on curl http://example.com/my/path. NB: worked fine on ELB aka CLB.

from ingress-nginx.

hsyed commented on May 19, 2024 1

The following worked the first time around without using the proxy protocol. I did have to use the tmpl file from the 0.8.3 image, as the contrib repo did not have release tags for 0.8.3 and the tmpl found there was incompatible.

...
{{- range $location := $server.Locations }}
...
if ($http_x_forwarded_proto = "http") {
    return 301 https://$host$request_uri;
}
...

from ingress-nginx.

idanna commented on May 19, 2024 1

@EvgeniGordeev From here:
Source/remote address preservation: With a Network Load Balancer, the original source IP address and source ports for the incoming connections remain unmodified. With Classic and Application load balancers, we had to use HTTP header X-Forwarded-For to get the remote IP address.

So you don't have the x-forwarded for when using NLB.

from ingress-nginx.

bprashanth commented on May 19, 2024

This is useful when tiering loadbalancers, it's also why we have this image: https://github.com/kubernetes/contrib/blob/master/ingress/echoheaders-redirect/nginx.conf (but I guess you want the existing nginx ingress to adopt that config).

I think the general purpose redirect will surface as the outcome of discussion on both kubernetes/kubernetes#28443 and https://groups.google.com/forum/#!topic/kubernetes-sig-network/tPOvADUSoqc

I believe discussion on those will converge in the start of 2017. Can you wait till then?

from ingress-nginx.

hsyed commented on May 19, 2024

@bprashanth Yes 2017 is fine. I'll get a custom template going for now. I will give your image a look and see if I can adapt it. Thanks.

from ingress-nginx.

voor commented on May 19, 2024

Also wanted to note that with proxy protocol on, the $http_x_forwarded_proto value is just - and therefore not usable in this scenario.

from ingress-nginx.
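
Added example (not part of the comment above and not ingress-nginx code): a Python model of the bytes NGINX reads from an ELB TCP listener with PROXY protocol enabled. The preamble carries addresses and ports but the HTTP request arrives without X-Forwarded-Proto, so the `= 'http'` check from this thread never fires and the `!= 'https'` check fires on every request, while a dedicated plain-HTTP listener redirects unconditionally. The sample bytes and all function names are constructed for illustration.

```python
# Constructed sample: bytes NGINX reads from an ELB TCP listener with PROXY
# protocol enabled. Addresses are documentation ranges, not from the thread.
SAMPLE = (b"PROXY TCP4 198.51.100.22 203.0.113.7 35646 80\r\n"
          b"GET /my/path HTTP/1.1\r\nHost: example.com\r\n\r\n")


def parse_proxy_v1(stream):
    """Split a PROXY protocol v1 preamble from the payload that follows it."""
    line, sep, rest = stream.partition(b"\r\n")
    # The v1 line is at most 107 bytes including CRLF.
    if not sep or len(line) > 105 or not line.startswith(b"PROXY "):
        raise ValueError("missing or malformed PROXY v1 preamble")
    fields = line.decode("ascii").split(" ")
    if len(fields) != 6 or fields[1] not in ("TCP4", "TCP6"):
        raise ValueError("unsupported PROXY v1 preamble")
    return {"client_ip": fields[2], "proxy_ip": fields[3],
            "client_port": int(fields[4]), "proxy_port": int(fields[5])}, rest


def parse_http_head(raw):
    """Return (request target, lower-cased header dict) from a raw request head."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    request_line, *header_lines = head.split("\r\n")
    target = request_line.split(" ")[1]
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return target, headers


def header_check(headers, op):
    """The thread's snippet conditions: op '=' tests 'http', op '!=' tests 'https'."""
    proto = headers.get("x-forwarded-proto", "")  # empty when no proxy set it
    return proto == "http" if op == "=" else proto != "https"


def redirect_listener(stream):
    """Model of `listen ... proxy_protocol; return 301 https://$host$request_uri;`."""
    _, payload = parse_proxy_v1(stream)
    target, headers = parse_http_head(payload)
    return 301, "https://" + headers["host"] + target
```
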

SomeoneWeird commented on May 19, 2024

Any update on this?

from ingress-nginx.

od0 commented on May 19, 2024

@SomeoneWeird the latest image (gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.2) works great!

from ingress-nginx.

asmith60 commented on May 19, 2024

@od0 how does this work in the 0.9.0-beta.2 image? Was there an annotation/config added for per ingress resource HTTP --> HTTPS redirects? I cannot seem to find any mention of it in the changelog.

from ingress-nginx.

od0 commented on May 19, 2024

@asmith60 no annotation needed, I believe it defaults to https redirect now if TLS is defined for the ingress. For example, using kube-lego, something like this would work:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: foo
  annotations:
    kubernetes.io/tls-acme: "true"
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - secretName: foo-tls
    hosts:
    - foo.bar.com
  rules:
  - host: foo.bar.com
    http:
      paths:
      - path: /
        backend:
          serviceName: foo
          servicePort: 4444

from ingress-nginx.

gregtap commented on May 19, 2024

I am trying to use that on Google Cloud Engine.
Since everything seems fine from a conf perspective could it be an issue with outdated Ingress version on GCE?

Somehow as soon as I add kubernetes.io/ingress.class: "nginx" to my Ingress config it will stop working and routing properly giving 404s.

Working conf.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: chefclub-tools
  annotations:
    kubernetes.io/ingress.global-static-ip-name: "test-ip"
    ingress.kubernetes.io/ssl-redirect: "true" # Not working
spec:
  tls:
  - secretName: chefclub-tools-tls-secret
    hosts:
    - api.chefclub.tools
    - auto-liker.chefclub.tools
  rules:
  - host: api.chefclub.tools
    http:
      paths:
      - path: /*
        backend:
          serviceName: facebook-service
          servicePort: 80

Router not working

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: chefclub-tools
  annotations:
    kubernetes.io/ingress.class: "nginx" ############  added this line
    kubernetes.io/ingress.global-static-ip-name: "test-ip"
    ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - secretName: chefclub-tools-tls-secret
    hosts:
    - api.chefclub.tools
    - auto-liker.chefclub.tools
  rules:
  - host: api.chefclub.tools
    http:
      paths:
      - path: /*
        backend:
          serviceName: facebook-service
          servicePort: 80

> kubectl describe ing
Name:			chefclub-tools
Namespace:		default
Address:
Default backend:	default-http-backend:80 (10.16.2.21:8080)
TLS:
  chefclub-tools-tls-secret terminates api.chefclub.tools,auto-liker.chefclub.tools
Rules:
  Host				Path	Backends
  ----				----	--------
  api.chefclub.tools
    				/* 	facebook-service:80 (<none>)

Annotations:
  ssl-redirect:	true
No events.

from ingress-nginx.

voor commented on May 19, 2024

Yes,

It's not pretty, though.

I stand up a very simple nginx configuration on another port (8081 or whatever) and just do a typical nginx SSL redirect:

    # redirect port, just redirects to same endpoint on HTTPS, used since AWS ELB is always on HTTP.
    server {
      listen 8888 proxy_protocol;
      return 301 https://$host$request_uri;
    }

Just override the typical nginx.tmpl for the ingress configuration:

kubectl --namespace ${NAMESPACE} create configmap ingress-nginx-template --from-file=nginx.tmpl=${WHEREEVER}/nginx.tmpl

from ingress-nginx.

marwatk commented on May 19, 2024

For anyone arriving here from Google like I did, in current versions (I'm using 0.19) simply adding nginx.ingress.kubernetes.io/force-ssl-redirect: "true" to your annotations will enable redirect even with --enable-ssl-passthrough and nginx.ingress.kubernetes.io/ssl-passthrough: "true".

from ingress-nginx.

voor commented on May 19, 2024

Nice, but will that handle the use case of proxy_protocol as well?

from ingress-nginx.
