K
Q

nginx ssl3_get_record wrong version number 502 Bad Gateway

10/21/2018

I am deploying an Ingress on my K8S cluster. All my configs look good.

My Ingress is defined like this :

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/proxy-body-size: 50m
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/secure-backends: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "false"
  creationTimestamp: 2018-10-20T23:40:47Z
  generation: 1
  labels:
    type: jenkins
  name: jenkins-ingress
  namespace: helm-gcp-test-jenkins
  resourceVersion: "59946"
  selfLink: /apis/extensions/v1beta1/namespaces/helm-gcp-test-jenkins/ingresses/jenkins-tls
  uid: 91c5fd22-d4c1-11e8-a0e9-6691b5512bd6
spec:
  rules:
  - host: master.ingress.proj.csp-test.shoo.company.com
    http:
      paths:
      - backend:
          serviceName: jenkins-master
          servicePort: 8090
        path: /
status:
  loadBalancer:
    ingress:
    - ip: 35.187.16.8

The deployed Ingress looks like :

NAME          HOSTS                                                  ADDRESS         PORTS     AGE
jenkins   master.ingress.proj.csp-test.shoo.company.com  
35.187.16.8   80        21m

Since I'm deploying this in GCP, I have a LB as well.

As you can see the Ingress is supposed to route traffic to jenkins-master on port 8090

This service is present in the same namespace.

# kubectl get -n helm-gcp-test-jenkins svc jenkins-master
NAME             TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)              AGE
jenkins-master   ClusterIP   100.71.2.206   <none>        8090/TCP,30005/TCP   13m

From within the cluster if I do curl http://100.71.2.206:8090, I can successfully see the main page of my application, which means that setup is OK.

Now when I try to access the Ingress from my Browser, this is all that I see.

enter image description here

When I look at the logs of my Ingress controller pod, they have the following ERROR:

2018/10/20 23:44:05 [error] 1084#1084: *538 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.250.0.2, server: master.ingress.proj.csp-test.shoo.company.com, request: "GET / HTTP/1.1", upstream: "https://100.96.0.35:8090/", host: "master.ingress.proj.csp-test.shoo.company.com"
10.250.0.2 - [10.250.0.2] - - [20/Oct/2018:23:44:05 +0000] "GET / HTTP/1.1" 502 174 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15" 438 0.002 [helm-gcp-test-jenkins-jenkins-master-8090] 100.96.0.35:8090 0 0.002 502 60a2a0827ecfa7f0f43997c3b90e5eea
2018/10/20 23:44:06 [error] 1084#1084: *542 SSL_do_handshake() failed (SSL: error:1408F10B:SSL routines:ssl3_get_record:wrong version number) while SSL handshaking to upstream, client: 10.250.0.2, server: master.ingress.proj.csp-test.shoo.company.com, request: "GET /favicon.ico HTTP/1.1", upstream: "https://100.96.0.35:8090/favicon.ico", host: "master.ingress.proj.csp-test.shoo.company.com", referrer: "http://master.ingress.proj.csp-test.shoo.company.com/"
10.250.0.2 - [10.250.0.2] - - [20/Oct/2018:23:44:06 +0000] "GET /favicon.ico HTTP/1.1" 502 174 "http://master.ingress.proj.csp-test.shoo.company.com/" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 Safari/605.1.15" 447 0.003 [helm-gcp-test-jenkins-jenkins-master-8090] 100.96.0.35:8090 0 0.002 502 80769268e1fe1fccd33ed2b58720672e

Not sure what this error is. Any ideas ? Am I using the wrong Annotations ?

--
kubernetes-ingress
nginx
nginx-ingress
ssl

Similar Questions

Creating Persistent Volumes in Kubernetes on Google cloud platform
Encrypting secret data in kubernetes etcd store
How to do variable substitution in Kubernetes manifests?
Kubernetes resource versioning

1 Answer

10/22/2018

Look at theofficial List of Annotation.

There is no nginx.ingress.kubernetes.io/secure-backends: "true". Also, you use the HTTP in this case you don't need to nginx.ingress.kubernetes.io/secure-backends: true".

The annotation nginx.ingress.kubernetes.io/ssl-passthrough instructs the controller to send TLS connections directly to the backend instead of letting NGINX decrypt the communication. See also TLS/HTTPS in the User guide. !!! note SSL Passthrough is disabled by default and requires starting the controller with the --enable-ssl-passthrough flag. !!! attention Because SSL Passthrough works on layer 4 of the OSI model (TCP) and not on the layer 7 (HTTP), using SSL Passthrough invalidates all the other annotations set on an Ingress object.

Make sure you enable ssl-passthrough in controller, or you can remove this annotation since you don't use the SSL.

-- Nick Rak
Source: StackOverflow