K
Q

Nginx ingress controller still redirect to SSL

12/21/2018

I am experiencing this issue. My application needs to receive connection under SSL only with WebSocket. HTTP requests should be forced to not being redirected. My ingress configuration is

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
 name: in-camonline
 namespace: cl5
 annotations: 
  kubernetes.io/ingress.class: "nginx"
  nginx.org/websocket-services: "svc-ws-api"
  nginx.ingress.kubernetes.io/ssl-redirect: "false"
  nginx.ingress.kubernetes.io/force-ssl-redirect: "false"
  ingress.kubernetes.io/affinity: "ClientIP"
spec:
 tls:
  - hosts:
    - foo.bar.com
    secretName: cl5-secret
 rules:
 - host:  foo.bar.com
   http:
    paths:
     - path: /socket.io
       backend:
        serviceName: svc-ws-api
        servicePort: 8000
     - path: /
       backend:
        serviceName: svc-http-service
        servicePort: 80

I also disabled the ssl-redirect globally adding an item into the ConfigMap

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-configuration
  namespace: ingress
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
data:
        #use-proxy-protocol: "false"
 ssl-redirect: "false"

Now if I do request using curl, requests won't being redirected. If I try to run my front-end application every request after the WSS will be forced to being redirected to use HTTPS

Request URL: http://foo.bar.com/2/symbols
Request Method: OPTIONS
Status Code: 307 Internal Redirect
Referrer Policy: no-referrer-when-downgrade

Any suggestion about how to achieve that?

-- Giorgio Cerruti
kubernetes

Similar Questions

storing the configuration used in ConfigMap "kubeadm-config" in the "kube-system" Namespace
Openshift readiness probe not executed
How to have the static ELB endpoint for kubernates deployments
Is that possible to highlight all the pods using ONE service?
Docker volume and kubernetes volume
Unable to authenticate the request" err="invalid bearer token

2 Answers

10/2/2019

There is another solution.

If you want to disable HSTS just make the max-age zero. like this!!

nginx.ingress.kubernetes.io/configuration-snippet: |  
if ($scheme = https) {   
  add_header  Strict-Transport-Security "max-age=0;";  
}

link : https://justin-g.tistory.com/176

-- kokojustin
Source: StackOverflow
1/3/2019

Finally, I sorted it out. If someone is reading this, easy you are not alone!

Jokes aside, nginx-controller was setting header Strict-Transport-Security after the first HTTPS call (socket.io polling in my case). This header forces the browser to use TLS for the next requests. You can read more about this header here https://developer.mozilla.org/it/docs/Web/HTTP/Headers/Strict-Transport-Security

What I did is to disable the option adding the entry hsts: false on the ingress-controller's ConfigMap object. You can find more here https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#hsts Hope this can help you :)

-- Giorgio Cerruti
Source: StackOverflow