Kubernetes Ingress: SSL (HTTP -> HTTPS) redirect not working (Nginx Docker)

4/21/2019

I am using Kubernetes within Google Cloud Kubernetes Engine and have setup the following: - Nginx docker image (nginx:latest), which is hosting a web application - Kubernetes Deployment (yaml file) - Kubernetes Service (yaml file) - Kubernetes Secret with existing key and certificates (Wildcard PositiveSSL) - Kubernetes Ingress

Currently I have both HTTP and HTTPS working. However, I want to redirect any and all HTTP calls to HTTPS automatically, but don't seem to get it to be working.

I have tried many variations of the conf and script files below, and it doesn't seem to be able to redirect HTTP to HTTPS.

Any idea what I might be doing wrong here?

Please see below for my conf, yaml and docker files.

Nginx Conf:

server {
  listen 80;
  charset utf-8;
  root /usr/share/nginx/html;

  location / {
    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect  http:// https://;
    proxy_pass              http://portal.domain.com;
    proxy_http_version 1.1;
    proxy_request_buffering off;
  }
}

server {
  listen 443 ssl;

  charset utf-8;
  root /usr/share/nginx/html;

  ssl_certificate       /etc/nginx/ssl/domain_com_full.crt;
  ssl_certificate_key   /etc/nginx/ssl/domain_com.key;

  location / {
    proxy_set_header        Host $host:$server_port;
    proxy_set_header        X-Real-IP $remote_addr;
    proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header        X-Forwarded-Proto $scheme;
    proxy_redirect  http:// https://;
    proxy_pass              http://portal.domain.com;
    proxy_http_version 1.1;
    proxy_request_buffering off;
  }
}

Docker file:

FROM nginx:latest
COPY nginx.conf /etc/nginx/conf.d/default.conf
COPY domain_com_full.crt /etc/nginx/ssl/domain_com_full.crt
COPY domain_com.key /etc/nginx/ssl/domain_com.key
COPY dist /usr/share/nginx/html
EXPOSE 443 80

Deployment YAML (I use a script to fill in the revision part of the image):

apiVersion: apps/v1
kind: Deployment
metadata:
  name: domain-frontend-prd
spec:
  replicas: 2
  strategy:
    type: RollingUpdate
    rollingUpdate:
        maxSurge: 1
        maxUnavailable: 0
  selector:
    matchLabels:
      run: domain-frontend-prd
  template:
    metadata:
      labels:
        run: domain-frontend-prd
    spec:
      containers:
      - name: domain-frontend-image
        image: eu.gcr.io/domain-service/domain-frontend-image:{{REVISION_ID}}
        ports:
        - containerPort: 80
        - containerPort: 443
        readinessProbe:
          httpGet:
            path: /
            port: 80
          initialDelaySeconds: 5
          periodSeconds: 5
          successThreshold: 1

Service YAML:

apiVersion: v1
kind: Service
metadata:
  name: domain-frontend-service-prd
spec:
  type: NodePort
  selector:
    run: domain-frontend-prd
  ports:
  - protocol: TCP
    port: 443
    targetPort: 443
    name: https-port
  - protocol: TCP
    port: 80
    targetPort: 80
    name: http-port

Ingress YAML (The Secret is working, as the HTTPS call also works + static IP is also there and working):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: domain-frontend-ingress-prd
  annotations:
    kubernetes.io/ingress.global-static-ip-name: kubernetes-ingress
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - portal.domain.com
    secretName: domain-tls
  backend:
    serviceName: domain-frontend-service-prd
    servicePort: 80
  rules:
  - host: portal.domain.com
    http:
      paths:
        - path: /
          backend:
            serviceName: domain-frontend-service-prd
            servicePort: 80
-- vv01
google-kubernetes-engine
https
kubernetes
kubernetes-ingress
ssl

1 Answer

5/5/2019

Through extensive search I have found out that apparently the standard Ingress controller in Google Cloud Kubernetes engine, does not support redirect to HTTPS.

In order to be able to resend traffic to HTTPS (from HTTP), you need to install the NGINX Ingress controller according to this tutorial/documentation:

https://cloud.google.com/community/tutorials/nginx-ingress-gke

This has resolved my issue.

-- vv01
Source: StackOverflow