Apache reverse proxy in front of an ingress-gce (GKE)

5/22/2019

I'm trying to overcome the ingress-gce limitation of redirecting traffic from HTTP to HTTPS.

So, the easiest configuration would be a reverse proxy with Apache2, but it isn't working for me. This Apache is in another VM apart from my Kubernetes cluster; I just want to "proxy" the traffic so I can manipulate the request, redirect to HTTPS, etc.

I need this specific solution to work as I can't configure an nginx ingress at this point; it has to be done with this GCE ingress.

My ingress yaml configuration is:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: my-reserved-address
    kubernetes.io/ingress.allow-http: "false"
spec:
  tls:
  - hosts:
    - mycustom.domain.com
    secretName: mydomain-com-certificate
  rules:
  - host: mycustom.domain.com
    http:
      paths:
      - path: /*
        backend:
          serviceName: tomcat-service
          servicePort: 80
      - path: /app/*
        backend:
          serviceName: spring-boot-app-service
          servicePort: 80

My apache virtualhost configuration is:

<VirtualHost *:80>
        ServerName myother.domain.com
        Redirect permanent / https://myother.domain.com/
</VirtualHost>

<VirtualHost *:443>
        ServerName myother.domain.com

        ProxyPreserveHost On
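        # Reverse proxy only: ProxyPass works with ProxyRequests Off; On would also enable forward proxying
        ProxyRequests Off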
        ProxyPass / https://mycustom.domain.com/
        ProxyPassReverse / https://mycustom.domain.com/

        SSLEngine on
        SSLProxyEngine on
        SSLProtocol All -SSLv2 -SSLv3
        SSLCipherSuite ALL:!aNULL:!ADH:!eNULL:!LOW:!EXP:!RC4:+HIGH:+MEDIUM
        SSLCertificateKeyFile /etc/ssl/domain.com/domain.com-privatekey-nopass.pem
        SSLCertificateFile /etc/ssl/domain.com/domain.com.crt
        SSLCACertificateFile /etc/ssl/domain.com/IntermediateCA.crt
</VirtualHost>

Every piece of the puzzle is working independently as expected, I mean, if I go to any of the following

A) https://mycustom.domain.com/tomcat_context 
B) https://mycustom.domain.com/app/hello

I get the desired results: A) I get my web page and B) I get a simple response from my app.

However, when I use the proxy http://myother.domain.com/tomcat_context I can see how it transforms to but I always get a TEXT response from the cluster, it is always

default backend - 404

I'm also checking the Apache2 logs and I can see how the correct invocation is being made internally by Apache

[Wed May 22 18:39:40.757619 2019] [proxy:debug] [pid 14196:tid 140335314564864] proxy_util.c(2213): [client xxx.xxx.xxx.xxx:52636] AH00944: connecting https://mycustom.domain.com/tomcat_context to mycustom.domain.com:443

I can't find an explanation why this is happening if all the pieces are working properly. At the end of the day my ingress-gce is like an external service to my Apache proxy, so it should be working already.

Also, both configurations, the ingress and the Apache, have SSL configured and it's the same exact certificate as both are running on the same domain.

Any help will be appreciated

-- William Añez
apache
google-compute-engine
kubernetes
kubernetes-ingress

1 Answer

5/22/2019

The ingress controller doesn't have a handler for myother.domain.com so it produces a 404.

You either need to set up an additional Ingress host for myother.domain.com or turn ProxyPreserveHost Off so the proxy sends the mycustom.domain.com host name from the ProxyPass config.

How the Tomcat application makes use of the Host header is usually the decider for which way you need to map the header through the proxy.

-- Matt
Source: StackOverflow
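
Added example (not part of the original question or answer, and a simplified model rather than the GCE load balancer's own logic): it routes a request by Host header and path using the rules from the Ingress above, and shows which Host Apache forwards under each ProxyPreserveHost setting. The function names `upstream_host` and `route` are hypothetical.

```python
"""Simplified model of host/path routing behind a reverse proxy (added example)."""

DEFAULT_BACKEND = "default backend - 404"

# Rules copied from the Ingress in the question: host -> [(path pattern, service)]
INGRESS_RULES = {
    "mycustom.domain.com": [
        ("/*", "tomcat-service"),
        ("/app/*", "spring-boot-app-service"),
    ],
}


def upstream_host(client_host, proxypass_host, preserve_host):
    """Host header the proxy sends upstream.

    ProxyPreserveHost On  -> the Host the client sent to Apache.
    ProxyPreserveHost Off -> the host name from the ProxyPass target URL.
    """
    return client_host if preserve_host else proxypass_host


def route(host, path, rules=INGRESS_RULES):
    """Exact host match first, then the longest matching path pattern."""
    paths = rules.get(host.lower().split(":")[0])
    if paths is None:
        return DEFAULT_BACKEND  # no host rule: request falls to the default backend
    best = None
    for pattern, service in paths:
        wildcard = pattern.endswith("*")
        prefix = pattern[:-1] if wildcard else pattern
        matched = path.startswith(prefix) if wildcard else path == pattern
        if matched and (best is None or len(prefix) > len(best[0])):
            best = (prefix, service)
    return best[1] if best else DEFAULT_BACKEND


if __name__ == "__main__":
    for preserve in (True, False):
        host = upstream_host("myother.domain.com", "mycustom.domain.com", preserve)
        print(f"ProxyPreserveHost {'On' if preserve else 'Off'}: "
              f"Host={host} -> {route(host, '/tomcat_context')}")
```

The other fix from the answer corresponds to adding a `myother.domain.com` entry to the rules, after which the preserved Host header matches as well.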