I'm trying to set up SSL termination for my EKS load balancer on an Apache OpenWhisk deployment:
kind: Service
metadata:
  annotations:
    nginx.ingress.kubernetes.io/proxy-body-size: 50m
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <arn>
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https-api
  creationTimestamp: "2020-03-17T19:06:28Z"
  labels:
    app: owdev-openwhisk
    chart: openwhisk-0.2.1
    heritage: Helm
    name: owdev-nginx
    release: owdev
  name: owdev-nginx
  namespace: openwhisk
  resourceVersion: "43288"
  selfLink: /api/v1/namespaces/openwhisk/services/owdev-nginx
  uid: 679858cf-6882-11ea-8746-02f532cfa957
spec:
  clusterIP: <ip>
  externalTrafficPolicy: Cluster
  ports:
  - name: http
    nodePort: 31858
    port: 80
    protocol: TCP
    targetPort: 80
  - name: https-api
    nodePort: 32653
    port: 443
    protocol: TCP
    targetPort: 443
  selector:
    name: owdev-nginx
  sessionAffinity: None
  type: LoadBalancer
The service looks like this when deployed. With this configuration when I visit the endpoint in my browser I get:
400 Bad Request
The plain HTTP request was sent to HTTPS port
but internally:
curl -k -v https://owdev-nginx
works fine.
If I then swap the targetPort of https-api to http, the external endpoint works, but the internal one has a similar error.
Any suggestions as to what to tweak to get both external and internal (certificate ignored) requests flowing through it?
I appreciate this is similar to the Common Pitfalls section here: https://kubernetes-on-aws.readthedocs.io/en/latest/user-guide/tls-termination.html. Is there a way around it?
The reason you are seeing this error is due to an easily fixed configuration issue. When the client tries to access your site via HTTP, over port 80, the request is redirected to HTTPS, over port 443. However, nginx is expecting the original request to arrive using SSL over port 443.
Please let me know if it helps.
Similar problem: bad-request.
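The two request paths from the question, traced as an added example that is not part of the original post or answer. It assumes the nginx pod serves plain HTTP on container port 80 and TLS on container port 443 (inferred from the symptoms described), and that in-cluster clients reach the Service directly without passing through the ELB; the function names are hypothetical.

```python
# Added illustration: model of the two paths through the owdev-nginx Service.
# Assumption: the nginx pod serves plain HTTP on port 80 and TLS on port 443.
POD_LISTENERS = {80: "http", 443: "https"}
BACKEND_PROTO = "service.beta.kubernetes.io/aws-load-balancer-backend-protocol"
SSL_PORTS = "service.beta.kubernetes.io/aws-load-balancer-ssl-ports"


def make_service(https_api_target):
    """Constructed Service, reduced to the fields that matter here."""
    return {
        "annotations": {BACKEND_PROTO: "http", SSL_PORTS: "https-api"},
        "ports": [
            {"name": "http", "port": 80, "targetPort": 80},
            {"name": "https-api", "port": 443, "targetPort": https_api_target},
        ],
    }


def pod_response(sent, target_port):
    """What nginx answers when protocol `sent` arrives on `target_port`."""
    expected = POD_LISTENERS[target_port]
    if sent == expected:
        return "ok"
    if sent == "http":
        return "400 plain HTTP request sent to HTTPS port"
    return "TLS handshake sent to plain HTTP port"


def trace(service, client_scheme, service_port, via_elb):
    """Follow one request to the pod and return the pod's answer."""
    port = next(p for p in service["ports"] if p["port"] == service_port)
    sent = client_scheme
    if via_elb:
        ssl_ports = service["annotations"].get(SSL_PORTS, "").split(",")
        if port["name"] in ssl_ports or str(port["port"]) in ssl_ports:
            # The ELB decrypts, then speaks the backend protocol to the pod.
            sent = service["annotations"][BACKEND_PROTO]
    return pod_response(sent, port["targetPort"])


def compare():
    """Both paths to service port 443, for each candidate targetPort."""
    return {
        target: {
            "external": trace(make_service(target), "https", 443, via_elb=True),
            "internal": trace(make_service(target), "https", 443, via_elb=False),
        }
        for target in (443, 80)
    }
```

In this model neither value of `targetPort` for `https-api` satisfies both paths, which matches the behaviour reported in the question.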