Hostname (SNI) missing while using nginx ingress SSL Passthrough to underlying service

6/24/2020

I'm trying to implement SSL Passthrough with nginx-ingress-controller. This is my Ingress object:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
  labels:
    my-label: example
  name: example
  namespace: example
spec:
  rules:
  - host: '*.example.com'
    http:
      paths:
      - backend:
          serviceName: example
          servicePort: 8443
        path: /

The --enable-ssl-passthrough flag is present in the controller args.

When a request comes through the ingress controller to my underlying service, I'm trying to parse the SNI to find out which domain was used, so that I know which certificate I should present, but the service cannot find the SNI and returns this error:

{"level":"debug","ts":1592992137.1836417,"msg":"Error getting server name","error":"No hostname"}

Does nginx-ingress-controller remove the SNI when parsing? Or what may be the reason for such behavior?

Thanks in advance for help

-- Morishiri
kubernetes
nginx
nginx-ingress

1 Answer

6/25/2020

I contacted nginx-ingress developers directly and I got information that the reason this is not working is the wildcard domain, which is not supported by nginx-ingress.

Everything else is configured correctly and when changing *.example.com into something specific (e.g. whatever.example.com) it works correctly.

-- Morishiri
Source: StackOverflow