To redirect any HTTP traffic to HTTPS on TLS-enabled hosts, I have added the below annotation to my ingress resources:

    nignx.ingress.kubernetes.io/force-ssl-redirect: true

With this, when I curl the host in question, I get redirected as expected.
But when I use a browser, the request to HTTP times out.
Now, I am not sure if it's something I am doing wrong at Nginx ingress conf as curl works? Any pointers please? Thanks!
Complete annotations:
    annotations:
      kubernetes.io/ingress.class: nginx-ingress
      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
      nginx.ingress.kubernetes.io/proxy-body-size: 100m
      nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
      nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
      nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
      nginx.ingress.kubernetes.io/ssl-passthrough: "false"
      nginx.ingress.kubernetes.io/ssl-redirect: "false"
rules
    rules:
    - host: hostX
      http:
        paths:
        - backend:
            serviceName: svcX
            servicePort: 8080
          path: /
    - host: hostY
      http:
        paths:
        - backend:
            serviceName: svcX
            servicePort: 8080
          path: /
    tls:
    - hosts:
      - hostX
    - hosts:
      - hostY
      secretName: hostY-secret-tls
Note: 1) The curl mentioned is to hostY in the rule above. 2) HTTPS to hostY via browser works, so the cert is a valid one.
As @mdaniel has mentioned, your snippet shows nignx.ingress.kubernetes.io/force-ssl-redirect: true but annotations should be strings. Notice that in your "complete" config, you have both force-ssl-redirect: "true" (now correctly a string) and ssl-redirect: "false".
Simply remove the annotation nginx.ingress.kubernetes.io/ssl-redirect: "false" and leave just nginx.ingress.kubernetes.io/force-ssl-redirect: "true". Also enable --enable-ssl-passthrough. This is required to enable passthrough backends in Ingress objects.
Your annotation should look like:
    kubernetes.io/ingress.class: nginx-ingress
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 100m
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
If you defined hosts under the TLS section, they are going to be accessible only using HTTPS. HTTP requests are being redirected to use HTTPS. That is why you cannot access the host via HTTP. Also, you have to specify a secret for host hostX, otherwise the default certificate will be used for the ingress. Or, if you don't want to connect to host hostX via HTTPS, simply create a different ingress without a TLS section for it.
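
The points raised in the answer above, turned into a pre-apply check. This is an added example, not part of the original thread: it assumes the Ingress manifest has already been parsed into a dict, and the function names and the sample manifest are hypothetical, built from the snippets in the question.

```python
# Added example: lint a parsed Ingress manifest for the issues raised in this
# thread. SAMPLE is constructed from the question's snippets, not a real cluster.
PREFIX = "nginx.ingress.kubernetes.io/"

def is_misspelled_prefix(key):
    """True when the key's domain is a letter-for-letter shuffle of PREFIX."""
    domain = key.split("/", 1)[0] + "/"
    return "/" in key and domain != PREFIX and sorted(domain) == sorted(PREFIX)

def lint_ingress(manifest):
    findings = []
    ann = manifest.get("metadata", {}).get("annotations", {})
    for key, value in ann.items():
        if is_misspelled_prefix(key):
            findings.append(f"misspelled prefix: {key}")
        if not isinstance(value, str):  # annotation values must be strings
            findings.append(f"non-string value: {key}={value!r}")
    if (ann.get(PREFIX + "force-ssl-redirect") == "true"
            and ann.get(PREFIX + "ssl-redirect") == "false"):
        findings.append('force-ssl-redirect is "true" while ssl-redirect is "false"')
    for entry in manifest.get("spec", {}).get("tls", []):
        if not entry.get("secretName"):  # default certificate would be served
            findings.extend(f"tls host without secretName: {h}"
                            for h in entry.get("hosts", []))
    return findings

SAMPLE = {
    "metadata": {"annotations": {
        "kubernetes.io/ingress.class": "nginx-ingress",
        "nignx.ingress.kubernetes.io/force-ssl-redirect": True,
        "nginx.ingress.kubernetes.io/force-ssl-redirect": "true",
        "nginx.ingress.kubernetes.io/ssl-redirect": "false",
    }},
    "spec": {"tls": [
        {"hosts": ["hostX"]},
        {"hosts": ["hostY"], "secretName": "hostY-secret-tls"},
    ]},
}

if __name__ == "__main__":
    for finding in lint_ingress(SAMPLE):
        print(finding)
```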