Kubernetes ingress nginx redirect to https

3/3/2021

To redirect any HTTP traffic to HTTPS on tls enabled hosts, I have added the below annotation to my ingress resources

nignx.ingress.kubernetes.io/force-ssl-redirect: true

With this when I curl the host in question, I get redirected as expected

enter image description here

But when I use a browser, the request to HTTP times out.

Now, I am not sure if it's something I am doing wrong at Nginx ingress conf as curl works? Any pointers please? Thanks!

complete annotaiotns:

   annotations:
    kubernetes.io/ingress.class: nginx-ingress
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 100m
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
    nginx.ingress.kubernetes.io/ssl-passthrough: "false"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"

rules

 rules:
  - host: hostX
    http:
      paths:
      - backend:
          serviceName: svcX
          servicePort: 8080
        path: /
  - host: hostY
    http:
      paths:
      - backend:
          serviceName: svcX
          servicePort: 8080
        path: /
  tls:
  - hosts:
    - hostX
  - hosts:
    - hostY
    secretName: hostY-secret-tls

Note: 1) The curl mentioned is to hostY in the rule above. 2) HTTPS to hostY via browser works and so cert is valid one.

-- pa1
kubernetes
nginx-ingress

1 Answer

3/3/2021

As @mdaniel have mentioned your snippet shows nignx.ingress.kubernetes.io/force-ssl-redirect: true but annotations should be strings. Notice that in your "complete" config, you have both force-ssl-redirect: "true" (now correctly a string) and ssl-redirect: "false" .

Simply remove annotation nginx.ingress.kubernetes.io/ssl-redirect: "false" and leave just nignx.ingress.kubernetes.io/force-ssl-redirect: "true" Also enable --enable-ssl-passthrough. This is required to enable passthrough backends in Ingress objects.

Your annotation should look like:

kubernetes.io/ingress.class: nginx-ingress
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
nginx.ingress.kubernetes.io/proxy-send-timeout: "300"

If you defined hosts under TLS section they are going to be accessible only using https. HTTP requests are being redirected to use HTTPS. That is why you cannot access host via HTTP. Also you have to specify secret for host hostX, otherwise the default certificate will be used for ingress. Or if you don't want to connect to host hostX via HTTPS simply create different ingress without TLS section for it.

Take a look: .

-- Malgorzata
Source: StackOverflow