K
Q

Kubernetes - JBoss application server Management console login not working with Nginx Ingress SSL offloading

11/4/2021

We are using Nginx ingress operator version 0.4.0 and the controller version 2.0.0, and JBoss Wildfly v24.0.1.

kubeadm, kubelet & kubectl version 1.21.2.

Our Ingress looks like the below, it's configured to terminate SSL as per the Nginx documentation.

Everything is working as expected when accessing the application from the browser. Couple of applications deployed on JBoss. The URLs are running on https and presenting the SSL cert added in the K8 secret. Except for the JBoss management console. After this configuration, the console login fails with the 403 forbidden error. When we disable https and access it through http it starts working. Our guess is that the Ingress/Controller is not sending enough information (headers) to the JBoss due to which it's not aware of SSL offloading.

Please help us pinpoint the configuration that is missing.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  tls:
  - hosts:
    - example.com
    secretName: tls-ca
  rules:
  - host: example.com
    http:
      paths:

      ...

HTTP request details: HTTP request details

Request headers:

POST /management HTTP/1.1
Host: example.com
Connection: keep-alive
Content-Length: 380
Authorization: Digest username="xyz", realm="ManagementRealm", nonce="AAAAAQABDCwbw5Jvnvk6cLHU9ClZOEIx0snufDEQubBLPUEk1zWV3k2pytE=", uri="/management", algorithm=MD5, response="c93b380bb42bd251f09c7e48b122e574", opaque="00000000000000000000000000000000", qop=auth, nc=00000003, cnonce="da33611075a1d9f9"
sec-ch-ua: "Google Chrome";v="95", "Chromium";v="95", ";Not A Brand";v="99"
Accept: application/dmr-encoded
Content-Type: application/dmr-encoded
X-Management-Client-Name: HAL
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: https://example.com
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://example.com/console/index.html
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
-- Taha
jboss
kubernetes
nginx-ingress
ssl

Similar Questions

Kubernetes Jenkins Plugin Creating more resources for pending slaves
pod/container name resolution does not work outside containers
Connect client and server in kubernetes cluster
istio allowing connection to HTTPS url without any service entry
Pods not communicating when running in cloud as opposed to minikube

0 Answers