To redirect any HTTP traffic to HTTPS on TLS-enabled hosts, I have added the below annotation to my ingress resources:
nignx.ingress.kubernetes.io/force-ssl-redirect: true
With this, when I curl the host in question, I get redirected as expected.
But when I use a browser, the request to HTTP times out.
Now, I am not sure if it's something I am doing wrong at Nginx ingress conf as curl works? Any pointers please? Thanks!
Complete annotations:
annotations:
  kubernetes.io/ingress.class: nginx-ingress
  nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
  nginx.ingress.kubernetes.io/proxy-body-size: 100m
  nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
  nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
  nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
  nginx.ingress.kubernetes.io/ssl-passthrough: "false"
  nginx.ingress.kubernetes.io/ssl-redirect: "false"
Rules:
rules:
- host: hostX
  http:
    paths:
    - backend:
        serviceName: svcX
        servicePort: 8080
      path: /
- host: hostY
  http:
    paths:
    - backend:
        serviceName: svcX
        servicePort: 8080
      path: /
tls:
- hosts:
  - hostX
- hosts:
  - hostY
  secretName: hostY-secret-tls
Note:
As @mdaniel has mentioned, your snippet shows nignx.ingress.kubernetes.io/force-ssl-redirect: true but annotations should be strings. Notice that in your "complete" config, you have both force-ssl-redirect: "true" (now correctly a string) and ssl-redirect: "false".
Simply remove annotation nginx.ingress.kubernetes.io/ssl-redirect: "false" and leave just nginx.ingress.kubernetes.io/force-ssl-redirect: "true". Also enable --enable-ssl-passthrough. This is required to enable passthrough backends in Ingress objects.
Your annotation should look like:
kubernetes.io/ingress.class: nginx-ingress
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 100m
nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
If you defined hosts under the TLS section, they are going to be accessible only using HTTPS. HTTP requests are being redirected to use HTTPS. That is why you cannot access the host via HTTP. Also, you have to specify a secret for host hostX, otherwise the default certificate will be used for ingress. Or, if you don't want to connect to host hostX via HTTPS, simply create a different ingress without a TLS section for it.
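A pre-apply lint for the issues raised in this thread (non-string annotation values, a misspelled annotation prefix, both redirect annotations set together, and a TLS host with no secretName), as an added example that is not part of the original question or answer. The function name `lint_ingress`, the finding codes and the JSON form of the manifest are assumptions made for the example; the sample manifest is constructed from the snippets above.

```python
import json

PREFIX = "nginx.ingress.kubernetes.io/"

# Constructed sample: the question's Ingress in JSON form, including the
# misspelled, unquoted annotation from its first snippet.
SAMPLE = json.loads("""
{
  "metadata": {"annotations": {
    "kubernetes.io/ingress.class": "nginx-ingress",
    "nignx.ingress.kubernetes.io/force-ssl-redirect": true,
    "nginx.ingress.kubernetes.io/force-ssl-redirect": "true",
    "nginx.ingress.kubernetes.io/ssl-redirect": "false"
  }},
  "spec": {"tls": [
    {"hosts": ["hostX"]},
    {"hosts": ["hostY"], "secretName": "hostY-secret-tls"}
  ]}
}
""")


def lint_ingress(manifest):
    """Return a list of (code, detail) findings for one Ingress manifest."""
    findings = []
    ann = manifest.get("metadata", {}).get("annotations") or {}
    for key, value in ann.items():
        if not isinstance(value, str):  # annotation values must be strings
            findings.append(("non-string-value", key))
        # Looks like a controller annotation but the prefix is not exact.
        if ".ingress.kubernetes.io/" in key and not key.startswith(PREFIX):
            findings.append(("unknown-prefix", key))
    if (ann.get(PREFIX + "force-ssl-redirect") == "true"
            and ann.get(PREFIX + "ssl-redirect") == "false"):
        findings.append(("mixed-redirect-flags", "force-ssl-redirect/ssl-redirect"))
    for entry in manifest.get("spec", {}).get("tls") or []:
        if not entry.get("secretName"):  # default certificate would be served
            for host in entry.get("hosts") or []:
                findings.append(("tls-without-secret", host))
    return findings


if __name__ == "__main__":
    for code, detail in lint_ingress(SAMPLE):
        print(f"{code}: {detail}")
```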