From ba3b5609b849fe03705dda428ef486c7fbbf359a Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Tue, 2 Jan 2018 14:01:36 -0300
Subject: [PATCH] Fix SSL Passthrough template issue and custom ports in redirect to HTTPS

---
 internal/ingress/controller/controller.go | 9 +++++++--
 internal/ingress/controller/nginx.go | 6 ++----
 rootfs/etc/nginx/template/nginx.tmpl | 11 ++++++-----
 3 files changed, 15 insertions(+), 11 deletions(-)

diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
index 002aaa0340..2a9817d2cd 100644
--- a/internal/ingress/controller/controller.go
+++ b/internal/ingress/controller/controller.go
@@ -476,6 +476,7 @@ func (n *NGINXController) getBackendServers(ingresses []*extensions.Ingress) ([]
 loc.Whitelist = anns.Whitelist
 loc.Denied = anns.Denied
 loc.XForwardedPrefix = anns.XForwardedPrefix
+ loc.UsePortInRedirects = anns.UsePortInRedirects
 
 if loc.Redirect.FromToWWW {
 server.RedirectFromToWWW = true
@@ -507,6 +508,7 @@ func (n *NGINXController) getBackendServers(ingresses []*extensions.Ingress) ([]
 Whitelist: anns.Whitelist,
 Denied: anns.Denied,
 XForwardedPrefix: anns.XForwardedPrefix,
+ UsePortInRedirects: anns.UsePortInRedirects,
 }
 
 if loc.Redirect.FromToWWW {
@@ -1219,9 +1221,12 @@ func (n *NGINXController) SetForceReload(shouldReload bool) {
 }
 
 func (n *NGINXController) extractAnnotations(ing *extensions.Ingress) {
+ glog.V(3).Infof("updating annotations information for ingress %v/%v", ing.Namespace, ing.Name)
 anns := n.annotations.Extract(ing)
- glog.V(3).Infof("updating annotations information for ingress %v/%v", anns.Namespace, anns.Name)
- n.listers.IngressAnnotation.Update(anns)
+ err := n.listers.IngressAnnotation.Update(anns)
+ if err != nil {
+ glog.Errorf("unexpected error updating annotations information for ingress %v/%v: %v", anns.Namespace, anns.Name, err)
+ }
 }
 
 // getByIngress returns the parsed annotations from an Ingress
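Review bot: The error branch added to extractAnnotations formats anns.Namespace/anns.Name while the info line just above it was deliberately switched to ing.Namespace/ing.Name; the two should agree, and taking both from the Ingress object, `glog.Errorf("unexpected error updating annotations information for ingress %v/%v: %v", ing.Namespace, ing.Name, err)`, also keeps the error path from depending on what Extract returned. A failed Update is logged and then dropped, so whatever the lister previously held for this Ingress (whitelist and denied settings included) presumably stays in effect until the next sync; if that is intended, a comment saying so would help, otherwise consider returning the error so the caller can requeue. The first two hunks copy UsePortInRedirects in two parallel field-assignment paths that must be kept in sync by hand, which is worth a short comment at each site.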
diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go
index b7fe955161..1a8a06bc27 100644
--- a/internal/ingress/controller/nginx.go
+++ b/internal/ingress/controller/nginx.go
@@ -234,8 +234,6 @@ type NGINXController struct {
 // returns true if proxy protocol es enabled
 IsProxyProtocolEnabled bool
 
- isSSLPassthroughEnabled bool
-
 isShuttingDown bool
 
 Proxy *TCPProxy
@@ -490,7 +488,7 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error {
 })
 }
 
- if n.isSSLPassthroughEnabled {
+ if n.cfg.EnableSSLPassthrough {
 n.Proxy.ServerList = servers
 }
 
@@ -636,7 +634,7 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error {
 Cfg: cfg,
 IsIPV6Enabled: n.isIPV6Enabled && !cfg.DisableIpv6,
 RedirectServers: redirectServers,
- IsSSLPassthroughEnabled: n.isSSLPassthroughEnabled,
+ IsSSLPassthroughEnabled: n.cfg.EnableSSLPassthrough,
 ListenPorts: n.cfg.ListenPorts,
 PublishService: n.GetPublishService(),
 }
diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
index 1b37f0d9e7..144d3e92be 100644
--- a/rootfs/etc/nginx/template/nginx.tmpl
+++ b/rootfs/etc/nginx/template/nginx.tmpl
@@ -214,7 +214,7 @@ http {
 }
 {{ else }}
 map $pass_server_port $pass_port {
- 443 443;
+ {{ $all.ListenPorts.HTTPS }} 443;
 default $pass_server_port;
 }
 {{ end }}
@@ -678,6 +678,8 @@ stream {
 {{ end }}
 
 location {{ $path }} {
+ port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
+
 {{ if $all.Cfg.EnableVtsStatus }}{{ if $location.VtsFilterKey }} vhost_traffic_status_filter_by_set_key {{ $location.VtsFilterKey }};{{ end }}{{ end }}
 
 set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $all.Backends $location }}";
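Review bot: Removing the isSSLPassthroughEnabled field with no matching change to an assignment site suggests it was never set anywhere in this package, which would mean the template's IsSSLPassthroughEnabled was always false and the TCP proxy's ServerList was never populated regardless of the flag; a regression test asserting that the template config's IsSSLPassthroughEnabled follows cfg.EnableSSLPassthrough would keep this from recurring. The two reads now go through n.cfg (the hunks at 488 and 634), and nothing in the diff shows n.cfg being checked, so if the controller can be constructed without a config this needs a guard. The enclosing OnUpdate function starts and ends outside the hunk.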
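Review bot: Mapping `{{ $all.ListenPorts.HTTPS }} 443;` hardcodes the assumption that an HTTPS listener on a non-standard port is always fronted by something on 443; if $pass_port is what ends up in X-Forwarded-Port (the name suggests so, but the consumer is outside the hunk), backends will be told 443 even when clients reached the custom port directly. A template comment stating that assumption would make it explicit, e.g. `# a custom HTTPS listen port is reported as 443, assuming an external load balancer exposes 443`. When ListenPorts.HTTPS is 443 the entry collapses to the old `443 443;`, so the default deployment is unchanged.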
@@ -688,11 +690,12 @@ stream {
 set $ingress_name "{{ $ing.Rule }}";
 set $service_name "{{ $ing.Service }}";
 
+ {{/* redirect to HTTPS can be achieved forcing the redirect or having a SSL Certificate configured for the server */}}
 {{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }}
 # enforce ssl on server side
 if ($redirect_to_https) {
- {{ if ne $all.ListenPorts.HTTPS 443 }}
- {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
+ {{ if $location.UsePortInRedirects }}
+ {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
 return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host{{ $redirect_port }}$request_uri;
 {{ else }}
 return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host$request_uri;
@@ -716,8 +719,6 @@ stream {
 }
 {{ end }}
 
- port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
-
 {{ if not (empty $authPath) }}
 # this location requires authentication
 auth_request {{ $authPath }};
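Review bot: With the guard changed to `{{ if $location.UsePortInRedirects }}`, an ingress that enables the annotation on a listener already on 443 now redirects to `https://host:443/...`, which is valid but differs from the pre-change output; if that is unintended, combining the old and new conditions, `{{ if (and $location.UsePortInRedirects (ne $all.ListenPorts.HTTPS 443)) }}`, keeps the previous behavior for the default port. Conversely, an ingress on a custom HTTPS port without the annotation now gets the port-less redirect, so the annotation's documentation should state that it governs the HTTPS redirect target as well as nginx's port_in_redirect. The location block continues outside the hunk.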