308 redirect loop when setting "force-ssl-redirect" to "true" #1957
Comments
Also happening with;
|
The same thing happens to me with config
on version 0.10.0 |
Also seeing this problem. I believe it was introduced in this PR https://github.com/kubernetes/ingress-nginx/pull/1854/files We have ELBs in front of our ingress which terminate the TLS connection and connect to the ingress controllers over I believe this to be a perfectly valid setup and I believe the intention of this change was to stop the case where an upstream load balancer was receiving an If the upstream proto is @aledbf Would you mind confirming my suspicions of the intention? |
@danielfm @JoelSpeed please use |
@aledbf Can I ask what you've changed? |
@aledbf this image fixed the issue for me. |
@JoelSpeed you are right, that PR checks the variables $scheme and $pass_access_scheme
|
@aledbf I think lines two and three of that table should be swapped. If Similarly if |
@aledbf |
Please keep in mind we cannot differentiate a connection from a client or a load balancer. With that in mind if you make a request to NGINX using https we should not redirect (again) to https. |
I don't think I follow here. If a client connects directly to the ingress controller, then the ingress-nginx/rootfs/etc/nginx/template/nginx.tmpl Lines 197 to 200 in 3bc2c68
The only case when you would get a If that isn't the case could you quickly explain a scenario where you'd get |
The load balancer uses HTTPS to connect to NGINX or a client sends the X-Forwarded-Proto header |
That's what I was suggesting, sorry, I didn't make that too clear
Ends up with
|
What's the difference handling a connection between a load balancer and direct client? |
@JoelSpeed just to be clear, I think you are right and the table should be
but this issue has already bitten me too many times. |
Please test quay.io/aledbf/nginx-ingress-controller:0.319. It contains ^^ |
I'm getting Image pull failures, looks like that image didn't push to quay |
The quay.io/aledbf/nginx-ingress-controller:0.318 image also fixed a problem I was having where: nginx.ingress.kubernetes.io/ssl-passthrough: "true" was being ignored. |
Please try again |
Works for me 👍 |
@JoelSpeed are you ok with the change in the redirect map? |
Yeah, I think this is a good solution |
Hi, just had a similar problem ... trying to configure a catch all ingress like this:
I'm trying to reach the service via plain HTTP and there should be NO redirect, but:
I don't understand why I get a redirect if I'm connecting via HTTP ... if I set x-forwarded-for to https the request is plain http and I get an answer from my service. Is there anything else I have to configure? |
Based on https://github.com/kubernetes/ingress-nginx/blob/master/docs/examples/rewrite/README.md |
It appears that this may be an issue again. I am using kubernetes on AWS and this is what my ingress looks like:
I am terminating TLS at the load balancer and I was getting the infinite redirect loop when I turned on
Look for:
The newest version right now is 0.22.0:
and I changed it to:
It appears that this was fixed in the previous version, and then some new changes broke it again. |
@trueinviso , in my case – also using the controller behind an AWS ELB – the infinite redirect loop was caused by a (documented) breaking change introduced in v0.22.0 regarding forwarded headers. Setting |
@bfin Thanks! That fixes it. I'm not sure I would have been able to figure that out on my own haha. |
Thanks @bfin ! works for me on 0.22.0 behind an AWS ELB |
Thanks @bfin this fixed our issues as well |
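An added example, not part of the thread and not ingress-nginx's template code: a simplified Python model of the redirect decision behind a TLS-terminating load balancer, showing why ignoring X-Forwarded-Proto produces the 308 loop and why trusting it is only appropriate when clients cannot reach the controller directly. The function names, the host `app.example.test` and the decision rule are assumptions; `use_forwarded_headers` mirrors the `use-forwarded-headers` ConfigMap key that appears on this page.

```python
# Simplified model (assumption) of the redirect decision discussed in this thread.
# It is not the logic from ingress-nginx's nginx.tmpl.

def effective_scheme(conn_scheme, headers, use_forwarded_headers):
    """Scheme the controller believes the client used."""
    xfp = headers.get("X-Forwarded-Proto")
    if use_forwarded_headers and xfp in ("http", "https"):
        return xfp          # trust what the proxy in front reports
    return conn_scheme      # only look at the hop that reached nginx

def nginx_response(conn_scheme, headers, force_ssl_redirect, use_forwarded_headers):
    """Return (status, location) for one request reaching the controller."""
    scheme = effective_scheme(conn_scheme, headers, use_forwarded_headers)
    if force_ssl_redirect and scheme != "https":
        return 308, "https://" + headers["Host"] + "/"
    return 200, None

def via_tls_terminating_lb(client_scheme, host):
    """An ELB-style balancer: terminates TLS, forwards plain HTTP plus the header."""
    return "http", {"Host": host, "X-Forwarded-Proto": client_scheme}

def follow(client_scheme, use_forwarded_headers, max_hops=5):
    """Follow redirects as a browser would; return the status code of each hop."""
    statuses = []
    for _ in range(max_hops):
        conn_scheme, headers = via_tls_terminating_lb(client_scheme, "app.example.test")
        status, location = nginx_response(conn_scheme, headers, True, use_forwarded_headers)
        statuses.append(status)
        if status != 308:
            break
        client_scheme = location.split("://", 1)[0]
    return statuses

if __name__ == "__main__":
    # Header ignored: every hop arrives over HTTP from the balancer, so it loops.
    print("ignored:", follow("https", use_forwarded_headers=False))
    # Header trusted: one redirect for an HTTP client, none for an HTTPS client.
    print("trusted:", follow("http", use_forwarded_headers=True))
    # Trade-off: a request that reaches the controller directly over HTTP with a
    # forged header is treated as HTTPS, so the flag belongs only behind a proxy.
    forged = {"Host": "app.example.test", "X-Forwarded-Proto": "https"}
    print("direct, forged header:", nginx_response("http", forged, True, True))
```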
Tried the above |
I had the same problem and fixed with |
It would seem that when using:
I do not get X-forwarded-for headers even when I have Does anyone know how to get the X-Forwarded-For headers to propagate over the http to https redirect? |
Traffic Flow
ConfigMap
apiVersion: v1
data:
  allow-snippet-annotations: "false"
  use-forwarded-headers: "true"
kind: ConfigMap
metadata:
  annotations:
    meta.helm.sh/release-name: ingress-nginx
    meta.helm.sh/release-namespace: ingress-nginx
  labels:
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: ingress-nginx
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
    app.kubernetes.io/version: 1.10.0
    helm.sh/chart: ingress-nginx-4.10.0
  name: ingress-nginx-controller
  namespace: ingress-nginx
|
Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.): No
What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): force ssl redirect loop 308
Is this a BUG REPORT or FEATURE REQUEST? (choose one): Bug report
NGINX Ingress controller version: 0.10.0
Kubernetes version (use kubectl version): v1.8.5
Environment:
(uname -a): 4.14.11-coreos
What happened:
The force-ssl-redirect flag seems not to be working anymore.
What you expected to happen:
This is what happened before I updated the nginx ingress controller (this is from version 0.9.0-beta.19):
This is what happens in 0.10.0: