nginx: HTTP->HTTPS redirect does not work #277

Closed
neelance opened this issue Feb 14, 2017 · 28 comments

@neelance

https://github.com/kubernetes/ingress/tree/master/controllers/nginx#server-side-https-enforcement says that the HTTP->HTTPS redirect should be enabled by default if a TLS config is given for the Ingress.

For some reason that does not work for me. I am out of ideas why this might be the case. Any suggestions?

@neelance
Author

To be precise: The backend is served via both HTTP and HTTPS.

@od0

od0 commented Feb 15, 2017

Having the same issue. Using kube-lego for certs. kubernetes.io/ingress.allow-http: "false" and ingress.kubernetes.io/ssl-redirect: "true" seem to have no effect.

@od0

od0 commented Feb 15, 2017

It looks like there is also a check for server.SSLCertificate - would it work to create a dummy cert to enable the redirects?

@aledbf
Member

aledbf commented Feb 15, 2017

@neelance this is fixed in master. We will release a new beta on the weekend

@aledbf
Member

aledbf commented Feb 15, 2017

@od0 kubernetes.io/ingress.allow-http is an annotation for the GCE ingress controller, not the nginx ingress controller

@od0

od0 commented Feb 15, 2017

@aledbf thanks, didn't mean to confuse this issue :) should I open a separate one for ingress.kubernetes.io/ssl-redirect: "true" not appearing to work?

@aledbf
Member

aledbf commented Feb 15, 2017

@od0 please wait for the next release

@od0

od0 commented Feb 15, 2017

@aledbf sounds good thank you

@DanHoerst

Also having this same issue with ingress.kubernetes.io/ssl-redirect: "true" not working. Was there a beta release this weekend that we can try?

@aledbf
Member

aledbf commented Feb 19, 2017

@DanHoerst waiting for bprashanth to publish #303

@aledbf
Member

aledbf commented Feb 20, 2017

Please reopen if you still have issues.
Fix included in next release #303

aledbf closed this as completed Feb 20, 2017

@lucklove

@aledbf Sorry, but this issue comes up again with beta.3, so I rolled back to beta.2 and it works well. Maybe this issue should be reopened.

@wstrange

wstrange commented Apr 11, 2017

I believe I am also seeing this issue with beta.3 - (although, it is possibly a config error on my part).

I have an ingress like so:

  tls:
  - secretName: tls-secret
  rules:
  - host: foo.example.com
    http:
      paths:
      - path: /
        backend:
        .....

The nginx.conf file has a server entry for foo.example.com, but listening on port 80, not on 443.

If I make an ssl request I get just the default backend response - it does not match against my tls service.

I also tried this variant of the ingress:

  tls:
  - hosts:
    - foo.example.com
    secretName: tls-secret
  rules:
  - host:  foo.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: {{ template "fullname" . }}
          servicePort: {{ .Values.service.externalPort }}

Same result

@wstrange

Relevant: https://groups.google.com/forum/#!topic/kubernetes-users/QbxYX5jR7qg

I also tried this on beta.2 - but got the same behavior.

The nginx.conf file that is written clearly does not have a listener on 443 for the host named in the ingress.

@aledbf Can we get this issue reopened, or if it is not a bug some troubleshooting hints on how to track this down?

aledbf reopened this Apr 15, 2017

@aledbf
Member

aledbf commented Apr 15, 2017

@wstrange please post the ingress rule to reproduce the issue

@wstrange

Here is an example:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: openig-ingress
  annotations:
     ingress.kubernetes.io/ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - openig.default.example.com
    secretName: tls-secret
  rules:
  - host: openig.default.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: openig-openig
          servicePort: 80

This is on minikube, using gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.3

@aledbf
Member

aledbf commented Apr 16, 2017

@wstrange please use the image quay.io/aledbf/nginx-ingress-controller:0.89

aledbf@me:~/go/src/k8s.io/ingress$ kubectl exec -it -n kube-system nginx-ingress-controller-3199894280-z42tq -- curl -v -H "Host: openig.default.example.com" localhost:80
* Rebuilt URL to: localhost:80/
*   Trying ::1...
* Connected to localhost (::1) port 80 (#0)
> GET / HTTP/1.1
> Host: openig.default.example.com
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.11.12
< Date: Sun, 16 Apr 2017 18:31:24 GMT
< Content-Type: text/html
< Content-Length: 186
< Connection: keep-alive
< Location: https://openig.default.example.com/
< Strict-Transport-Security: max-age=15724800; includeSubDomains; 
< 
<html>
<head><title>301 Moved Permanently</title></head>
<body bgcolor="white">
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.11.12</center>
</body>
</html>
* Connection #0 to host localhost left intact
aledbf@me:~/go/src/k8s.io/ingress$ !2032
kubectl exec -it -n kube-system nginx-ingress-controller-3199894280-z42tq -- curl -v -H "Host: openig.default.example.com" https://localhost:443 -k
* Rebuilt URL to: https://localhost:443/
*   Trying ::1...
* Connected to localhost (::1) port 443 (#0)
* found 173 certificates in /etc/ssl/certs/ca-certificates.crt
* found 692 certificates in /etc/ssl/certs
* ALPN, offering http/1.1
* SSL connection using TLS1.2 / ECDHE_RSA_AES_128_GCM_SHA256
* 	 server certificate verification SKIPPED
* 	 server certificate status verification SKIPPED
* 	 common name: Kubernetes Ingress Controller Fake Certificate (does not match 'localhost')
* 	 server certificate expiration date OK
* 	 server certificate activation date OK
* 	 certificate public key: RSA
* 	 certificate version: #3
* 	 subject: O=Acme Co,CN=Kubernetes Ingress Controller Fake Certificate
* 	 start date: Sun, 16 Apr 2017 18:19:35 GMT
* 	 expire date: Mon, 16 Apr 2018 18:19:35 GMT
* 	 issuer: O=Acme Co,CN=Kubernetes Ingress Controller Fake Certificate
* 	 compression: NULL
* ALPN, server accepted to use http/1.1
> GET / HTTP/1.1
> Host: openig.default.example.com
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.11.12
< Date: Sun, 16 Apr 2017 18:31:29 GMT
< Content-Type: text/plain
< Transfer-Encoding: chunked
< Connection: keep-alive
< Strict-Transport-Security: max-age=15724800; includeSubDomains; 
< 
CLIENT VALUES:
client_address=172.17.0.6
command=GET
real path=/
query=nil
request_version=1.1
request_uri=http://openig.default.example.com:8080/

SERVER VALUES:
server_version=nginx: 1.10.0 - lua: 10001

HEADERS RECEIVED:
accept=*/*
connection=close
host=openig.default.example.com
user-agent=curl/7.47.0
x-forwarded-for=::1
x-forwarded-host=openig.default.example.com
x-forwarded-port=443
x-forwarded-proto=https
x-original-uri=/
x-real-ip=::1
x-scheme=https
BODY:
* Connection #0 to host localhost left intact
-no body in request-

changing the annotation to false ingress.kubernetes.io/ssl-redirect: "false"

aledbf@me:~/go/src/k8s.io/ingress$ kubectl exec -it -n kube-system nginx-ingress-controller-3199894280-z42tq -- curl -v -H "Host: openig.default.example.com" localhost:80
* Rebuilt URL to: localhost:80/
*   Trying ::1...
* Connected to localhost (::1) port 80 (#0)
> GET / HTTP/1.1
> Host: openig.default.example.com
> User-Agent: curl/7.47.0
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: nginx/1.11.12
< Date: Sun, 16 Apr 2017 18:33:11 GMT
< Content-Type: text/plain
< Transfer-Encoding: chunked
< Connection: keep-alive
< Strict-Transport-Security: max-age=15724800; includeSubDomains; 
< 
CLIENT VALUES:
client_address=172.17.0.6
command=GET
real path=/
query=nil
request_version=1.1
request_uri=http://openig.default.example.com:8080/

SERVER VALUES:
server_version=nginx: 1.10.0 - lua: 10001

HEADERS RECEIVED:
accept=*/*
connection=close
host=openig.default.example.com
user-agent=curl/7.47.0
x-forwarded-for=::1
x-forwarded-host=openig.default.example.com
x-forwarded-port=80
x-forwarded-proto=http
x-original-uri=/
x-real-ip=::1
x-scheme=http
BODY:
* Connection #0 to host localhost left intact
-no body in request-a

@wstrange

@aledbf That image worked!

Thanks

@aledbf
Member

aledbf commented Apr 18, 2017

@wstrange can we close this issue then?

@gabarmas

Had the same issue and that image worked for me as well, thanks!
I assume the fix will be included in the next 0.9 release (beta4?).

@wstrange

@aledbf I'm OK with closing

aledbf closed this as completed Apr 18, 2017

@aledbf
Member

aledbf commented Apr 18, 2017

> I assume the fix will be included in the next 0.9 release (beta4?).

yes

@lvicentesanchez

I am having this same issue on beta6

@lvicentesanchez

Never mind... I have the same issue even if I switch containers so... it has to be something related to my config.

@tuannvm

tuannvm commented Aug 21, 2017

ingress.kubernetes.io/force-ssl-redirect: "true" works for me.

@1ambda

1ambda commented Oct 31, 2017

ingress.kubernetes.io/force-ssl-redirect: "true" works for me too.

  • cluster version: 1.7.4
  • nginx ingress controller: 0.9.0-beta.15 installed via helm chart

@macropin

If you're wondering why this broke again after 0.9.0-beta.18, then you'll need to update your annotations to nginx.ingress.kubernetes.io/force-ssl-redirect: "true".

Also note that the redirect changed from a 301 to a 308 permanent redirect!
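
The manual curl check shown earlier in this thread, together with the 301/308 status change noted above, written as a reusable check. This is an added example, not part of the thread or the ingress project's code; the function name `check_redirect` and the sample responses are constructed for illustration.

```shell
#!/bin/sh
# check_redirect HOST  (reads an HTTP response header block on stdin)
# Accepts plain headers (curl -sI) or curl -v output with "< " prefixes.
# Succeeds only if the first status is 301 or 308 AND Location is https://HOST.
check_redirect() {
    host=$1
    tr -d '\r' | sed 's/^< //' | awk -v host="$host" '
        /^HTTP\// && !status       { status = $2 }   # first status line only
        tolower($1) == "location:" { loc = $2 }
        END {
            if (status != 301 && status != 308) {
                print "FAIL status=" status; exit 1
            }
            want = "https://" host
            if (index(loc, want "/") != 1 && loc != want) {
                print "FAIL location=" loc; exit 1
            }
            print "OK " status " " loc
        }'
}

# Constructed samples modelled on the responses posted in this thread.
sample_301='< HTTP/1.1 301 Moved Permanently
< Server: nginx/1.11.12
< Location: https://openig.default.example.com/'

sample_308='HTTP/1.1 308 Permanent Redirect
Location: https://openig.default.example.com/'

# Redirect disabled or not rendered: port 80 serves the backend directly.
sample_200='< HTTP/1.1 200 OK
< Server: nginx/1.11.12
< Content-Type: text/plain'

# A redirect that stays on plain HTTP does not enforce TLS.
sample_http='HTTP/1.1 301 Moved Permanently
Location: http://openig.default.example.com/'

printf '%s\n' "$sample_301" | check_redirect openig.default.example.com
```

Against a live controller, pipe the real response in instead: `curl -sI -H "Host: openig.default.example.com" localhost:80 | check_redirect openig.default.example.com`.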

@artem-kosenko

artem-kosenko commented Nov 28, 2019

nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

redirect works but the website does not work at all.

ingress.kubernetes.io/ssl-redirect: "true"

and/or

ingress.kubernetes.io/force-ssl-redirect: "true"

has no effect until adding the block with tls:

spec:
  tls:
  - hosts:
    - openig.default.example.com
    secretName: tls-secret

but with this block the website goes down again

and I've already assigned the SSL cert with

service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:...
