0
votes

I would like to redirect HTTP calls to HTTPS, but I can't get it to work. I have searched and tried different solutions here on StackOverflow and on some other blogs without getting the redirection to work. Currently both HTTP and HTTPS return a value. Commented out in the code below, you can see one of the solutions I have tried: changing the HTTP targetPort to 8080 and setting up nginx-config.yaml to listen on 8080 and return 301 https://$host$request_uri;

Nginx image: nginx/nginx-ingress:1.7.0. Installation with manifests (https://docs.nginx.com/nginx-ingress-controller/installation/installation-with-manifests/)

Deployment

apiVersion: apps/v1
kind: Deployment
metadata:
  name: nginx-ingress
  namespace: nginx-ingress
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nginx-ingress
  template:
    metadata:
      labels:
        app: nginx-ingress
      # annotations:
        #prometheus.io/scrape: "true"
        #prometheus.io/port: "9113"
    spec:
      serviceAccountName: nginx-ingress
      containers:
      - image: nginx/nginx-ingress:1.7.0
        name: nginx-ingress
        ports:
        - name: http
          containerPort: 80
        - name: https
          containerPort: 443
       #- name: prometheus
         #containerPort: 9113
        securityContext:
          allowPrivilegeEscalation: true
          runAsUser: 101 #nginx
          capabilities:
            drop:
            - ALL
            add:
            - NET_BIND_SERVICE
        env:
        - name: POD_NAMESPACE
          valueFrom:
            fieldRef:
              fieldPath: metadata.namespace
        - name: POD_NAME
          valueFrom:
            fieldRef:
              fieldPath: metadata.name
        args:
          - -nginx-configmaps=$(POD_NAMESPACE)/nginx-config
          - -default-server-tls-secret=$(POD_NAMESPACE)/default-server-secret
         #- -v=3 # Enables extensive logging. Useful for troubleshooting.
         #- -report-ingress-status
         #- -external-service=nginx-ingress
         #- -enable-leader-election
         #- -enable-prometheus-metrics
         #- -global-configuration=$(POD_NAMESPACE)/nginx-configuration

Service

apiVersion: v1
kind: Service
metadata:
  name: nginx-ingress
  namespace: nginx-ingress
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:xxxxxxxxxxxxxxxxx"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
spec:
  type: LoadBalancer
  ports:
  - port: 80
    targetPort: 80
    # targetPort: 8080
    protocol: TCP
    name: http
  - port: 443
    targetPort: 80
    protocol: TCP
    name: https
  selector:
    app: nginx-ingress

ConfigMap

kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
  namespace: nginx-ingress
data:
  proxy-protocol: "True"
  real-ip-header: "proxy_protocol"
  set-real-ip-from: "0.0.0.0/0"


# kind: ConfigMap
# apiVersion: v1
# metadata:
#   name: nginx-config
#   namespace: nginx-ingress
# data:
#   proxy-protocol: "True"
#   real-ip-header: "proxy_protocol"
#   set-real-ip-from: "0.0.0.0/0"
#   force-ssl-redirect: "false"
#   use-forwarded-headers: "true"
#   http-snippet: |
#     server {
#       listen 8080 proxy_protocol;
#       server_tokens off;
#       return 301 https://$host$request_uri;
#     }
1
As @hoque mentioned, did you create any ingress? Could you add it to your answer? Take a look at the SSL example at this GitHub example. (Jakub)

1 Answer

0
votes

Add the following annotation on your ingress to set an unconditional 301 redirect rule for all incoming HTTP traffic, forcing incoming traffic over HTTPS.

ingress.kubernetes.io/ssl-redirect: "true"
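
An added example, not part of the original answer: a check that a plain-HTTP request really gets a permanent redirect equivalent to `return 301 https://$host$request_uri;`, which is the behaviour the question is trying to reach. The function names and the sample host `app.example.com` are hypothetical.

```python
"""Added example: verify that plain-HTTP requests are redirected to HTTPS."""
import http.client
import sys
from urllib.parse import urlsplit


def check_redirect(host, path, status, location):
    """Return a list of problems with a response that should behave like
    `return 301 https://$host$request_uri;` (empty list means it is fine)."""
    # 301 is what the page expects; 308 is also a permanent redirect.
    if status not in (301, 308):
        return [f"status {status}: expected a permanent redirect (301/308)"]
    problems = []
    target = urlsplit(location or "")
    if target.scheme != "https":
        problems.append(f"Location scheme is {target.scheme!r}, not 'https'")
    if (target.hostname or "").lower() != host.lower():
        problems.append(f"Location host {target.hostname!r} differs from {host!r}")
    # Rebuild the request URI (path plus query) from the Location header.
    request_uri = (target.path or "/") + ("?" + target.query if target.query else "")
    if request_uri != path:
        problems.append(f"request URI changed: {request_uri!r} != {path!r}")
    return problems


def probe(host, path="/", port=80, timeout=5):
    """Send one plain-HTTP GET (http.client never follows redirects)
    and evaluate the response with check_redirect()."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        return check_redirect(host, path, resp.status, resp.getheader("Location"))
    finally:
        conn.close()


if __name__ == "__main__":
    # Usage: python check_redirect.py <hostname> [path]
    issues = probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "/")
    print("\n".join(issues) or "OK: HTTP is redirected to HTTPS")
    sys.exit(1 if issues else 0)
```

A `status 200` result on port 80 reproduces the situation described in the question, where both HTTP and HTTPS return content.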