user2581751

Reputation: 71

Ingress and SSL Passthrough

I have recently been using the nginxdemo/nginx-ingress controller.

As I understand it, this controller cannot do SSL Passthrough (by that I mean pass the client certificate all the way through to the backend service for authentication), so instead I have been passing the client's subject DN through a header.

Ultimately I would prefer SSL-Passthrough and have been looking at the kubernetes/ingress-nginx project which apparently supports SSL passthrough.

Does anyone have any experience with this controller and SSL Passthrough?

The few Ingress examples showing passthrough that I have found leave the path setting blank.

Is this because passthrough has to take place at the TCP level (4) rather than at HTTP (7)?

Right now, I have a single host rule that services multiple paths.

Upvotes: 6

Views: 11631

Answers (3)

David Louda

Reputation: 13

Try adding the following annotation (possibly on top of the others suggested here):

nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

Upvotes: 1

Javier PR

Reputation: 645

Completing lch's answer, I would like to add that I had the same problem recently and I sorted it out by modifying the ingress-service deployment (I know, it should be a DaemonSet but that's a different story).

The change was adding the parameter to spec.containers.args:

  --enable-ssl-passthrough

Then I've added the following annotations to my ingress:

kubernetes.io/ingress.allow-http: "false"
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"

The important ones are secure-backends and ssl-passthrough, but I think the rest are a good idea, provided you're not expecting HTTP traffic there.

Upvotes: 4

Ich

Reputation: 1378

SSH-Passthrough is working fine for me. Here is the Official Documentation

And here is an example usage:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-service-ingress
  namespace: my-service
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/secure-backends: "true"
spec:
  rules:
    - host: my.example.com
      http:
        paths:
          - backend:
              serviceName: my-service

Upvotes: 1
