Is it safe to have an internal ClusterIp backend service using HTTP behind an Ngynx Ingress controller accessible via HTTPS?

Question

I have a Service configured to be accessible via HTTP.

kind: Service
apiVersion: v1
metadata:
  name: myservice
spec:
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: 8080
  type: ClusterIP

And an Ngynx Ingress configured to make that internal service accessible from a specific secure subdomain.domain

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: myservice-ingress
  selfLink: /apis/extensions/v1beta1/namespaces/default/ingresses/myservice-ingress
  annotations:
    certmanager.k8s.io/issuer: letsencrypt-prod
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: HTTP
spec:
  tls:
    - hosts:
        - myservice.mydomain.com
      secretName: myservice-ingress-secret-tls
  rules:
    - host: myservice.mydomain.com
      http:
        paths:
          - path: /
            backend:
              serviceName: myservice
              servicePort: 80
status:
  loadBalancer:
    ingress:
      - {}

So when I reach https://myservice.mydomain.com I can access to my service through HTTPS. Is it safe enough or should I configure my service and pods to communicate only through HTTPS?

Answer 1

It's expected behaviour since you've set TLS in your Ingress.

Note that by default the controller redirects (308) to HTTPS if TLS is enabled for that ingress. If you want to disable this behavior globally, you can use ssl-redirect: "false" in the NGINX ConfigMap.

To configure this feature for specific ingress resources, you can use the nginx.ingress.kubernetes.io/ssl-redirect: "false" annotation in the particular resource.

About your question: "Is it safe enough.." - it's opinion based question, so I can answer to use better HTTPS, rather than HTTP, but it's just my opinion. You can always find the difference between HTTP and HTTPS