Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

HTTP -> HTTPS on ELB failing #6456

Closed
kristof-mattei opened this issue Nov 10, 2020 · 5 comments
Closed

HTTP -> HTTPS on ELB failing #6456

kristof-mattei opened this issue Nov 10, 2020 · 5 comments
Labels
kind/support Categorizes issue or PR as a support question.

Comments

@kristof-mattei
Copy link

kristof-mattei commented Nov 10, 2020
edited
Loading

For the last week I've been working on trying to get HTTP -> HTTPS redirection to work with ELB and TLS termination.

I found countless of documents and tried all of the different settings, but either I get a 504 GATEWAY timeout, where stuff is broken, or a TOO MANY REDIRECTS.

My template for this change is:

#2724 (comment)

My setup looks as follows:

controller:
  config:
    proxy-buffer-size: 16k
    use-forwarded-headers: "true"
    hsts: "true"

  service:
    enabled: true

    annotations:
      service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval: "60"
      service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true"
      service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: ...
      service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix: ...
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
      service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled: "true"
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ...
      service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-2-2017-01
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"

    ports:
      http: 80
      https: 443

    targetPorts:
      http: http
      https: http

Adding nginx.ingress.kubernetes.io/force-ssl-redirect: "true" to an ingress or not doesn't change what gets emitted in the /etc/nginx/nginx.conf.

Irrespective of that last annotation the following gets generated:

				lua_ingress.rewrite({
					force_ssl_redirect = true,
					ssl_redirect = true,
					force_no_ssl_redirect = false,
					use_port_in_redirects = false,
				})

I also tried enabling the PROXY protocol instead of the forwarded headers, and then adding the force-ssl-redirect setting, but that results in an endless redirect.

While I could try and do the port-hack, I wonder what it is that I am missing here to get the same result?
@kristof-mattei kristof-mattei added the kind/support Categorizes issue or PR as a support question. label Nov 10, 2020
@k8s-ci-robot
Copy link
Contributor

@kristof-mattei: The label(s) triage/support cannot be applied, because the repository doesn't have them

In response to this:

For the last week I've been working on trying to get HTTP -> HTTPS redirection to work with ELB and TLS termination.

I found countless of documents and tried all of the different settings, but either I get a 504 GATEWAY timeout, where stuff is broken, or a TOO MANY REDIRECTS.

My template for this change is:

#2724 (comment)

My setup looks as follows:

controller:
 config:
   proxy-buffer-size: 16k
   use-forwarded-headers: "true"
   hsts: "true"

 service:
   enabled: true

   annotations:
     service.beta.kubernetes.io/aws-load-balancer-access-log-emit-interval: "60"
     service.beta.kubernetes.io/aws-load-balancer-access-log-enabled: "true"
     service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-name: ...
     service.beta.kubernetes.io/aws-load-balancer-access-log-s3-bucket-prefix: ...
     service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "3600"
     service.beta.kubernetes.io/aws-load-balancer-connection-draining-enabled: "true"
     service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
     service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
     service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ...
     service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: ELBSecurityPolicy-TLS-1-2-2017-01
     service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"

   ports:
     http: 80
     https: 443

   targetPorts:
     http: http
     https: http

Adding nginx.ingress.kubernetes.io/force-ssl-redirect: "true" to an ingress or not doesn't change what gets emitted in the /etc/nginx/nginx.conf.

Irrespective of that last annotation the following gets generated:

  			lua_ingress.rewrite({
  				force_ssl_redirect = true,
  				ssl_redirect = true,
  				force_no_ssl_redirect = false,
  				use_port_in_redirects = false,
  			})

I also tried enabling the PROXY protocol instead of the forwarded headers, and then adding the force-ssl-redirect setting, but that results in an endless redirect.

While I could try and do the port-hack, I wonder what it is that I am missing here to get the same result?

/triage support

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@aledbf
Copy link
Member

aledbf commented Nov 10, 2020

Closing. Please check the static manifests
https://github.com/kubernetes/ingress-nginx/blob/master/deploy/static/provider/aws/deploy-tls-termination.yaml#L278-L313
https://github.com/kubernetes/ingress-nginx/blob/master/deploy/static/provider/aws/deploy-tls-termination.yaml#L301-L309

or the script that uses the helm chart to generate such files

https://github.com/kubernetes/ingress-nginx/blob/master/hack/generate-deploy-scripts.sh#L84-L120

The important part here is the http-snippet that generated the redirect server block.

@aledbf aledbf closed this as completed Nov 10, 2020
@aledbf
Copy link
Member

aledbf commented Nov 10, 2020

Please use the #ingress-nginx Kubernetes Slack channel to ask questions like this one. Thanks!

@abdennour
Copy link

actually, it's embarrassing when customers see "http://".
No way to get it fix since 3 years... since it was stable/nginx-ingress chart.

These are my values :

controller:
  config:
    proxy-body-size: 20m
    proxy-connect-timeout: "3000"
    proxy-read-timeout: "6000"
    proxy-send-timeout: "6000"
  priorityClassName: high-priority
  metrics:
    enabled: true
    serviceMonitor:
      additionalLabels:
        release: prom
      enabled: true
      namespace: monitoring
  service:
    targetPorts:
      http: http
      https: http
    annotations:
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:ap-southeast-1:012345678901:certificate/0db6d51f-cbf7-452c-a726-7456eab08894
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '3600'

really, it's embarrassing

@stealthHat
Copy link

I tried to install the ingress nginx helm chart with the values that @aledbf link, but its not working with https

im using EKS 1.9 and ingress nginx chart 0.44.0 and AWS certificate

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/support Categorizes issue or PR as a support question.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
5 participants
@aledbf @kristof-mattei @abdennour @k8s-ci-robot @stealthHat