How to redirect HTTP to HTTPS with Nginx Ingress Controller, AWS NLB and TLS certificate managed by AWS Certificate Manager?
I've tried the following to get HTTP to redirect to HTTPS. I'm not sure where I'm going wrong.

ingress-nginx object:

apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:...
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: http

my-ingress object:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-ingress
  namespace: my-namespace
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/rewrite-target: /
    nginx.ingress.kubernetes.io/secure-backends: "true"
spec:
  tls:
   - hosts:
     - app.example.com
  rules:
  - host: app.example.com
    http:
      paths:
      - path: /
        backend:
          serviceName: my-service
          servicePort: 80

I get a 308 Permanent Redirect on HTTP and HTTPS. I guess this makes sense as the NLB is performing the SSL termination and therefore forwarding HTTP to the Nginx service? I guess I would need to move the SSL termination from the NLB to the Nginx service?

Thanks

Arboriculture answered 22/11, 2019 at 15:19 Comment(3)
For each service you create an NLB, as the service type is LoadBalancer? Suppose you have 10 frontend exposed applications, will you create 10 NLBs? – Hellgrammite
Try this https://mcmap.net/q/1019196/-tls-doesn-39-t-work-with-loadbalancer-backed-service-in-kubernetes for SSL termination. – Algor
Had the same issue with SSL termination at NLB and could solve it using only nginx.ingress.kubernetes.io/ssl-redirect: "true". Erase force-ssl-redirect. – Navicert
R
8

I believe you do need to move the SSL termination to the ingress controller because I am having the same issue and I appear to be in a permanent redirect situation. The traffic comes into the NLB on 443 and is terminated and sends to the backend instances over port 80. The ingress sees the traffic on port 80 and redirects to https:// and thus begins the infinite loop.

Ratify answered 5/12, 2019 at 21:9 Comment(4)
Hi, I am facing the same issue. Could you elaborate on what you meant by moving SSL termination to the ingress controller? How do I do that? – Brady
Is this supported now? aws.amazon.com/blogs/opensource/… It says SSL termination will need to happen at the backend, since SSL termination on NLB for Kubernetes is not yet available. – Heliotherapy
SSL termination does work over k8s using ingress and NLB. – Algor
You can try this answer: https://mcmap.net/q/1019196/-tls-doesn-39-t-work-with-loadbalancer-backed-service-in-kubernetes – Algor
F
1

TL;DR:
There is no need to move SSL termination to the nginx-ingress controller. You can still configure it to handle redirects. If using a Helm installation of Nginx Ingress, add the following configuration to values:

controller:
  service:
    targetPorts:
      http: tohttps
      https: http

Longer version:
There seems to be a difference in how nginx-ingress is installed and why some people face issues like "SSL termination on NLB and getting 400 on Nginx" and this one with redirects.

Nginx repository suggests a couple of ways for deployment:

  • static deployment for AWS - LINK
  • static deployment for AWS with TLS handling on NLB - LINK
  • helm chart - LINK

The AWS with TLS is the one that by default should solve the mentioned issues. It has a different configuration for the Service object in terms of ports to handle offloaded https traffic:

  ports:
  - appProtocol: http
    name: http
    port: 80
    protocol: TCP
    targetPort: tohttps
  - appProtocol: https
    name: https
    port: 443
    protocol: TCP
    targetPort: http

and has an additional configuration for handling https redirects.

  http-snippet: |
    server {
      listen 2443;
      return 308 https://$host$request_uri;
    }

Generic deployment for AWS doesn't have the needed objects, so you need to tune the Service and Nginx config manually.

Fredette answered 15/5, 2023 at 20:22 Comment(0)
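
The manual tuning the last answer describes for the generic AWS deployment, written out as an added example (not part of the original answers or the ingress-nginx project's own manifests). The ConfigMap name and the controller container name are assumptions, the certificate ARN stays elided as on the page, and the third document adds the container port that the named targetPort `tohttps` has to resolve to.

```yaml
# Added example: values marked "assumption" are not from the page.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-type: nlb
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:...  # elided on the page
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
    - name: http
      port: 80
      targetPort: tohttps  # was "http": cleartext clients now reach the redirect-only listener
    - name: https
      port: 443
      targetPort: http     # already decrypted by the NLB, so it goes to the serving listener
---
# ConfigMap read by the controller: a listener on 2443 that only answers with 308.
apiVersion: v1
kind: ConfigMap
metadata:
  name: nginx-configuration  # assumption: must match the controller's --configmap argument
  namespace: ingress-nginx
data:
  http-snippet: |
    server {
      listen 2443;
      return 308 https://$host$request_uri;
    }
---
# Patch fragment for the controller Deployment (kept in its own file, not a full manifest).
# Without a container port named "tohttps" the Service's named targetPort resolves to nothing.
spec:
  template:
    spec:
      containers:
        - name: nginx-ingress-controller  # assumption: use your controller's container name
          ports:
            - name: tohttps
              containerPort: 2443
```

With this layout the redirect lives only on port 2443, so the port-80 listener that receives NLB-decrypted traffic must not redirect as well. A comment on the question reports that removing `force-ssl-redirect` from the Ingress resolved it.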
