Reverse proxy a site with SNI support using kubernetes nginx-ingress

2

6

I am setting up a reverse proxy using kubernetes nginx-ingress, but I don't know how to add nginx parameters to the configuration, specifically: proxy_ssl_server_name. How do I set ingress parameters in yaml configurations?

I already tried using the server-snippet annotation, but it seems like it's not adding the parameter to the nginx.conf file in the cluster pods.

Here is the current code for the reverse proxy:

kind: Service
apiVersion: v1
metadata:
  name: formstack
  namespace: serves
spec:
  type: ExternalName
  externalName: fluidsignal.formstack.com
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: formstack
  namespace: serves
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/upstream-vhost: "fluidsignal.formstack.com"
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - fluidattacks.com
    secretName: fluidattacks-cert
  rules:
  - host: fluidattacks.com
    http:
      paths:
      - backend:
          serviceName: formstack
          servicePort: 443
        path: /forms(.*)

After setting up the proxy, I get a 502 Bad Gateway error from Nginx. After looking at the pods' logs, I see I'm getting the following openssl error: SSL: error:14094410:SSL routines:ssl3_read_bytes:sslv3 alert handshake failure:SSL alert number 40, which is why I want to add the parameter I mentioned before.

Gustave answered 2/10, 2019 at 16:20 Comment(0)
12

I just figured out that I was indeed using the right annotation: nginx.ingress.kubernetes.io/server-snippet, but I needed to add an extra parameter: proxy_ssl_name

Adding the following code fixed the problem:

nginx.ingress.kubernetes.io/server-snippet: |
  proxy_ssl_name fluidsignal.formstack.com;
  proxy_ssl_server_name on;

Everything seems to be working fine now :D

Gustave answered 2/10, 2019 at 20:8 Comment(2)
Thanks a lot for this solution - Hegemony
Even though these directives appear to be supported by annotations (kubernetes.github.io/ingress-nginx/user-guide/…), the snippet is required to use them in this situation. github.com/kubernetes/ingress-nginx/issues/6728 should fix the annotations. - Febrifacient
0

The first answer is almost right but instead of server-snippet the configuration-snippet should be used.

The first one (server-snippet) will add configuration on the entire server level (the whole ingress server) and the last one (configuration-snippet) will be applied inside the nginx location that the current ingress object is related to.

nginx.ingress.kubernetes.io/configuration-snippet: |
  proxy_ssl_name fluidsignal.formstack.com;
  proxy_ssl_server_name on;
Dissentious answered 8/12, 2023 at 12:26 Comment(0)
