How to run a https secured app in kubernetes cluster

Question

I want to run my app inside kubernetes cluster on https and expose it outside the cluster also over https. I created the pod and exposed the port 443. After that I created a ClusterIP service which connects to the pod on port 443 and expose also port 443. Lastly, I created an ingress which connects to the service on port 443. I deployed all of these resources using helm chart on GKE. I use NGINX Ingress controller. You can find the chart here.

When I access the app internally in the cluster over https it works.

curl https://my-nginx.https-app-64-production --cacert /etc/nginx/ssl/tls.crt
<!DOCTYPE html>
<html>
<head>
<title>Welcome to nginx!</title>
<style>
    body {
        width: 35em;
        margin: 0 auto;
        font-family: Tahoma, Verdana, Arial, sans-serif;
    }
</style>
</head>
<body>
<h1>Welcome to nginx!</h1>
<p>If you see this page, the nginx web server is successfully installed and
working. Further configuration is required.</p>

<p>For online documentation and support please refer to
<a href="http://nginx.org/">nginx.org</a>.<br/>
Commercial support is available at
<a href="http://nginx.com/">nginx.com</a>.</p>

<p><em>Thank you for using nginx.</em></p>
</body>
</html>

But when I access it using external url then I get below error.

curl https://staging.vs-creator.iotcrawler.eu/
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.9.1</center>
</body>
</html>

I am not able to figure out what is going wrong. I suspect it is to do with ingress controller configuration. Please help me on this.

Answer 1

Use below annotation in ingress resourece

nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

From the docs

Using backend-protocol annotations is possible to indicate how NGINX should communicate with the backend service. (Replaces secure-backends in older versions) Valid Values: HTTP, HTTPS, GRPC, GRPCS, AJP and FCGI

By default NGINX uses HTTP while forwarding the request to backend pod which leads to 400 The plain HTTP request was sent to HTTPS port because the backend pod is expecting HTTPS request.