Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Kubernetes ingress-nginx - How can I disable listening on https if no TLS configured?

Tags:

nginx

kubernetes

google-kubernetes-engine

nginx-ingress

I'm using kubernetes ingress-nginx and this is my Ingress spec. http://example.com works fine as expected. But when I go to https://example.com it still works, but pointing to default-backend with Fake Ingress Controller certificate. How can I disable this behaviour? I want to disable listening on https at all on this particular ingress, since there is no TLS configured.

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: http-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: example.com
      http:
        paths:
          - backend:
              serviceName: my-deployment
              servicePort: 80

I've tried this nginx.ingress.kubernetes.io/ssl-redirect: "false" annotation. However this has no effect.

like image 644
Shinebayar G Avatar asked May 25 '19 07:05

Shinebayar G

People also ask

How do I disable TLS in Kubernetes?

There is no default certificate for non-SNI-capable clients. If you don't want to use Kubernetes for TLS, set tls: false in kubernetes. config or set the $TS_TLS environment variable to "false" .

How do I disable ingress in Kubernetes?

This can be disabled globally using ssl-redirect: "false" in the NGINX config map, or per-Ingress with the nginx.ingress.kubernetes.io/ssl-redirect: "false" annotation in the particular resource.

How do you stop nginx Kubernetes ingress?

Sometimes we need to disable the Kubernetes Ingress. For instance, by default the controller redirects (308) to HTTPS if TLS is enabled for that ingress. If we want to disable this behavior globally, we can use ssl-redirect: “false” in the NGINX.

2 Answers

I'm not aware of an ingress-nginx configmap value or ingress annotation to easily disable TLS.

You could remove port 443 from your ingress controllers service definition.

Remove the https entry from the spec.ports array 

apiVersion: v1
kind: Service
metadata:
  name: mingress-nginx-ingress-controller
spec:
  ports:
  - name: https
    nodePort: NNNNN
    port: 443
    protocol: TCP
    targetPort: https

nginx will still be listening on a TLS port, but no clients outside the cluster will be able to connect to it.

like image 186
Matt Avatar answered Sep 28 '22 10:09

Matt

Redirection is not involved in your problem.

ingress-controller is listening on both port, 80 and 443. When you configure an ingress with only 80 port, if you reach the 443 port you are redirected to the default backend, which is expected behaviour.

A solution is to add an other nginx-controller, that will only listen on 80 port. And then you can configure your ingresses with kubernetes.io/ingress.class: myingress. When creating the new nginx-controller, change the command --ingress-class=myingress of the daemonset. It will then handle only ingress annotated with this class.

If you use helm to deploy it, simply override the controller.ingressClass value.

like image 36
Alexandre Cartapanis Avatar answered Sep 28 '22 08:09

Alexandre Cartapanis
Sign in to Comment

Related questions

Django+gunicorn+nginx upload large file 502 error
neo4j webinterface behind nginx reverse proxy
How to stop nginx on my Amazon EC2 instance
extremely slow HHVM, Wordpress, Nginx
Root directory shows 404 in nginx
redirect all the requests to api server with nginx
how to configure dynamic Virtual host with dynamic SSL configuration in nginx?
How do HTTP/2 and CNAME work together?
Nginx proxy_ssl_certificate not working as expected
Microsoft Edge won't load local nginx website in Vagrant VM
Why use nginx as websocket proxy?
containerized nginx log rotation with logrotate
How to use Docker swarm DNS/Service names in Nginx upstream
How to bind Daphne on a unix socket?
Running multiple Dockerize projects at the same time using PHP, MySQL, nginx
Regex for Detecting Complex Attack Strings on Web Sites
Kubernetes Ingress running behind nginx reverse proxy
Difference between {R:1} and {C:1} on iis web.config file
Connect failed: php_network_getaddresses: getaddrinfo failed: System error
Nginx ingress controller vs HAProxy load balancer

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!