7

I'm using Kubernetes ingress-nginx and this is my Ingress spec. http://example.com works fine as expected. But when I go to https://example.com it still works, but it points to the default-backend with the Fake Ingress Controller certificate. How can I disable this behaviour? I want to disable listening on https entirely on this particular ingress, since there is no TLS configured.

kind: Ingress
apiVersion: extensions/v1beta1
metadata:
  name: http-ingress
  annotations:
    kubernetes.io/ingress.class: "nginx"
spec:
  rules:
    - host: example.com
      http:
        paths:
          - backend:
              serviceName: my-deployment
              servicePort: 80

I've tried the `nginx.ingress.kubernetes.io/ssl-redirect: "false"` annotation. However, this has no effect.

Shinebayar G
  • Nginx server listens on both ports, 80 and 443. If you want to disable port 443 you must configure the nginx server, but in this case no ingress at all will be able to use HTTPS – Alexandre Cartapanis May 25 '19 at 08:23
  • This may be due to the browser redirect cache. Try with "ssl-redirect: false" in browser incognito mode. – Vasili Angapov May 25 '19 at 08:26
  • @VasilyAngapov I've tested in incognito mode. I think `nginx.ingress.kubernetes.io/ssl-redirect: "false"` is not relevant here because doc says: `By default the controller redirects (308) to HTTPS if TLS is enabled for that ingress. If you want to disable this behavior globally, you can use ssl-redirect: "false" in the NGINX ConfigMap. To configure this feature for specific ingress resources, you can use the nginx.ingress.kubernetes.io/ssl-redirect: "false" annotation in the particular resource.` – Shinebayar G May 25 '19 at 09:11
  • @AlexandreCartapanis hmm, so it's not possible to disable https on a particular hostname when nginx is listening on both 80 and 443? – Shinebayar G May 25 '19 at 09:13
  • I don't see why you are talking about redirection. You say that when you go to "http://" you reach your service, and when you go to "httpS://" you reach the default backend. So redirection has nothing to do with this. The Nginx server knows about your service when the url is "http" and doesn't know it when the url is "httpS". And when nginx doesn't know about a service for a given url, it sends it to the default backend. This is totally normal behaviour. Here the point is that the ingress controller is listening on 443. So IT IS reachable, even if there is no ingress configured for the https port. – Alexandre Cartapanis May 25 '19 at 09:18
  • To disable nginx listening on https, you must configure the nginx controller, but this will disable https for ALL ingresses. See Matt's answer. – Alexandre Cartapanis May 25 '19 at 09:22
  • If this is really something you want, you can configure two different nginx-controllers, one with http and https, and one with only http. Then you can choose the ingress controller to be used with the `kubernetes.io/ingress.class` annotation. – Alexandre Cartapanis May 25 '19 at 09:24
  • @AlexandreCartapanis that's correct. Yeah, I've understood that redirect is not relevant here. So I cannot really stop nginx listening on particular hostnames unless I disable the whole 443 port, right? Edit: Thanks for the great explanation. If you write this as an answer I'd accept it. – Shinebayar G May 25 '19 at 09:31

2 Answers

8

I'm not aware of an ingress-nginx configmap value or ingress annotation to easily disable TLS.

You could remove port 443 from your ingress controller's service definition.

Remove the https entry from the spec.ports array:

apiVersion: v1
kind: Service
metadata:
  name: mingress-nginx-ingress-controller
spec:
  ports:
  - name: https
    nodePort: NNNNN
    port: 443
    protocol: TCP
    targetPort: https

nginx will still be listening on a TLS port, but no clients outside the cluster will be able to connect to it.

Matt
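Added example, not part of Matt's answer: one way to turn "remove the https entry from spec.ports" into a guarded JSON Patch for `kubectl patch --type=json`. The Service name, the nodePort values and the helper names are constructed for illustration.

```python
import json

# Constructed sample: trimmed `kubectl get svc <name> -o json` output for a
# controller Service exposing both listeners (name and nodePorts are made up).
SAMPLE_SERVICE = json.loads("""
{
  "apiVersion": "v1",
  "kind": "Service",
  "metadata": {"name": "example-ingress-controller"},
  "spec": {
    "type": "NodePort",
    "ports": [
      {"name": "http", "nodePort": 30080, "port": 80, "protocol": "TCP", "targetPort": "http"},
      {"name": "https", "nodePort": 30443, "port": 443, "protocol": "TCP", "targetPort": "https"}
    ]
  }
}
""")


def is_tls_port(entry):
    """True for the entry the answer removes: named https or port 443."""
    return entry.get("name") == "https" or entry.get("port") == 443


def build_remove_https_patch(service):
    """Build RFC 6902 JSON Patch ops that drop https entries from spec.ports."""
    ports = service.get("spec", {}).get("ports", [])
    hits = [i for i, p in enumerate(ports) if is_tls_port(p)]
    if hits and len(hits) == len(ports):
        raise ValueError("refusing to remove every port from the Service")
    ops = []
    # Highest index first: removing an element shifts the ones after it.
    for i in sorted(hits, reverse=True):
        # `test` makes the API server reject the patch if the list changed
        # between reading the Service and patching it.
        ops.append({"op": "test", "path": f"/spec/ports/{i}/port", "value": ports[i]["port"]})
        ops.append({"op": "remove", "path": f"/spec/ports/{i}"})
    return ops


if __name__ == "__main__":
    # Pass the output to: kubectl patch svc <name> --type=json -p '<ops>'
    print(json.dumps(build_remove_https_patch(SAMPLE_SERVICE)))
```

If the Service is managed by Helm or another reconciler, the port comes back on the next apply unless the same change is made in the chart values or manifest.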
2

Redirection is not involved in your problem.

The ingress-controller is listening on both ports, 80 and 443. When you configure an ingress with only port 80, if you reach port 443 you are redirected to the default backend, which is expected behaviour.

A solution is to add another nginx-controller that will only listen on port 80. Then you can configure your ingresses with `kubernetes.io/ingress.class: myingress`. When creating the new nginx-controller, change the command `--ingress-class=myingress` of the daemonset. It will then handle only ingresses annotated with this class.

If you use helm to deploy it, simply override the `controller.ingressClass` value.

Alexandre Cartapanis