
I have a service providing an API that I want to only be accessible over https. I don't want http to redirect to https because that will expose credentials and the caller won't notice. Better to get an error response.

How do I configure my ingress.yaml? Note that I want to maintain the default 308 redirect from http to https for other services in the same cluster.

Thanks.

Wytrzymały Wiktor
David Tinker
  • Which version of Kubernetes did you use and how did you set up the cluster? Did you use bare metal installation or some cloud provider? Did you try to use any [annotations](https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/annotations/)? If yes, which ones? Do you want to block http completely or force https? – kkopczak Sep 27 '21 at 14:56
  • It is bare metal v1.21.0 installed with kubeadm. I couldn't find any annotations to disable http or a way to do it with a nginx config snippet. I want http to return a 400 or 403. We are using `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"` to force https for other services. – David Tinker Sep 27 '21 at 18:12

1 Answer


In the documentation you can read the following sentence about HTTPS enforcement through redirect:

> By default the controller redirects (308) to HTTPS if TLS is enabled for that ingress. If you want to disable this behavior globally, you can use `ssl-redirect: "false"` in the NGINX ConfigMap.
>
> To configure this feature for specific ingress resources, you can use the `nginx.ingress.kubernetes.io/ssl-redirect: "false"` annotation in the particular resource.

You can also create two separate configurations: one with http and https and the other one only for http.

Using the `kubernetes.io/ingress.class` annotation you can choose the ingress controller to be used.

This mechanism also provides users the ability to run multiple NGINX ingress controllers (e.g. one which serves public traffic, one which serves "internal" traffic).

See also this and this similar questions.

kkopczak
    Ok, so the bottom line is it can't be done without having multiple nginx ingress controllers and a separate ingress. That's a pain. – David Tinker Oct 11 '21 at 05:51
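
An added check, not part of the answer above or of ingress-nginx: a Python probe that sends one plain-HTTP request to the API host and reports whether the ingress redirected (the default 308), served the request over HTTP, or rejected it. The function names, verdict labels and the host in the usage comment are assumptions made for this example.

```python
import http.client
import sys

REDIRECTS = {301, 302, 303, 307, 308}


def classify(status, location=None):
    """Label the response a plain-HTTP request to an HTTPS-only API received."""
    if status in REDIRECTS:
        # ingress-nginx answers 308 by default when TLS is enabled for the
        # ingress; the request, credentials included, already went out in clear.
        if (location or "").lower().startswith("https://"):
            return "redirect-to-https"
        return "redirect-other"
    if 200 <= status < 300:
        # What ssl-redirect: "false" alone gives you: the API answers on port 80.
        return "served-over-http"
    if 400 <= status < 500:
        return "rejected"  # the behaviour the question asks for
    return "unexpected"


def probe(host, port=80, path="/", timeout=5.0):
    """Send one GET over plain HTTP; http.client never follows redirects."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path)
        resp = conn.getresponse()
        resp.read()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def check_https_only(host, port=80, path="/"):
    """Probe the endpoint and return the raw response data plus a verdict."""
    status, location = probe(host, port, path)
    verdict = classify(status, location)
    return {"status": status, "location": location,
            "verdict": verdict, "ok": verdict == "rejected"}


if __name__ == "__main__":
    # Usage: python check_http.py api.example.test /v1/health  (constructed host)
    target_path = sys.argv[2] if len(sys.argv) > 2 else "/"
    result = check_https_only(sys.argv[1], path=target_path)
    print(result)
    sys.exit(0 if result["ok"] else 1)
```

A 4xx can also come from the backend itself (for example a 401 for missing credentials), so probe a path that returns 2xx over HTTPS without authentication, such as a health endpoint.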