5

I have recently been using the nginxdemo/nginx-ingress controller.

As I understand it, this controller cannot do SSL Passthrough (by that I mean pass the client certificate all the way through to the backend service for authentication), so instead I have been passing the client's subject DN through a header.

Ultimately I would prefer SSL-Passthrough and have been looking at the kubernetes/ingress-nginx project which apparently supports SSL passthrough.

Does anyone have any experience with this controller and SSL Passthrough?

The few Ingress examples showing passthrough that I have found leave the path setting blank.

Is this because passthrough has to take place at the TCP level (4) rather than at HTTP (7)?

Right now, I have a single host rule that services multiple paths.

Sébastien
user2581751

3 Answers

2

Completing on lch's answer, I would like to add that I had the same problem recently and I sorted it out by modifying the ingress-service deployment (I know, it should be a DaemonSet, but that's a different story).

The change was adding the parameter to spec.containers.args:

  --enable-ssl-passthrough

Then I've added the following annotations to my ingress:

kubernetes.io/ingress.allow-http: "false"
nginx.ingress.kubernetes.io/secure-backends: "true"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"

The important ones are secure-backends and ssl-passthrough, but I think the rest are a good idea, provided you're not expecting HTTP traffic there.

Javier PR
1

SSL-Passthrough is working fine for me. Here is the Official Documentation.

And here is an example usage:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-service-ingress
  namespace: my-service
  annotations:
    kubernetes.io/ingress.allow-http: "false"
    nginx.ingress.kubernetes.io/ssl-passthrough: "true"
    nginx.ingress.kubernetes.io/secure-backends: "true"
spec:
  rules:
    - host: my.example.com
      http:
        paths:
          - backend:
              serviceName: my-service
              servicePort: <port>  # placeholder: the TLS port your Service exposes (not given in the original)

Ich
  • Have you had any luck with using session affinity with cookies for the SSL Passthrough at all? – Matt Woodward Mar 07 '19 at 23:05
  • Session affinity based on cookies is not possible since nginx cannot look into the encrypted SSL traffic. You can only have IP-based session affinity (although I'm not sure how to configure that). – Ich Mar 22 '19 at 11:41
0

Try adding the following annotation (possibly on top of the others suggested here):

nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"