1

I have config my ingress support SSL:

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "service"
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "x.x.x.x/xx"
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
spec:
  tls:
  - hosts:
    - "example.com"
    secretName: example.name
  rules:
  - host: "example.com"
    http:
      paths:
      - path: /
        backend:
          serviceName: service
          servicePort: 80

In my config above, only IP in whitelist can access the domain for both HTTP & HTTPS. But I would like to config all IP addresses can access https://example.com (HTTPS) and some IP addresses in whitelist can access without SSL - http://example.com.

helmbert
  • 35,797
  • 13
  • 82
  • 95
Huy Chau
  • 2,178
  • 19
  • 26

3 Answers3

1

I have resolved my issue by add more config to nginx location (listen both http and https) by use nginx.ingress.kubernetes.io/configuration-snippet annotation.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: "service"
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    # The configs to allow all IPs access via https and allow some IPs in
    # security whitelist access via http
    nginx.ingress.kubernetes.io/configuration-snippet: |

      if ($https) {
        set $allow_ip true;
      }

      if ($remote_addr ~ (x.x.x.x|y.y.y.y) {
        set $allow_ip true;
      }

      if ($allow_ip != true) {
        return 403;
      }
spec:
  tls:
  - hosts:
    - "example.com"
    secretName: example.name
  rules:
  - host: "example.com"
    http:
      paths:
      - path: /
        backend:
          serviceName: service
          servicePort: 80
Huy Chau
  • 2,178
  • 19
  • 26
0

The whitelist-source-range annotation will always affect the entire Ingress resource. However, you might (untested!) try using two separate Ingress resources: one for HTTP access (with a source whitelist and without a tls configuration) and one for HTTPS (with plain HTTP disabled using the kubernetes.io/ingress.allow-http annotation):

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: service-https
  annotations:
    nginx.ingress.kubernetes.io/ssl-redirect: "false"
    kubernetes.io/ingress.allow-http: "false"
spec:
  tls:
  - hosts:
    - "example.com"
    secretName: example.name
  rules:
  - host: "example.com"
    http:
      paths:
      - path: /
        backend:
          serviceName: service
          servicePort: 80
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: service-http
  annotations:
    nginx.ingress.kubernetes.io/whitelist-source-range: "x.x.x.x/xx"
spec:
  rules:
  - host: "example.com"
    http:
      paths:
      - path: /
        backend:
          serviceName: service
          servicePort: 80
helmbert
  • 35,797
  • 13
  • 82
  • 95
0

I believe it is not possible by using only nginx-ingress at the moment.
When you set up the HTTPS scheme for Ingress, it starts to listen on port 443 and continues to listen on port 80.

However, you are able to do it by using on-premise Nginx instance as an external Load Balancer.
Follow this link for the detailed instructions: "Kubernetes TCP load balancer service on premise (non-cloud)"

As another option, you may want to try Istio Ingress

VAS
  • 8,538
  • 1
  • 28
  • 39