
I have an AWS NLB with SSL termination -> Kubernetes nginx ingress controller configuration and I want to be able to redirect only certain specific domains from http to https. I am using the following server-snippet in my Ingress resource:

    nginx.ingress.kubernetes.io/server-snippet: |
        if ($scheme = "http") {
          return 308 https://$host$request_uri;
        }

It actually generates the correct nginx.conf file but it keeps redirecting both http and https requests.

    server {
            server_name mydomain.com ;

            listen 80  ;
            listen 443  ssl http2 ;

            set $proxy_upstream_name "-";

            ssl_certificate_by_lua_block {
                    certificate.call()
            }

            # Custom code snippet configured for host mydomain.com
            if ($scheme = "http") {
              return 308 https://$host$request_uri;
            }
        ...
    }

I also tried with the annotations "force-ssl-redirect" and "ssl-redirect" but obtained the same result. Am I missing something in this configuration? If not and this is not a working feature, is there another way I can do the redirect?

Marina Salmen
  • Have you tried using regex for the `if ($scheme = HTTP)` instead? I may be wrong, but the condition with a single equals with strings may act as a "contains" instead of "are those two strings exactly the same?". Also... you cannot access the "server" part at all from the ingress config file, right? – Lucas Coppio Jun 16 '21 at 18:38
  • Yes I tried using `if ($scheme ~* "^http$")` but it didn't work. I also tried the configuration in ingress controller's ConfigMap (using server) and it didn't work. – Marina Salmen Jun 16 '21 at 19:01
  • Remove that snippet, and annotate your Ingress with `nginx.ingress.kubernetes.io/ssl-redirect=true` – SYN Jun 16 '21 at 19:03
  • Can you share your ingress yaml? The force-ssl-redirect annotation should work just fine – whites11 Jun 17 '21 at 05:19
  • Since you are using NLB with SSL termination, the http request from the client goes to the LB and the LB is like "nah, use https", so the client changes to https and goes through the LB and the LB goes: "looks fine to me", but the LB is terminating SSL so it changes to http and forwards to the ingress controller. Now the ingress controller sees http and goes "I don't like it, go use https" and this is what the client receives. But it's already using https. You cannot terminate SSL twice. Check the logs to confirm that this is the root cause of the issue – Matt Jun 17 '21 at 09:29
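
The exchange described in Matt's comment, modelled as an added example (not code from the question or from ingress-nginx): with TLS ending at the NLB, nginx evaluates `$scheme` as `http` on both paths, so the snippet's redirect never stops. The listener-to-port maps, the backend port 2443 and the port-keyed rule are assumptions added for contrast.

```python
from urllib.parse import urlsplit

# Constructed model, not behaviour captured from a real cluster.
# Each map: client-facing NLB port -> backend port on the controller. The NLB
# terminates TLS on 443, so every backend connection is plaintext.
SAME_PORT = {80: 80, 443: 80}      # assumed setup matching the symptom
SPLIT_PORT = {80: 2443, 443: 80}   # hypothetical: port-80 traffic gets its own backend port


def scheme_rule(scheme, backend_port, host, uri):
    """The question's snippet: if ($scheme = "http") return 308 https://..."""
    if scheme == "http":
        return 308, f"https://{host}{uri}"
    return 200, None


def port_rule(scheme, backend_port, host, uri):
    """Hypothetical alternative: redirect only what arrived via the port-80 listener."""
    if backend_port == 2443:
        return 308, f"https://{host}{uri}"
    return 200, None


def follow(url, listeners, rule, max_hops=5):
    """Follow redirects as a client would; return [(url, status), ...]."""
    hops = []
    for _ in range(max_hops):
        parts = urlsplit(url)
        client_port = 443 if parts.scheme == "https" else 80
        backend_port = listeners[client_port]
        # TLS ends at the NLB, so nginx sees $scheme = "http" on both paths.
        status, location = rule("http", backend_port, parts.hostname, parts.path or "/")
        hops.append((url, status))
        if location is None:
            break
        url = location
    return hops


def is_redirect_loop(hops):
    """True when the client ran out of hops while still being redirected."""
    return hops[-1][1] == 308


if __name__ == "__main__":
    for name, listeners, rule in [("scheme", SAME_PORT, scheme_rule),
                                  ("port", SPLIT_PORT, port_rule)]:
        hops = follow("http://mydomain.com/app", listeners, rule)
        print(name, "loop" if is_redirect_loop(hops) else "ok", hops)
```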

0 Answers