Nginx ingress controller - Why tls passthrough to backend is not working with wildcard?? #13164
Comments
|
Readers here do not know the details like Subject and Alt-Subject of the cert in the backend. So its not possible to comment based on any data. One guess is that the cert in the backend does not meet the requirements of your curl request. But that is out of the scope of the controller. /remove-kind bug |
|
This is a duplicate of #11982, but it was closed as not planned. You can either build your own controller based off of my PR #12701 (basically forking your own ingress-nginx), or for me I've decided to have a HAProxy fronting ingress-nginx to handle TLS passthrough while still using ingress-nginx as an ingress controller. Since there have been multiple other bugs related to how ingress-nginx does TLS passthrough (such as #11424 and it not supporting the PROXY protocol), and it seems like the maintainers want to deprecate this feature due to resource constraints, it's probably a good idea to not use TLS passthrough in ingress-nginx. |
I am executing cull command with:
curl -k -v -XPUT --cert ./muse-sbi.crt --key ./muse-sbi-privatekey.pem --cacert ./current-muse-nbi-ca-root.crt --pass LS5cbqYDAx0DpV0WKCh9 https://muse.eldar-sor-test.com/users-mng/isAuthenticated
In the response I am getting back from nginx-igress-controller the default cecrtificate "Kubernetes Ingress Controller Fake Certificate" and certificate are not pass to my backend.
Ingress controller object defined this way:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
meta.helm.sh/release-name: mi-gateway
meta.helm.sh/release-namespace: mi-paas
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
creationTimestamp: "2025-04-06T14:18:40Z"
generation: 7
labels:
app.kubernetes.io/managed-by: Helm
name: mi-gateway-ingress
namespace: mi-paas
resourceVersion: "3439272"
uid: 7205880c-0465-4a59-8919-c424dba40ad7
spec:
ingressClassName: nginx
rules:
http:
paths:
service:
name: mi-gateway
port:
number: 4433
path: /
pathType: Prefix
http:
paths:
service:
name: mi-gateway
port:
number: 4433
path: /
pathType: Prefix
status:
loadBalancer:
ingress:
when I am sending this curl it work fine:
curl -k -v -XPUT --cert ./muse-sbi.crt --key ./muse-sbi-privatekey.pem --cacert ./current-muse-nbi-ca-root.crt --pass LS5cbqYDAx0DpV0WKCh9 https://eldar-sor-test.com/users-mng/isAuthenticated
If I am changing my ingress object to be , with explicit host in rule (without wildcard) it works ok:
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
meta.helm.sh/release-name: mi-gateway
meta.helm.sh/release-namespace: mi-paas
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
nginx.ingress.kubernetes.io/ssl-passthrough: "true"
creationTimestamp: "2025-04-06T14:18:40Z"
generation: 8
labels:
app.kubernetes.io/managed-by: Helm
name: mi-gateway-ingress
namespace: mi-paas
resourceVersion: "3444909"
uid: 7205880c-0465-4a59-8919-c424dba40ad7
spec:
ingressClassName: nginx
rules:
http:
paths:
service:
name: mi-gateway
port:
number: 4433
path: /
pathType: Prefix
http:
paths:
service:
name: mi-gateway
port:
number: 4433
path: /
pathType: Prefix
status:
loadBalancer:
ingress:
curl -k -v -XPUT --cert ./muse-sbi.crt --key ./muse-sbi-privatekey.pem --cacert ./current-muse-nbi-ca-root.crt --pass LS5cbqYDAx0DpV0WKCh9 https://muse.eldar-sor-test.com/users-mng/isAuthenticated
tls negotiation between client to backend mi-gateway works as expected.
why tls passthrough to backend is not working with wildcard??
The text was updated successfully, but these errors were encountered: