
SSL endpoints with nginx.ingress.kubernetes.io/auth-tls-secret must not serve anything over http #2010

Closed
farcaller opened this issue Jan 31, 2018 · 7 comments · Fixed by #2146


@farcaller
Contributor

Is this a request for help? (If yes, you should use our troubleshooting guide and community support channels, see https://kubernetes.io/docs/tasks/debug-application-cluster/troubleshooting/.): no

What keywords did you search in NGINX Ingress controller issues before filing this one? (If you have found any duplicates, you should instead reply there.): auth-tls-secret


Is this a BUG REPORT or FEATURE REQUEST? (choose one): BUG REPORT

NGINX Ingress controller version:
0.10.2

Kubernetes version (use kubectl version):

Client Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.0", GitCommit:"925c127ec6b946659ad0fd596fa959be43f0cc05", GitTreeState:"clean", BuildDate:"2017-12-16T03:15:38Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"darwin/amd64"}
Server Version: version.Info{Major:"1", Minor:"9", GitVersion:"v1.9.0", GitCommit:"925c127ec6b946659ad0fd596fa959be43f0cc05", GitTreeState:"clean", BuildDate:"2017-12-15T20:55:30Z", GoVersion:"go1.9.2", Compiler:"gc", Platform:"linux/amd64"}

Environment:

  • Cloud provider or hardware configuration: bare metal / kubeadm

What happened:

Given an ingress with the following annotations:

      'kubernetes.io/tls-acme': 'true',
      'nginx.ingress.kubernetes.io/auth-tls-secret': 'ingress-nginx/ingress-client-cert',
      'nginx.ingress.kubernetes.io/rewrite-target': '/',
      'nginx.ingress.kubernetes.io/proxy-body-size': '100m',

I tried to access the website via http as soon as ingress controller recognised the new object, before kube-lego delivered a secret with the tls certificate. I got the proper proxied response from my backend with the auth completely circumvented in that window of no cert.

What you expected to happen:

to see either a 3xx redirect from http to https (even though the https backend isn't functional) or a 403 (because the ingress requires tls auth).

How to reproduce it (as minimally and precisely as possible):

Use the noted annotations in the ingress with no tls secret available.

Anything else we need to know:
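The window the report describes is a fail-open one: the auth-tls-secret annotation is on the object, but until both the CA secret and the spec.tls certificate secret exist and plaintext is redirected, port 80 proxies straight to the backend with no client-certificate check. The script below is an added example (my own code, not the ingress-nginx project's or the reporter's) that audits Ingress objects for exactly that state before they are applied or while ACME is still pending. The annotation names are the real ingress-nginx ones; `audit_ingress`, `probe_plain_http`, the sample Ingress and the secret list are constructed for this example. It relies on `nginx.ingress.kubernetes.io/force-ssl-redirect`, which the controller documents as redirecting to https even when no certificate is configured yet, so it is the setting that closes the no-cert window.

```python
# Added example: audit Ingress objects for the auth-tls-secret fail-open window
# (not code from ingress-nginx or from the issue reporter).
from http.client import HTTPConnection
from typing import List, Set

ANNOT = "nginx.ingress.kubernetes.io/"
AUTH_TLS_SECRET = ANNOT + "auth-tls-secret"
FORCE_SSL_REDIRECT = ANNOT + "force-ssl-redirect"


def _truthy(value) -> bool:
    return str(value).strip().lower() == "true"


def audit_ingress(ingress: dict, existing_secrets: Set[str]) -> List[str]:
    """Return findings for one Ingress (empty list means nothing to report).

    existing_secrets holds "namespace/name" strings for Secrets that exist
    right now, which is what the controller sees when it renders nginx.conf.
    """
    meta = ingress.get("metadata", {})
    ns = meta.get("namespace", "default")
    name = f"{ns}/{meta.get('name', '?')}"
    ann = meta.get("annotations") or {}
    findings: List[str] = []

    auth_ref = ann.get(AUTH_TLS_SECRET)
    if not auth_ref:
        return findings  # no client-cert auth requested; out of scope

    # auth-tls-secret must be "namespace/name"; a dangling reference means the
    # controller has no CA to verify clients against, so auth cannot be enforced.
    if "/" not in auth_ref:
        findings.append(f"{name}: {AUTH_TLS_SECRET}={auth_ref!r} is not namespace/name")
    elif auth_ref not in existing_secrets:
        findings.append(f"{name}: CA secret {auth_ref} does not exist; "
                        "client-cert auth cannot be enforced")

    # spec.tls must reference a secret that already exists; otherwise the host has
    # no https server block and only the plain-http path is reachable.
    tls_entries = ingress.get("spec", {}).get("tls") or []
    if not tls_entries:
        findings.append(f"{name}: no spec.tls entry; host is served over plain HTTP only")
    for entry in tls_entries:
        secret = entry.get("secretName")
        if not secret:
            findings.append(f"{name}: spec.tls entry without secretName")
        elif f"{ns}/{secret}" not in existing_secrets:
            findings.append(f"{name}: TLS secret {ns}/{secret} does not exist yet "
                            "(e.g. ACME issuance not finished)")

    # Without force-ssl-redirect the plain-http server block proxies to the
    # backend, and client-certificate verification never runs on that path.
    if not _truthy(ann.get(FORCE_SSL_REDIRECT)):
        findings.append(f"{name}: {FORCE_SSL_REDIRECT} is not 'true'; "
                        "plain HTTP is proxied without client-cert auth")
    return findings


def probe_plain_http(host: str, port: int = 80, path: str = "/", timeout: float = 5.0):
    """Send one plain-http request without following redirects.

    Returns (status, Location header). For a fail-closed ingress expect a 3xx
    with an https:// Location or a 403, never the backend's own 200.
    """
    conn = HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Host": host})
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


# Constructed sample: the Ingress from the report as seen before kube-lego has
# created the certificate secret. The CA secret for client auth already exists.
SAMPLE_INGRESS = {
    "metadata": {
        "name": "app",
        "namespace": "prod",
        "annotations": {
            "kubernetes.io/tls-acme": "true",
            AUTH_TLS_SECRET: "ingress-nginx/ingress-client-cert",
            ANNOT + "rewrite-target": "/",
            ANNOT + "proxy-body-size": "100m",
        },
    },
    "spec": {
        "tls": [{"hosts": ["app.example.com"], "secretName": "app-tls"}],
        "rules": [{"host": "app.example.com"}],
    },
}
SAMPLE_SECRETS = {"ingress-nginx/ingress-client-cert"}

if __name__ == "__main__":
    for finding in audit_ingress(SAMPLE_INGRESS, SAMPLE_SECRETS):
        print("FINDING:", finding)
```

Run against live objects by feeding `audit_ingress` the dicts from `kubectl get ingress -A -o json` and a set built from `kubectl get secret -A`; `probe_plain_http("app.example.com")` then confirms from outside that port 80 answers with a redirect or 403 rather than the backend's content.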

@Preskton

@farcaller have you tried setting kubernetes.io/ingress.allow-http to false?

@aledbf
Member

aledbf commented Feb 25, 2018

@Preskton that annotation only works in the GCE Ingress controller

@aledbf
Member

aledbf commented Feb 25, 2018

@farcaller if you don't want traffic in port 80 you need to filter the traffic in your firewall or not expose port 80 in the deployment.

@aledbf aledbf closed this as completed Feb 25, 2018
@farcaller
Contributor Author

if you don't want traffic in port 80 you need to filter the traffic in your firewall or not expose port 80 in the deployment.

@aledbf how is that solving the issue? I want nginx ingress to serve 3xx redirects at all times, and not just ignore an "auth-tls-secret" annotation if it's incorrect. My point is that the failure mode is too permissive.

@aledbf aledbf reopened this Feb 25, 2018
@aledbf
Member

aledbf commented Feb 25, 2018

I want nginx ingress to serve 3xx redirects at all times, and not just ignore a "auth-tls-secret" annotation if it's incorrect.

If there is an issue with the SSL certificate you should get a 403 error

@farcaller
Contributor Author

farcaller commented Feb 25, 2018 via email

@aledbf
Member

aledbf commented Feb 25, 2018

@farcaller please test quay.io/aledbf/nginx-ingress-controller:0.336
