Question: How to achieve HTTPS from an AWS ELB to the nginx ingress controller (Layer7) #3902

Closed
michaelajr opened this issue Mar 18, 2019 · 4 comments

michaelajr commented Mar 18, 2019

Is this a BUG REPORT or FEATURE REQUEST? (choose one):
Question

NGINX Ingress controller version:
0.23

Kubernetes version (use kubectl version):
1.11.5

Environment:
AWS

What happened:
Sorry for the question, but I did not see anywhere else to ask. I am running the nginx ingress controller behind a layer7 ELB, and I want the hop to the controller to be over HTTPS. Right now, I have to set `service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"` to get things to work. I have tried to specify `service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "https"` and then give Ingress objects an SSL secret with a self-signed cert, but the connection just hangs. Is there anything else I need to do to get HTTPS from the ELB to nginx? (I want to use Layer7, not Layer4.)

aledbf (Member) commented Mar 18, 2019

@michaelajr please post the ingress controller pod logs

michaelajr (Author) commented Mar 18, 2019

@aledbf After I turned on verbose logging I saw that there was an SSL handshake issue. Very low-level logging. Something about not finding a cipher match. After some research I was able to add the ciphers and protocols to the config map.

```yaml
kind: ConfigMap
apiVersion: v1
metadata:
  name: nginx-config
data:
  ssl-ciphers: "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
  ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2"
```

There is also some talk about this here: nginxinc/kubernetes-ingress#69

Thanks for pushing me to turn on v=5 logging.

M
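
An added example (not from the thread or from the ingress-nginx project): a small Python audit that sorts the `ssl-ciphers` and `ssl-protocols` values from the ConfigMap above into buckets, showing which deprecated protocol versions and which non-forward-secret, CBC or 3DES suites the widened setting enables alongside the suite the ELB needed. The bucket names and the name-based classification are assumptions of this example; it reads OpenSSL cipher-string tokens by name and does not expand aliases such as `AES`.

```python
# Added example: classify what an ssl-ciphers / ssl-protocols pair enables.
# PAGE_* values are copied verbatim from the ConfigMap in the comment above.
PAGE_CIPHERS = "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA"
PAGE_PROTOCOLS = "TLSv1 TLSv1.1 TLSv1.2"

# TLS 1.0 and 1.1 were formally deprecated by RFC 8996.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
FS_PREFIXES = ("ECDHE-", "DHE-", "kEDH", "EECDH", "EDH")  # ephemeral key exchange
AEAD_MARKERS = ("GCM", "CHACHA20", "CCM")
# Bucket names are hypothetical labels chosen for this example.
BUCKETS = ("fs_aead", "fs_cbc", "static_rsa_aead", "static_rsa_cbc",
           "triple_des", "broad_alias", "excluded")


def classify(token):
    """Return the bucket for one enabled entry of an OpenSSL cipher string."""
    if "DES-CBC3" in token or "3DES" in token:
        return "triple_des"
    if "-" not in token and "+" not in token:
        return "broad_alias"  # e.g. AES, CAMELLIA: one word, many suites
    forward_secret = token.startswith(FS_PREFIXES)
    aead = any(marker in token for marker in AEAD_MARKERS)
    if forward_secret:
        return "fs_aead" if aead else "fs_cbc"
    # No key-exchange prefix in an OpenSSL name means static RSA key exchange.
    return "static_rsa_aead" if aead else "static_rsa_cbc"


def audit(ciphers, protocols):
    """Sort cipher-string tokens into buckets and list deprecated protocols."""
    report = {name: [] for name in BUCKETS}
    for token in (t.strip() for t in ciphers.split(":")):
        if not token:
            continue
        # "!" removes suites permanently, "-" removes them from the list.
        bucket = "excluded" if token[0] in "!-" else classify(token.lstrip("+"))
        report[bucket].append(token)
    report["deprecated_protocols"] = [
        p for p in protocols.split() if p in DEPRECATED_PROTOCOLS]
    return report


if __name__ == "__main__":
    for name, items in audit(PAGE_CIPHERS, PAGE_PROTOCOLS).items():
        print(f"{name:22} {len(items):2}  {' '.join(items[:3])}")
```

Everything outside `fs_aead` is a candidate for removal once the suite the ELB actually negotiates has been identified from the controller logs.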

amitsaha commented Aug 2, 2019

Thank you @michaelajr - light at the end of the tunnel after 2 days!
