From 40f9064ca323ee113b9083456d11b0772de4b716 Mon Sep 17 00:00:00 2001
From: Manuel de Brito Fontes
Date: Sun, 26 Mar 2017 17:23:37 -0300
Subject: [PATCH] Add information about SSL Passthrough annotation
---
controllers/nginx/configuration.md | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/controllers/nginx/configuration.md b/controllers/nginx/configuration.md
index f27bde70ae..508fd95d7f 100644
--- a/controllers/nginx/configuration.md
+++ b/controllers/nginx/configuration.md
@@ -46,12 +46,13 @@ The following annotations are supported:
 |[ingress.kubernetes.io/auth-secret](#authentication)|string|
 |[ingress.kubernetes.io/auth-type](#authentication)|basic or digest|
 |[ingress.kubernetes.io/auth-url](#external-authentication)|string|
-|[ingress.kubernetes.io/auth-tls-secret](#Certificate Authentication)|string|
-|[ingress.kubernetes.io/auth-tls-verify-depth](#Certificate Authentication)|number|
+|[ingress.kubernetes.io/auth-tls-secret](#certificate-authentication)|string|
+|[ingress.kubernetes.io/auth-tls-verify-depth](#certificate-authentication)|number|
 |[ingress.kubernetes.io/enable-cors](#enable-cors)|true or false|
 |[ingress.kubernetes.io/force-ssl-redirect](#server-side-https-enforcement-through-redirect)|true or false|
 |[ingress.kubernetes.io/limit-connections](#rate-limiting)|number|
 |[ingress.kubernetes.io/limit-rps](#rate-limiting)|number|
+|[ingress.kubernetes.io/ssl-passthrough](#ssl-passthrough)|true or false|
 |[ingress.kubernetes.io/proxy-body-size](#custom-max-body-size)|string|
 |[ingress.kubernetes.io/rewrite-target](#rewrite)|URI|
 |[ingress.kubernetes.io/secure-backends](#secure-backends)|true or false|
@@ -191,6 +192,14 @@ The annotations `ingress.kubernetes.io/limit-connections` and `ingress.kubernete
 If you specify both annotations in a single Ingress rule, `limit-rps` takes precedence.
+### SSL Passthrough
+
+The annotation `ingress.kubernetes.io/ssl-lassthrough` allows to configure TLS termination in the pod and not in NGINX.
+This is possible thanks to the [ngx_stream_ssl_preread_module](https://nginx.org/en/docs/stream/ngx_stream_ssl_preread_module.html) that enables the extraction of the server name information requested through SNI from the ClientHello message at the preread phase.
+
+**Important:** using the annotation `ingress.kubernetes.io/ssl-lassthrough` invalidate all the other availables annotations. This is because SSL Passthrough works in L4 (TCP).
+
+
 ### Secure backends
 By default NGINX uses `http` to reach the services. Adding the annotation `ingress.kubernetes.io/secure-backends: "true"` in the Ingress rule changes the protocol to `https`.