ingress-nginx: HTTP->HTTPS redirect does not work with use-proxy-protocol: "true"

I am currently using gcr.io/google_containers/nginx-ingress-controller:0.9.0-beta.7. I was having issues as #277, but that issue is marked as resolved. My ingress would work properly with https://, but would return an empty response with http://. This is what happened when I tried to cURL my domain:

$ curl https://mydomain.com
[html response]
$ curl http://mydomain.com
curl: (52) Empty reply from server

When I changed the use-proxy-protocol configuration from true to false, the curl worked correctly.

$ curl https://mydomain.com
[html response]
$ curl http://mydomain.com
[301 response]

Here is my original config map to reproduce the situation:

apiVersion: v1
kind: ConfigMap
metadata:
  name: my-config-map
data:
  force-ssl-redirect: "true"
  ssl-redirect: "true"
  use-proxy-protocol: "true"

About this issue

Original URL
State: closed
Created 7 years ago
Comments: 38 (12 by maintainers)

Most upvoted comments

For those using helm, here’s how I managed to use externalTrafficPolicy: Local (to preserve client ip in backends) while also make it work with multiples nodes behind the LoadBalancer:

helm install ingress ingress-nginx/ingress-nginx \
  --namespace ingress-nginx \
  --create-namespace \
  --set-string controller.service.externalTrafficPolicy=Local \
  --set-string controller.kind=DaemonSet

without controller.kind=DaemonSet, the LoadBalancer was not delivering traffic to the other nodes as they were reporting “unhealthy”.

+15

ejose19 on Mar 9, 2021

@dano0b maybe I’m missing something but I configured kuberntes-ingress in that way and it didn’t work: I’m using GKE and when connecting using HTTP I got the real IP but when I’m connecting using HTTPS I’m always getting 127.0.0.1 as the remote IP.

In my opinion, the best solution right now is the one that @coolersport providedÇ

UPDATED After disabled --enable-ssl-passthrough flag I was getting the real request IP as @dano0b pointed

miquelbar on May 7, 2020

@roboticsound, here they are. Sorry, I can’t post full YAML files. Hope this gives you the idea.

--- pod container (sidecar) ---
- name: https-redirector
  image: nginx:1.15-alpine
  imagePullPolicy: IfNotPresent
  ports:
  - containerPort: 8080
    name: redirector
  securityContext:
    allowPrivilegeEscalation: false
  volumeMounts:
  - name: nginx-redirector
    mountPath: /etc/nginx/nginx.conf
    subPath: nginx.conf
    readOnly: true
--- service ---
ports:
- name: http
  port: 80
  targetPort: redirector
--- configmap ---
nginx.conf: |
  events {
      worker_connections  128;
  }
  http {
    server {
      listen 8080;
      server_name _;
      return 301 https://$host$request_uri;
    }
  }

ghost on Apr 6, 2019

Do we have like a standard way of doing this?

allenvino1 on Oct 8, 2020

In case somebody didn’t see the better solution: https://kubernetes.io/docs/tasks/access-application-cluster/create-external-load-balancer/#preserving-the-client-source-ip

dano0b on Sep 9, 2019

@anurag not sure. If you want to test this please make sure you use externalTrafficPolicy: Local in the service spec of the ingress controller

aledbf on Jan 15, 2018