[nginx] Allow ELB SSL termination with HSTS and HTTPS redirect

[foxylion]

We are terminating our SSL traffic at AWS ELB. This is supported by the nginx ingress.

But we are also require the HSTS headers to be always set and HTTPS redirection enabled by default.
This can be a bit tricky, because nginx needs to know which traffic from ELB was HTTPS traffic and which traffic is HTTP traffic.

In our current setup we use a different port in nginx which has the only purpose of redirecting all traffic to the HTTPS equivalent.

server {
   listen 8000 proxy_protocol;
   server_tokens off;
   return 301 https://$host$request_uri;
}

This enables us to route all ELB traffic on port 80 to port 8000 of ingress. And SSL terminated traffic on port 443 to port 80 of ingress. So far this did not need major changes in ingress, but it will no longer support the HSTS headers. Currently we modified the ingress-controller to always set the header (removed the conditionals). It would be great if both features could be integrated into the controller by default. This would allow us to switch back to the default nginx.tmpl.

If this is a change which is welcome I will be happy to contribute some code, but will need some assistance.

[foxylion]

This is cool. But I think some minor things are still missing. It is still not possible to add HSTS headers when you're not using SSL termination in ingress (this would be a important feature in combination with ForceSSLRedirect).

Edit: I had a look into the code. There is one thing I would like to improve:
This "https redirect" feature is on a per location basis. This means for each ingress I have to ensure it is enabled. Ingress is controlled by our developers. If one forgets to add this option traffic could be served in plain text.
Wouldn't it be a good idea to also support https redirect and hsts in a global context?

@aledbf Could you reopen this?

[kylegato]

When I add:

annotations: kubernetes.io/ingress.class: "nginx" ingress.kubernetes.io/force-ssl-redirect: : "true"

To my Ingress config for a service, it just loops over and over and over again, because we are doing SSL termination at the ELB and therefore passing traffic from the ELB to our Ingress controller via HTTP.

@foxylion is the above issue why you've had to do what you're doing? I may end up doing the same....

[foxylion]

@kylegato Back then the annotation did not exist. And since then I had no time to actually test the new annotation, especially because it does not solve everything (HSTS headers are missing).

For the moment I've the separate port and modified to always set the HSTS header (removed the if statements in the template).

[asmith60]

@kylegato @foxylion I am having the same issue where SSL termination at the ELB + ingress.kubernetes.io/force-ssl-redirect: : "true" results in an infinite redirect loop. I am on version 0.9.0-beta.3. Did you ever find a solution?

[kylegato]

@asmith60 I am just going to rely on HSTS for now.

[foxylion]

@kylegato Main problem with that solution is, that unless the client uses HTTPS once he can still use HTTP.

[kerin]

Has anyone managed to get the ingress.kubernetes.io/force-ssl-redirect annotation to work with SSL termination on an ELB? Whatever I do I end up with an infinite HTTPS->HTTPS redirect loop (with 0.9-beta.8), so like others I'm having to override and modify the nginx.conf template, making updates pretty painful.

[philipbjorge]

Does anyone have feedback on the preferred way to force HSTS for SSL terminated environments?
#917

[danielfm]

For those experiencing the redirect loop, make sure you enabled the HTTP backend protocol in ingress service via the corresponding annotations:

    annotations:
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: https
      service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: ...

This will cause the ELB to operate in Layer 7, and thus inject the X-Forwarded-* headers required for the redirect logic to work.

Also please note the redirect won't work if you enabled Proxy Protocol as well; in this case, the ELB would need to operate on TCP/SSL (Layer 4), thus such headers won't be available to NGINX, causing the redirect to loop.