Welcome to OStack Knowledge Sharing Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
348 views
in Technique [Technology] by (71.8m points)

google cloud platform - Kubernetes - Ingress TCP service SSL Termination

I'm doing SSL termination using Ingress for HTTPS traffic. But I also want to achieve the same thing for a custom port (HTTP virtual host). For example, https://example.com:1234 should go to http://example.com:1234.

Nginx Ingress has a ConfigMap where we can expose custom ports. But SSL termination doesn't work here.

Any workaround? I wonder if I could redirect the incoming HTTPS using .htaccess instead.

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: tcp-services
      namespace: ingress-nginx
    data:
      1234: "test-web-services/httpd:1234"
    ---
    apiVersion: v1
    kind: Service
    metadata:
      name: ingress-nginx
      namespace: ingress-nginx
      labels:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
    spec:
      externalTrafficPolicy: Local
      type: LoadBalancer
      selector:
        app.kubernetes.io/name: ingress-nginx
        app.kubernetes.io/part-of: ingress-nginx
      ports:
        - name: http
          port: 80
          protocol: TCP
          targetPort: http
        - name: port-1234
          port: 1234
          protocol: TCP
          targetPort: 1234

question from:https://stackoverflow.com/questions/65857360/kubernetes-ingress-tcp-service-ssl-termination


1 Answer

0 votes
by (71.8m points)

SSL Termination for TCP traffic is not a feature directly supported by nginx-ingress.

It is more widely described in this GitHub issue:

You can also find in this thread that some people were successful in implementing a workaround allowing them to support terminating SSL with TCP services. Specifically:


As your example featured the "downgrade" from HTTPS communication to HTTP, it could be beneficial to add that you can alter the way that NGINX Ingress Controller connects to your backend. Let me elaborate on that.

Please consider this as a workaround:

By default, your NGINX Ingress Controller will connect to your backend with HTTP. This can be changed with the following annotation:

  • nginx.ingress.kubernetes.io/backend-protocol:

Citing the official documentation:

Using backend-protocol annotations is possible to indicate how NGINX should communicate with the backend service. (Replaces secure-backends in older versions) Valid Values: HTTP, HTTPS, GRPC, GRPCS, AJP and FCGI

By default NGINX uses HTTP.

-- Kubernetes.github.io: Ingress-nginx: User guide: Nginx configuration: Annotations: Backend protocol

In this particular example the request path will be the following:

  • client -- (HTTPS:443) --> Ingress controller (TLS Termination) -- (HTTP:service-port) --> Service ----> Pod

The caveat

You can use the Service of type LoadBalancer to send the traffic from port 1234 to either 80/443 of your Ingress Controller. This would make TLS termination much easier but it would force the client to use only one protocol. For example:

    - name: custom
      port: 1234
      protocol: TCP
      targetPort: 443

This excerpt from the nginx-ingress Service could be used to forward the HTTPS traffic to your Ingress Controller, where the request would be TLS terminated and forwarded as HTTP to your backend. Forcing HTTP through that port would yield error code 400: Bad request.

In this particular example the request path will be the following:

  • client -- (HTTPS:1234) --> Ingress controller (TLS Termination) -- (HTTP:service-port) --> Service ----> Pod
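
The complete configuration for the port 1234 path described in the answer, as an added example that is not part of the original answer: the Service excerpt in context plus the Ingress that performs the TLS termination. The host, namespace and backend come from the question; the Secret name example-com-tls and the IngressClass name nginx are assumptions.

```yaml
# Added example. Host example.com and backend test-web-services/httpd:1234 are
# from the question; Secret "example-com-tls" and class "nginx" are assumed.
apiVersion: v1
kind: Service
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
    # External 1234 lands on the controller's HTTPS listener, so every host
    # the controller serves on 443 is also reachable on 1234.
    - name: custom
      port: 1234
      protocol: TCP
      targetPort: 443
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: httpd
  namespace: test-web-services
  annotations:
    # HTTP is the default; stated explicitly: controller-to-pod hop is plaintext.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - example.com
      secretName: example-com-tls   # kubernetes.io/tls Secret in this namespace
  rules:
    - host: example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: httpd
                port:
                  number: 1234
```

The tcp-services ConfigMap entry for 1234 plays no part in this path, because the Service sends external port 1234 to the controller's 443 listener rather than to a TCP stream listener on 1234.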
