Redirect HTTP to HTTPS on Kubernetes using Nginx

SSL redirect graph

Page Overview

This page uses HPCC TLS configuration using Jetstack cert-manager. NGINX will be implemented to enable traffic routing to the service ECLWatch, and Ingress rules are configured to redirect all HTTP traffic to use HTTPS. To make sure visitors always will be using a secured connection, redirect visitors that are making the first connection via HTTP. This configuration will make use of the permanent HTTP redirect code (HTTP status 308).

What is Ingress?

Ingress defines traffic routing rules to manage external user access to services within a Kubernetes cluster. With Ingress, you can easily set up rules for routing traffic. It does this by mapping URLs to the services.

What is NGINX?

NGINX is a free, open-source, high-performance HTTP and reverse proxy server responsible for handling the load of some of the largest sites on the Internet. NGINX is responsible for routing requests to the appropriate services within the Kubernetes cluster, by reading and processing the rules in the Ingress resource.

Prerequisites

Before getting started, have the following prerequisites deployed and running,

Then, follow the tutorial linked here to:

  • Install cert-manager custom resource definitions
  • Install cert-manager helm chart
  • Create a root certificate for the local cluster certificate authority
  • Create a Kubernetes TLS secret
  • Install HPCC with certificates enabled

After Installing HPCC with certificates enabled, verify that all pods, certificate issuers, certificates, and secrets are Ready before continuing.

Using rewrite Annotations

After verifying that all pods, certificates issuers, certificates, and secrets are ready, use the rewrite annotations defined in the Ingress resource below, for redirecting all traffic to HTTPS. The Ingress resource tells NGINX to route requests to service ECLWatch, which can be reached through the Ingress-Nginx controller External IP.

  1. Create an Ingress resource file with the following annotations.
eclwatch-ingress.yaml

Summary of the Ingress Resource file:

Lines 5–9: Annotations-

kubernetes.io/ingress.class: "nginx"tells Kubernetes that this Ingress Resource (eclwatch-ingress) will use the NGINX controller from Ingress.

ingress.kubernetes.io/force-ssl-redirect: "true" forces every incoming HTTP request to HTTPS. It is done by the Ingress-NGINX controller.

nginx.ingress.kubernetes.io/backend-protocol: “HTTPS"Indicates how NGINX should communicate with the backend service. By default NGINX uses HTTP.

nginx.org/ssl-services: “eclwatch" is used to enable HTTPS between NGINX and the backends. Clients can use either HTTP or HTTPS to connect to the NGINX Ingress Controller, but NGINX will always establish an HTTPS connection with a backend.

Lines 11–13: TLS-

In the secretName, we reference a secret resource by its name, hpcc-local-issuer-key-pair. The secret must be of the type kubernetes.io/tls and contain keys named tls.crt and tls.key, which were created when OpenSSL was used to generate the root certificate for HPCC local cluster certificate authority.

2. Configure the Ingress rules

kubectl apply -f eclwatch-ingress.yaml

Validation

Validate that the annotations configured in the Ingress resource have been applied by NGINX.

3. For this example, the name of the Ingress defined previously is eclwatch-ingress

kubectl describe ingress eclwatch-ingressName:             eclwatch-ingressNamespace:        defaultAddress:          20.190.200.130. . .TLS:hpcc-local-issuer-key-pair terminatesRules:Host        Path  Backends----        ----  --------*/   eclwatch:8010 (10.244.0.12:8888)Annotations:  kubernetes.io/ingress.class: nginxnginx.ingress.kubernetes.io/backend-protocol: HTTPSingress.kubernetes.io/force-ssl-redirect: "true"nginx.org/ssl-services: eclwatch. . .

Test

After validating that the Ingress annotations were configured, test the annotations by visiting the service ECLWatch with a normal HTTP protocol. Now it will automatically redirect to HTTPS. You can test with the curl command.

4. First, get the External IP of the Ingress-Nginx controller

kubectl get svc

The result of the command lists all services, and we are looking for the Ingress-Nginx controller External IP. It is shown below:

ingress-Nginx-controller External IP

The External IP is 20.190.200.130, which will be used to test the Ingress rules in the next step.

5. Test the Ingress rules with the External IP, using the curl command

curl -I http://20.190.200.130

As seen below, there is a permanent redirect to HTTPS. The location of the request is now at https://20.190.200.130

HTTP/1.1 308 Permanent RedirectDate: Tue, 17 Aug 2021 03:17:28 GMTContent-Type: text/htmlContent-Length: 164Connection: keep-aliveLocation: https://20.190.200.130

Clean Up

  1. Delete the Ingress resource file
kubectl delete -f hpcc-ingress.yaml

Uninstalling releases with Helm

2. Delete the NGINX controller, specifying a namespace if necessary

helm delete ingress-nginx

3. Delete the HPCC Helm chart and all resources associated with it

helm delete hpcc

4. Delete Cert-manager and all associated resources

helm delete cert-manager

Conclusion

All HTTP requests to service ECLWatch on port 8010 were permanently redirected to the HTTPS location. Now, ECLWatch is always using SSL certificates.

References

--

--

--

Love podcasts or audiobooks? Learn on the go with our new app.

Recommended from Medium

Managing Task Dependencies in Trello

WordPress Developer: Is it worth it in 2022?

wordpress website

New RFOX VALT Metaverse Avatars Are Going Places

Getting a list of nearby WiFi access points in Python on MacOS

Arithmetic Properties a Calculus journey

How To Break/Crack/Reset Root Login Password On CentOS/RHEL 7?

Deploying a Database in a Container — PostgreSQL and Docker

Use a Different Volume For Your Docker Images in Ubuntu | by Andy Macdonald  | clusterfk | Medium

Monitoring Spinnaker, Part 1

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Amy Ma

Amy Ma

More from Medium

Monitor your Raspberry Pi using Grafana Cloud

How to serve multiple web applications on a single port and different subdomains using Nginx and…

Build Customised Zeppelin Docker Image

Docker Introduction