from-to-www-redirect is applied after SSL instead of before, causing security warning in browser #2043
Comments
|
Is your certificate valid for both foo.com and www.foo.com ? |
|
No, it's for |
|
Closing. This works as expected. As @JordanP said, if you have an SSL certificate, you need one that contains all the hosts you need (CN in the certificate). This is a restriction in NGINX that we cannot change. |
|
@aledbf So the Ingress Controller throws a 'fake' certificate when the provided certificate doesn't cover the requested host? |
|
@artemzakharov NGINX, not the controller. |
|
@aledbf Got it, thank you for the clarification. Hadn't used NGINX before using this library so wasn't sure who was responsible for which behavior. |
|
I have same issue, my certificate is valid for both
ingress-nginx/rootfs/etc/nginx/template/nginx.tmpl Lines 377 to 405 in 36cce00 |
|
I can confirm that issue exists in 0.14.0, generic block with no ssl included is generated for this specific scenario: |
|
@aledbf Can this be re-opened? The comments above show the issue. It works fine if you come in on |
|
Experiencing this as well, with certs generated by cert-manager (ex kube-lego) Pretty serious issue IMHO, this makes from-to-www-redirect unusable with TLS. The spec.tls.hosts entry in my ingress has both www.foo.com, foo.com, and a 3rd domain, and the resulting cert does have all 3 domains. So, the problem definitely seems to be in the generated nginx config. |
|
I am having the same issue using nginx-ingress-controller:0.14.0. If I visit the root domain i receive a cert error (its serving the Kubernetes Ingress Controller Fake Certificate). I use https://github.com/jetstack/cert-manager (very similar and based on kube-lego, same as the commenter above). Here is my ingress config: |
|
For those interested in a short term work around, I add the following annotation to get it to work as I need for now: Then I add the root foo.com to the rules: |
|
thanks @thomascooper ! This worked for me: |
|
Issues go stale after 90d of inactivity. If this issue is safe to close now please do so with Send feedback to sig-testing, kubernetes/test-infra and/or fejta. |
k8s-ci-robot
added
the
lifecycle/stale
|
@thomascooper's solution also works for redirecting www to non-www. Something like: I could not get this to work without using this snippet. I'm sure the developers on this project have their hands full, but the current behavior outlined in this thread seems unexpected and the issue warrants staying open. |
|
issue still exists with nginx-ingress-0.20.3 |
k8s-ci-robot
removed
the
lifecycle/stale
|
any status update on this? I'm experiencing the same issue... if nothing else my comment will hopefully keep this issue open |
|
yeah, I have this in 0.20.0. The issue as I see it is the following taken from one of my ingress pods nginx.conf. This is the code I assume this does not have a valid ssl cert to serve. |
|
Same here, have to use the configuration-snippet annotation to configure the redirect in nginx, as well as listing all domains in the rules section. If you have additional hosts in the tls section (for example www or non www version of your domain), you still have to list them in the rules section and map them to some service because it seems like the generated nginx config only reads the listed hosts in the rules section. |
|
Watching this! |
|
Long time no change. it's very sad that this issue isn't resolved after nearly one year :-( |
|
Still seems like a problem for https://foo.com when you want to use We're using a wildcard cert for |
|
Is this supposed to work now? |
|
The same - doesn't work for me, ingress handles both addresses, |
|
nvm, you have to specify both domains in Certificate and only domains you want to serve in Ingress. |
|
I have a wildcard certificate My ingress configuration. |
|
@corpulent Update your rules as follow: |
|
@SeriousJul Thanks, that worked! And the other issues I had also resolved from the comments in this issue. |
|
Sorry if I have to ask: But is this problem now solved? And if yes, in which version. Because I'm facing the issue right now with version 0.10.2 and it would be nice to know to which version I have to upgrade. |
|
This is working for me with this config. I'm using cert-manager to obtain the certificates. I noticed you have to list both hosts in the tls section and have a valid certificate for both as mentioned in other comments, but you shouldn't list the www host in the rules section for the from-to-www-redirect annotation to work. |
|
And which version of the ingress are you using?
Joni Bekenstein <notifications@github.com> schrieb am Mi., 19. Aug. 2020,
17:00:
… This is working for me with this config. I'm using cert-manager to obtain
the certificates. I noticed you have to list both hosts in the tls section
and have a valid certificate for both as mentioned in other comments, but
you shouldn't list the www host in the rules section for the
from-to-www-redirect annotation to work.
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: web
annotations:
kubernetes.io/ingress.class: "nginx"
cert-manager.io/cluster-issuer: "letsencrypt"
nginx.ingress.kubernetes.io/from-to-www-redirect: "true"
spec:
tls:
- hosts:
- foo.com
- www.foo.com
secretName: web-tls
rules:
- host: foo.com
http:
paths:
- path: /
backend:
serviceName: web
servicePort: 8000
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#2043 (comment)>,
or unsubscribe
<https://github.com/notifications/unsubscribe-auth/ACAADHX3D5WU57ZVL6EN7VTSBPSJFANCNFSM4EPUXURQ>
.
|
|
@JustDoItSascha nginx-ingress-controller:0.32.0 |
I am not sure how it works for you, because I'm using the exact same configuration ( |
and others
Is this a request for help?: No, bug
What keywords did you search in NGINX Ingress controller issues before filing this one?: force-www, ssl, https, kubernetes ingress controller fake certificate
Is this a BUG REPORT or FEATURE REQUEST?: bug
NGINX Ingress controller version:
0.9.1Kubernetes version:
1.8.5Environment: GKE
uname -a):What happened: I have an app I would like to host on
www.foo.com. My nginx ingress has thefrom-to-www-redirectflag enabled to redirect requests from the base domain url, and has a TLS secret to provide for secure connections. This combination of redirect and SSL works for most url inputs, but not one in particular -https://foo.com. In this case, browsers present a security warning like this:Forcing the browser to proceed to the "unsafe" site redirects to the correct destination of
https://www.foo.comand enables SSL like nothing ever happened. For reference, the following urls all redirect tohttps://www.foo.comwith no warnings:foo.comhttp://foo.comwww.foo.comhttp://www.foo.comWhat you expected to happen: I expect
https://foo.comto redirect tohttps://www.foo.comwithout browsers displaying a false alarm.How to reproduce it (as minimally and precisely as possible):
from-to-www-redirectand SSL via a certificate, with a subdomain host likewww.foo.compointing to the application servicehttps://<base-domain>.Anything else we need to know:
Here's my nginx ingress config file:
The text was updated successfully, but these errors were encountered: