4

I'd love to set up HSTS with my GKE cluster, as right now HTTP requests return a Google broken robot 404 page after setting this up in ingress.yml annotations: kubernetes.io/ingress.allow-http: "false"

Apparently there are options for this in ingress.yml (namely hsts-max-age and hsts-include-subdomains), but as far as I understand it's not supported by GKE: https://github.com/kubernetes/ingress/blob/7c749ede0a2d88f289279d61d04005e22f002104/docs/annotations.md#tls-related

I'd really like to avoid using and maintaining a custom Nginx load balancer and losing Google's scaling; sticking to the default one would be a strong requirement. I'd also like to avoid letting HTTP requests pass through and handling redirects and the HSTS header in my app.

If HSTS isn't possible, I could live with a good redirection setup.

Thanks a lot!

3 Answers

4

Google Cloud now seems to support custom request and response headers for HTTP(S) Load Balancers. I've added a custom Strict-Transport-Security response header for our backend and it works as expected.

In the given example we use a backend bucket; however, the custom header option is available for other backend types too.

Example custom response header

5

HSTS is currently not possible with Google Cloud Load Balancer. There is a feature request already open for this feature. You can subscribe to the feature request for updates.

3
  • Thanks a lot for the response, I starred the issue. Is there any way with the load balancer to handle HTTP -> HTTPS redirection, or is my only option doing it in my application (or using a custom load balancer)? Commented Jul 20, 2017 at 8:33
  • The redirection is not yet supported directly from the load balancer; however, this issue report has recommendations on how to do that in your app. Commented Jul 20, 2017 at 15:40
  • Thanks, so it seems right now the only option is to do the redirection in the backend application layer using the X-Forwarded-Proto http header set by the load balancer: serverfault.com/questions/733166/… Commented Jul 21, 2017 at 10:05
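
The application-layer approach mentioned in the comments above (redirecting on the load balancer's X-Forwarded-Proto header), sketched as WSGI middleware. This is an added example, not code from the thread; Python, the names `ForwardedProtoHSTS`, `demo_app` and `HSTS_VALUE`, the max-age value, and treating a missing header as a health check are all assumptions.

```python
from urllib.parse import quote

HSTS_VALUE = "max-age=31536000; includeSubDomains"  # assumed policy, not from the thread


class ForwardedProtoHSTS:
    """WSGI middleware: redirect HTTP to HTTPS, add HSTS to HTTPS responses."""

    def __init__(self, app, hsts_value=HSTS_VALUE):
        self.app = app
        self.hsts_value = hsts_value

    def __call__(self, environ, start_response):
        # The load balancer reports the client-side scheme in X-Forwarded-Proto.
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if proto == "http":
            # Client reached the load balancer over plain HTTP: redirect it.
            path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", ""),
                         encoding="latin-1")
            query = environ.get("QUERY_STRING", "")
            host = environ.get("HTTP_HOST") or environ.get("SERVER_NAME", "")
            location = "https://" + host + path + ("?" + query if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        if proto != "https":
            # Header absent: assumed to be a health check or in-cluster call.
            # Redirecting it would make the backend look unhealthy.
            return self.app(environ, start_response)

        def add_hsts(status, headers, exc_info=None):
            # Browsers ignore HSTS received over HTTP, so only this branch sets it.
            headers = [(k, v) for k, v in headers
                       if k.lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts_value))
            return start_response(status, headers, exc_info)

        return self.app(environ, add_hsts)


def demo_app(environ, start_response):
    """Stand-in for the real application (hypothetical)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]


application = ForwardedProtoHSTS(demo_app)
```

The first HTTP request is still sent in clear text before the redirect; HSTS only protects later visits once a browser has seen the header over HTTPS.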
2

Currently this *is* supported by GCLB backend configuration; however, it is not available as a setting for gce-ingress controller. Hopefully someday!

See: https://github.com/kubernetes/ingress-gce/issues/1106
