7

I have an ingress that connects to Kubernetes Dashboard, but I'm getting a 400 error when trying to access it.

--- apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: kubernetes-dashboard namespace: kubernetes-dashboard annotations: kubernetes.io/ingress.class: nginx cert-manager.io/cluster-issuer: "letsencrypt-prod" nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" nginx.ingress.kubernetes.io/auth-tls-verify-client: "false" nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16" spec: tls: - hosts: - kube.example.com secretName: dashboard-tls # confirmed is valid LE cert rules: - host: kube.example.com http: paths: - backend: serviceName: kubernetes-dashboard servicePort: 443

That gives me a 400 error in the nginx pod.

2020/08/28 01:25:58 [error] 2609#2609: *795 readv() failed (104: Connection reset by peer) while reading upstream, client: 10.0.0.25, server: kube.example.com, request: "GET / HTTP/1.1", upstream: "http://10.42.0.2:8443/", host: "kube.example.com"

10.0.0.25 - - [28/Aug/2020:01:25:58 +0000] "GET / HTTP/1.1" 400 0 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:79.0) Gecko/20100101 Firefox/79.0" "-"

 

And in case it is relevant, my nginx configuration, deployed through the helm chart nginx-stable/nginx-ingress

 ## nginx configuration ## Ref: https://github.com/kubernetes/ingress/blob/master/controllers/nginx/configuration.md ## controller: config: entries: hsts-include-subdomains: "false" ssl-ciphers: "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4" ssl-protocols: "TLSv1.1 TLSv1.2" ingressClass: nginx service: externalTrafficPolicy: Local annotations: metallb.universe.tf/address-pool: default defaultBackend: enabled: true tcp: 22: "gitlab/gitlab-gitlab-shell:22"
Improve this question
4
  • Seems like you're trying to use HTTP to access an HTTPS endpoint. Commented Aug 28, 2020 at 2:14
  • @Spooler but doesn't backend-protocol=HTTPS make it use HTTPS instead? Commented Aug 28, 2020 at 2:18
  • That makes the reverse proxy communicate with the backend services via https, but the client initiating requests to the ingress controller must not use 'http', or it will be classified as an invalid request. You have not defined a redirect from http to https. Commented Aug 28, 2020 at 2:26
  • @Spooler I removed the ssl-redirect annotation because the docs stated that it's on by default if https is available. But even adding it back and setting it to true, and doing curl https://kube.example.com returns Client sent an HTTP request to an HTTPS server. Commented Aug 28, 2020 at 2:31

1 Answer 1

Reset to default
14

All you need is this annotation on your service ingress

annotations: nginx.ingress.kubernetes.io/backend-protocol: HTTPS nginx.ingress.kubernetes.io/configuration-snippet: |- proxy_ssl_server_name on; proxy_ssl_name $host;
Improve this answer
4
  • You saved my life (: Commented Feb 13, 2021 at 19:09
  • I had to use this syntax, kubernetes.github.io/ingress-nginx/user-guide/… Commented Mar 9, 2021 at 22:06
  • 1
    OMG - you saved my life too. Though it seems I just needed to use the first annotation backend-protocol. What additional stuff does the configuration-snippet enable? Commented Apr 10, 2021 at 15:07
  • 1
    This solved my problem too, but besides the configuration snippet, an explanation of what is going on would be needed for the answer to be complete. Commented Sep 11, 2021 at 22:48

You must log in to answer this question.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.