Fix SSL Passthrough template issue and custom ports in redirect to HTTPS

kubernetes · Jan 2, 2018 · ba3b560 · ba3b560
1 parent d22038b
commit ba3b560
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 11 deletions.
diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go
@@ -476,6 +476,7 @@ func (n *NGINXController) getBackendServers(ingresses []*extensions.Ingress) ([]
 						loc.Whitelist = anns.Whitelist
 						loc.Denied = anns.Denied
 						loc.XForwardedPrefix = anns.XForwardedPrefix
+						loc.UsePortInRedirects = anns.UsePortInRedirects
 
 						if loc.Redirect.FromToWWW {
 							server.RedirectFromToWWW = true
@@ -507,6 +508,7 @@ func (n *NGINXController) getBackendServers(ingresses []*extensions.Ingress) ([]
 						Whitelist:            anns.Whitelist,
 						Denied:               anns.Denied,
 						XForwardedPrefix:     anns.XForwardedPrefix,
+						UsePortInRedirects:   anns.UsePortInRedirects,
 					}
 
 					if loc.Redirect.FromToWWW {
@@ -1219,9 +1221,12 @@ func (n *NGINXController) SetForceReload(shouldReload bool) {
 }
 
 func (n *NGINXController) extractAnnotations(ing *extensions.Ingress) {
+	glog.V(3).Infof("updating annotations information for ingress %v/%v", ing.Namespace, ing.Name)
 	anns := n.annotations.Extract(ing)
-	glog.V(3).Infof("updating annotations information for ingress %v/%v", anns.Namespace, anns.Name)
-	n.listers.IngressAnnotation.Update(anns)
+	err := n.listers.IngressAnnotation.Update(anns)
+	if err != nil {
+		glog.Errorf("unexpected error updating annotations information for ingress %v/%v: %v", anns.Namespace, anns.Name, err)
+	}
 }
 
 // getByIngress returns the parsed annotations from an Ingress

diff --git a/internal/ingress/controller/nginx.go b/internal/ingress/controller/nginx.go
@@ -234,8 +234,6 @@ type NGINXController struct {
 	// returns true if proxy protocol es enabled
 	IsProxyProtocolEnabled bool
 
-	isSSLPassthroughEnabled bool
-
 	isShuttingDown bool
 
 	Proxy *TCPProxy
@@ -490,7 +488,7 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error {
 		})
 	}
 
-	if n.isSSLPassthroughEnabled {
+	if n.cfg.EnableSSLPassthrough {
 		n.Proxy.ServerList = servers
 	}
 
@@ -636,7 +634,7 @@ func (n *NGINXController) OnUpdate(ingressCfg ingress.Configuration) error {
 		Cfg:                     cfg,
 		IsIPV6Enabled:           n.isIPV6Enabled && !cfg.DisableIpv6,
 		RedirectServers:         redirectServers,
-		IsSSLPassthroughEnabled: n.isSSLPassthroughEnabled,
+		IsSSLPassthroughEnabled: n.cfg.EnableSSLPassthrough,
 		ListenPorts:             n.cfg.ListenPorts,
 		PublishService:          n.GetPublishService(),
 	}

diff --git a/rootfs/etc/nginx/template/nginx.tmpl b/rootfs/etc/nginx/template/nginx.tmpl
@@ -214,7 +214,7 @@ http {
     }
     {{ else }}
     map $pass_server_port $pass_port {
-        443              443;
+        {{ $all.ListenPorts.HTTPS }}              443;
         default          $pass_server_port;
     }
     {{ end }}
@@ -678,6 +678,8 @@ stream {
         {{ end }}
 
         location {{ $path }} {
+            port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
+
             {{ if $all.Cfg.EnableVtsStatus }}{{ if $location.VtsFilterKey }} vhost_traffic_status_filter_by_set_key {{ $location.VtsFilterKey }};{{ end }}{{ end }}
 
             set $proxy_upstream_name "{{ buildUpstreamName $server.Hostname $all.Backends $location }}";
@@ -688,11 +690,12 @@ stream {
             set $ingress_name   "{{ $ing.Rule }}";
             set $service_name   "{{ $ing.Service }}";
 
+            {{/* redirect to HTTPS can be achieved forcing the redirect or having a SSL Certificate configured for the server */}}
             {{ if (or $location.Rewrite.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Rewrite.SSLRedirect)) }}
             # enforce ssl on server side
             if ($redirect_to_https) {
-                {{ if ne $all.ListenPorts.HTTPS 443 }}
-                {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }}
+                {{ if $location.UsePortInRedirects }}
+                {{ $redirect_port := (printf ":%v" $all.ListenPorts.HTTPS) }} 
                 return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host{{ $redirect_port }}$request_uri;
                 {{ else }}
                 return {{ $all.Cfg.HTTPRedirectCode }} https://$best_http_host$request_uri;
@@ -716,8 +719,6 @@ stream {
             }
             {{ end }}
 
-            port_in_redirect {{ if $location.UsePortInRedirects }}on{{ else }}off{{ end }};
-
             {{ if not (empty $authPath) }}
             # this location requires authentication
             auth_request        {{ $authPath }};