3

I'd love to set up HSTS with my GKE cluster, as right now HTTP requests return a Google broken robot 404 page after setting this up in the ingress.yml annotations: `kubernetes.io/ingress.allow-http: "false"`

Apparently there are options for this in ingress.yml (namely hsts-max-age and hsts-include-subdomains), but as far as I understand it's not supported by GKE: https://github.com/kubernetes/ingress/blob/7c749ede0a2d88f289279d61d04005e22f002104/docs/annotations.md#tls-related

I'd really like to avoid using and maintaining a custom Nginx load balancer and losing Google's scaling; sticking to the default one would be a strong requirement. I'd also like to avoid letting HTTP requests pass through and handling redirects and the HSTS header in my app.

If HSTS isn't possible, I could live with a good redirection setup.

Thanks a lot!

dain

3 Answers

5

HSTS is currently not possible with Google Cloud Load Balancer. There is a feature request already open for this feature. You can subscribe to the feature request for updates.

Faizan
  • Thanks a lot for the response, I starred the issue. Is there any way with the load balancer to handle HTTP -> HTTPS redirection, or is my only option doing it in my application (or using a custom load balancer)? – dain Jul 20 '17 at 08:33
  • The redirection is not yet supported directly from the load balancer; however, [this issue report](https://issuetracker.google.com/35904733) has recommendations on how to do that in your app. – Faizan Jul 20 '17 at 15:40
  • Thanks, so it seems right now the only option is to do the redirection in the backend application layer using the `X-Forwarded-Proto` HTTP header set by the load balancer: https://serverfault.com/questions/733166/redirect-all-http-traffic-to-https-when-using-the-https-load-balancer-on-googl – dain Jul 21 '17 at 10:05
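
The application-layer approach these comments settle on, as an added example that is not from the thread or from Google's documentation: a WSGI middleware that redirects when `X-Forwarded-Proto` is `http` and adds `Strict-Transport-Security` only to HTTPS responses. Assumptions: a Python WSGI backend, the hypothetical names `ForceHTTPS`, `canonical_host`, `probe` and `demo_app`, the HSTS policy value, and that requests arriving without the header are health-check probes or direct traffic that must not be redirected.

```python
from urllib.parse import quote

HSTS = "max-age=31536000; includeSubDomains"  # assumed policy, adjust per site

class ForceHTTPS:
    """Redirect plain-HTTP requests and add HSTS to HTTPS responses (WSGI)."""

    def __init__(self, app, canonical_host=None, hsts=HSTS):
        self.app, self.host, self.hsts = app, canonical_host, hsts

    def __call__(self, environ, start_response):
        proto = environ.get("HTTP_X_FORWARDED_PROTO", "").strip().lower()
        if proto == "http":
            # Prefer a configured host so the redirect never echoes a forged Host.
            host = self.host or environ.get("HTTP_HOST", "")
            if not host:
                start_response("400 Bad Request", [("Content-Length", "0")])
                return [b""]
            path = quote(environ.get("SCRIPT_NAME", "") + environ.get("PATH_INFO", "")) or "/"
            query = environ.get("QUERY_STRING", "")
            location = f"https://{host}{path}" + (f"?{query}" if query else "")
            start_response("301 Moved Permanently",
                           [("Location", location), ("Content-Length", "0")])
            return [b""]
        if proto != "https":
            # No header: a health-check probe or direct pod traffic. Pass through,
            # because a 301 here would mark the backend unhealthy.
            return self.app(environ, start_response)

        def with_hsts(status, headers, exc_info=None):
            # HSTS is only meaningful on HTTPS responses; replace any app-set copy.
            headers = [h for h in headers if h[0].lower() != "strict-transport-security"]
            headers.append(("Strict-Transport-Security", self.hsts))
            return start_response(status, headers, exc_info)

        return self.app(environ, with_hsts)

def probe(middleware, **environ):
    """Run one constructed request; return (status, headers dict)."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"], seen["headers"] = status, dict(headers)
    b"".join(middleware(environ, start_response))
    return seen["status"], seen["headers"]

def demo_app(environ, start_response):  # stand-in for the real application
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"ok"]
```
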
3

Google Cloud now seems to support custom request and response headers for HTTP(S) Load Balancers. I've added a custom Strict-Transport-Security response header for our backend and it works as expected.

In the given example we use a backend bucket, however the custom header option is available for other backend types too.

Example custom response header

philsch
0

Currently this *is* supported by GCLB backend configuration; however, it is not available as a setting for the gce-ingress controller. Hopefully someday!

See: https://github.com/kubernetes/ingress-gce/issues/1106

deploycat