4

I'm trying to set up my EKS cluster in AWS with Nginx ingress controller.

Nginx ingress controller creates a service of type LoadBalancer which in turn creates an ELB instance that's mapped to the node ports of the service.

I'd like to have the SSL certificate managed by AWS, not the Kubernetes cluster, so I imported it into the AWS Certificate Manager and added an annotation to the nginx service:

service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <certificate_arn>

So far it's standard stuff. The load balancer is now doing the SSL termination and the subsequent communication between it and the cluster is unencrypted, which is what I wanted. The only problem is that instead of this:

[Client] -> HTTPS (443) -> [ELB (SSL termination)] -> HTTP (80) -> [Service]

I get this:

[Client] -> HTTPS (443) -> [ELB (SSL termination)] -> HTTP (443) -> [Service]

As you can see, the ELB doesn't change the port from 443 to 80 and the communication gets rejected by the Nginx pod because it receives unencrypted traffic on port 443.

I tried a similar thing with SSL/TCP ELB but the same problem occurs.

I searched but couldn't find any way to tell the ELB to send the unencrypted traffic to port 80. Any ideas?

Thanks!

Michal Artazov

1 Answer

4

You need to configure your Ingress service to use targetPort: http even when using the 443 port.

Here is an example of using Nginx Ingress and Amazon ELB with Layer 7 (HTTP/HTTPS) listeners:

kind: Service
apiVersion: v1
metadata:
  name: ingress-nginx
  namespace: ingress-nginx
  labels:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  annotations:
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:acm:us-west-2:XXXXXXXX:certificate/XXXXXX-XXXXXXX-XXXXXXX-XXXXXXXX"
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "http"
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "https"
    service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
spec:
  type: LoadBalancer
  selector:
    app.kubernetes.io/name: ingress-nginx
    app.kubernetes.io/part-of: ingress-nginx
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: https
      port: 443
      targetPort: http  # <--- PAY ATTENTION HERE

Eduardo Baitello
  • My request works on http, but the same request times out when I invoke it using https. I changed the target port to http as you mentioned, still no luck. How can I debug where exactly the issue is in Kubernetes? – sudharsan tk Dec 26 '19 at 04:54
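
A check for the mismatch described in the question and fixed in the answer, added here as an example and not code from any of the posters: it takes a Service as a dict (for instance parsed from `kubectl get svc -o json`) and reports ports where the ELB terminates TLS but the targetPort is not a plaintext port. The function names, the sample manifests, the assumption that the controller's plaintext port is named `http` or numbered 80, and treating an unset backend-protocol as `tcp` are assumptions.

```python
PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"

def tls_target_findings(service, plaintext_targets=("http", 80)):
    """List Service ports where the ELB terminates TLS but forwards to a
    targetPort that is not a plaintext port of the controller (assumed:
    named "http" or numbered 80)."""
    ann = service.get("metadata", {}).get("annotations") or {}
    if PREFIX + "ssl-cert" not in ann:
        return []  # no certificate on the ELB, nothing is terminated there
    # Assumption: an unset backend-protocol behaves like "tcp".
    backend = ann.get(PREFIX + "backend-protocol") or "tcp"
    if backend in ("https", "ssl"):
        return []  # ELB re-encrypts to the backend, a TLS target is expected
    # ssl-ports holds port names or numbers; "*" (the default) means all.
    wanted = {p.strip() for p in ann.get(PREFIX + "ssl-ports", "*").split(",")}
    findings = []
    for port in service["spec"]["ports"]:
        terminated = ("*" in wanted or port.get("name") in wanted
                      or str(port["port"]) in wanted)
        # Kubernetes uses the service port when targetPort is omitted.
        target = port.get("targetPort", port["port"])
        if terminated and target not in plaintext_targets:
            findings.append({"name": port.get("name"), "port": port["port"],
                             "targetPort": target, "backend": backend})
    return findings

def sample_service(https_target):
    """Constructed sample shaped like the Service in the answer;
    the certificate ARN is a placeholder."""
    return {
        "kind": "Service",
        "metadata": {"name": "ingress-nginx", "annotations": {
            PREFIX + "ssl-cert": "arn:aws:acm:REGION:ACCOUNT:certificate/PLACEHOLDER",
            PREFIX + "backend-protocol": "http",
            PREFIX + "ssl-ports": "https"}},
        "spec": {"type": "LoadBalancer", "ports": [
            {"name": "http", "port": 80, "targetPort": "http"},
            {"name": "https", "port": 443, "targetPort": https_target}]}}

if __name__ == "__main__":
    # "https" reproduces the question's setup, "http" is the answer's fix.
    for label, target in (("question", "https"), ("answer", "http")):
        print(label, tls_target_findings(sample_service(target)))
```

An empty result only confirms the port mapping; a timeout like the one in the comment above can still come from outside the Service definition.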