</code></pre></div><p>Then create the secret in the cluster via:</p><divclass=highlight><pre><span></span><code>kubectl<spanclass=w></span>create<spanclass=w></span>secret<spanclass=w></span>tls<spanclass=w></span><spanclass=si>${</span><spanclass=nv>CERT_NAME</span><spanclass=si>}</span><spanclass=w></span>--key<spanclass=w></span><spanclass=si>${</span><spanclass=nv>KEY_FILE</span><spanclass=si>}</span><spanclass=w></span>--cert<spanclass=w></span><spanclass=si>${</span><spanclass=nv>CERT_FILE</span><spanclass=si>}</span>
</code></pre></div><p>The resulting secret will be of type <code>kubernetes.io/tls</code>; the controller ignores secrets of any other type when they are referenced from an Ingress.</p><h2id=host-names>Host names<aclass=headerlinkhref=#host-namestitle="Permanent link"> ¶</a></h2><p>Ensure that the relevant <ahref=https://kubernetes.io/docs/concepts/services-networking/ingress/#tls>ingress rules specify a matching hostname</a>: the names listed under <code>tls.hosts</code> must match the <code>host</code> of the corresponding rules, and each of them must be covered by the certificate in the referenced secret (Subject Alternative Names, or the Common Name for older certificates). If the certificate does not cover a host, ingress-nginx logs a warning and serves the default certificate for that server instead, which clients will reject.</p><h2id=default-ssl-certificate>Default SSL Certificate<aclass=headerlinkhref=#default-ssl-certificatetitle="Permanent link"> ¶</a></h2><p>NGINX provides the option to configure a server as a catch-all with <ahref=https://nginx.org/en/docs/http/server_names.html>server_name</a> for requests that do not match any of the configured server names. This configuration works out-of-the-box for HTTP traffic. For HTTPS, a certificate is naturally required, because the TLS handshake completes before NGINX knows whether any Ingress matches the request.</p><p>For this reason the Ingress controller provides the flag <code>--default-ssl-certificate</code>. The secret referred to by this flag, in the form <code>namespace/secretName</code>, must be a <code>kubernetes.io/tls</code> secret like the one created above and contains the default certificate to be used when accessing the catch-all server. If this flag is not provided, the controller generates a self-signed placeholder certificate at startup and serves that; browsers will not trust it, so set the flag on any controller that real clients can reach.</p><p>For instance, if you have a TLS secret <code>foo-tls</code> in the <code>default</code> namespace, add <code>--default-ssl-certificate=default/foo-tls</code> to the controller container's arguments in the <code>nginx-controller</code> deployment.</p><p>If the <code>tls:</code> section of an Ingress is not set, NGINX will provide the default certificate for its hosts but will not force HTTPS redirect.</p><p>On the other hand, if the <code>tls:</code> section is set - even without specifying a <code>secretName</code> option - NGINX will force HTTPS redirect. 
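To see which certificate the catch-all server actually hands out, and whether plain HTTP for a host with a <code>tls:</code> block really is redirected, the following probe can be run from a machine that reaches the controller. It is an added example, not tooling from the ingress-nginx project: the controller address and the two host names are placeholders, and the fake-certificate Common Name it searches for is the one current controller versions generate (verify it against your deployment if the check never matches). Certificate verification is disabled on purpose so that self-signed defaults can be inspected.

```python
"""Probe which certificate an ingress-nginx endpoint serves for known and unknown host names,
and whether plain HTTP for a TLS-enabled host is redirected."""
import http.client
import socket
import ssl

# Placeholders to replace; the probe opens real connections to them.
CONTROLLER_ADDR = ("ingress.example.internal", 443)  # where the controller's HTTPS port is reachable
HTTP_PORT = 80
KNOWN_HOST = "foo.example.com"                       # a host that an Ingress rule covers
UNKNOWN_HOST = "no-such-host.example.invalid"        # deliberately matches no Ingress rule

# Subject CN of the self-signed certificate the controller generates at startup when no
# --default-ssl-certificate is configured. This is the name current controller versions
# use (assumption); compare against what your controller serves if the check never matches.
FAKE_CERT_CN = b"Kubernetes Ingress Controller Fake Certificate"


def fetch_der(addr, sni):
    """Return the DER-encoded leaf certificate served for the SNI name `sni`.

    Verification is disabled on purpose: the goal is to see what is served, including
    self-signed defaults that verification would reject before we could inspect them.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection(addr, timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            return tls.getpeercert(binary_form=True)


def is_controller_fake_cert(der):
    """True if the DER certificate carries the controller's fake-certificate CN.

    The CN is stored as an ASCII string inside the DER encoding, so a byte search is
    enough and avoids pulling in an X.509 parser.
    """
    return FAKE_CERT_CN in der


def classify_default_cert(der_known, der_unknown):
    """Classify the catch-all server's certificate relative to the known host's.

    "fake-default": unmatched names get the controller's self-signed placeholder,
                    i.e. --default-ssl-certificate is not configured.
    "shared":       both names get the same certificate: either the default secret
                    doubles as the known host's, or the known host has fallen back to
                    the default (a sign that its own secret or SANs are wrong).
    "distinct":     unmatched names get a dedicated default certificate.
    """
    if is_controller_fake_cert(der_unknown):
        return "fake-default"
    if der_known == der_unknown:
        return "shared"
    return "distinct"


def probe_http_redirect(host_addr, host):
    """GET / over plain HTTP with the Host header set; return (status, Location header)."""
    conn = http.client.HTTPConnection(host_addr, HTTP_PORT, timeout=5)
    conn.request("GET", "/", headers={"Host": host})
    resp = conn.getresponse()
    location = resp.getheader("Location")
    conn.close()
    return resp.status, location


def is_https_redirect(status, location, host):
    """True if the response is a redirect to https:// on the same host (any path or port)."""
    if status not in (301, 302, 303, 307, 308) or not location:
        return False
    prefix = f"https://{host.lower()}"
    loc = location.lower()
    return loc == prefix or loc.startswith(prefix + "/") or loc.startswith(prefix + ":")


if __name__ == "__main__":
    der_known = fetch_der(CONTROLLER_ADDR, KNOWN_HOST)
    der_unknown = fetch_der(CONTROLLER_ADDR, UNKNOWN_HOST)
    print("known host served the fake cert:", is_controller_fake_cert(der_known))
    print("default certificate:", classify_default_cert(der_known, der_unknown))
    status, location = probe_http_redirect(CONTROLLER_ADDR[0], KNOWN_HOST)
    print("HTTP -> HTTPS redirect for", KNOWN_HOST + ":",
          is_https_redirect(status, location, KNOWN_HOST), f"(status {status}, Location {location})")
```

A "shared" result for a host that has its own secret is worth investigating: it usually means the certificate in that secret does not cover the host name and the controller has fallen back to the default.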
</p><p>To force redirects for Ingresses that do not specify a TLS-block at all, take a look at <code>force-ssl-redirect</code> in <ahref=../nginx-configuration/configmap/>ConfigMap</a>.</p><h2id=ssl-passthrough>SSL Passthrough<aclass=headerlinkhref=#ssl-passthroughtitle="Permanent link"> ¶</a></h2><p>The <ahref=../cli-arguments/><code>--enable-ssl-passthrough</code></a> flag enables the SSL Passthrough feature, which is disabled by default. It is required before any Ingress can opt in to passthrough through the <code>nginx.ingress.kubernetes.io/ssl-passthrough: "true"</code> annotation; the annotation alone does nothing while the flag is absent.</p><divclass="admonition warning"><pclass=admonition-title>Warning</p><p>This feature is implemented by intercepting <strong>all traffic</strong> on the configured HTTPS port (default: 443) and handing it over to a local TCP proxy. This bypasses NGINX completely and introduces a non-negligible performance penalty. Because the controller never terminates TLS for a passthrough backend, none of the TLS hardening on this page (default certificate, protocol versions, ciphers, HSTS) and none of the HTTP-level features (path routing, rewrites, authentication annotations) apply to it; the backend is responsible for its own certificate, protocol and cipher configuration.</p></div><p>SSL Passthrough leverages <ahref=https://en.wikipedia.org/wiki/Server_Name_Indication>SNI</a> and reads the requested host name from the plaintext ClientHello at the start of the TLS handshake, which requires clients that send SNI. After a connection has been accepted by the TLS listener, it is handled by the controller itself and piped back and forth between the backend and the client; the encrypted bytes are neither inspected nor modified.</p><p>If no passthrough host matches the name the client sent, the connection is handed over to NGINX on the configured passthrough proxy port (default: 442), where it is terminated and served like any other HTTPS request: by the Ingress for that host if one exists, otherwise by the default backend.</p><divclass="admonition note"><pclass=admonition-title>Note</p><p>Unlike HTTP backends, traffic to Passthrough backends is sent to the <em>clusterIP</em> of the backing Service instead of individual Endpoints, so the cluster's Service implementation does the load balancing and the controller's own endpoint-level balancing does not apply.</p></div><h2id=http-strict-transport-security>HTTP Strict Transport Security<aclass=headerlinkhref=#http-strict-transport-securitytitle="Permanent link"> ¶</a></h2><p>HTTP Strict Transport Security (HSTS) is an opt-in security enhancement specified through the use of a special response header. 
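The dispatch described in the SSL Passthrough section above can be modelled in a few dozen lines. The block below is an added example, not the controller's own implementation: it builds a ClientHello carrying an SNI extension (a constructed input), extracts the <code>server_name</code> field from the plaintext part of the handshake exactly as a passthrough proxy has to, and routes the connection either to the clusterIP of a passthrough backend whose host matches or to NGINX on the passthrough port when nothing matches or the client sent no SNI. The backend table and its addresses are made up, only exact host matching is modelled, and treating an unparsable hello like a hello without SNI is this example's choice.

```python
"""Model of the SNI-based dispatch an SSL Passthrough proxy performs (added example)."""
import struct

NGINX_PASSTHROUGH_PORT = 442  # controller default for the port NGINX listens on behind the proxy
NGINX_ADDR = ("127.0.0.1", NGINX_PASSTHROUGH_PORT)

# Constructed table: passthrough host -> (Service clusterIP, port). Real values come from
# the Ingress objects carrying the ssl-passthrough annotation.
PASSTHROUGH_BACKENDS = {
    "secure.example.com": ("10.96.14.3", 8443),
    "mtls.example.com": ("10.96.22.9", 443),
}

SNI_EXT_TYPE = 0x0000   # extension type server_name (RFC 6066)
HOST_NAME_TYPE = 0      # NameType host_name


def build_client_hello(sni=None):
    """Construct a minimal TLS ClientHello record, optionally carrying an SNI extension."""
    body = b"\x03\x03" + bytes(32)                   # client_version 1.2, random (zeros: constructed)
    body += b"\x00"                                  # empty session id
    body += struct.pack("!H", 2) + b"\x13\x01"       # one cipher suite: TLS_AES_128_GCM_SHA256
    body += b"\x01\x00"                              # one compression method: null
    exts = b""
    if sni is not None:
        name = sni.encode("idna")
        entry = struct.pack("!BH", HOST_NAME_TYPE, len(name)) + name
        data = struct.pack("!H", len(entry)) + entry  # ServerNameList
        exts += struct.pack("!HH", SNI_EXT_TYPE, len(data)) + data
    body += struct.pack("!H", len(exts)) + exts
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs    # ContentType handshake


def parse_sni(record):
    """Return the host name from the ClientHello's SNI extension, or None if it has none.

    Raises ValueError when the bytes are not a ClientHello handshake record; nothing
    after the ClientHello is needed, so only the first record is examined.
    """
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    if len(body) < hs_len:
        raise ValueError("truncated ClientHello")
    pos = 2 + 32                                        # skip client_version and random
    pos += 1 + body[pos]                                # session id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]  # cipher suites
    pos += 1 + body[pos]                                # compression methods
    if pos + 2 > len(body):
        return None                                     # no extensions block at all
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype != SNI_EXT_TYPE:
            continue
        lpos = 2                                        # skip ServerNameList length
        while lpos + 3 <= len(edata):
            ntype, nlen = struct.unpack("!BH", edata[lpos:lpos + 3])
            lpos += 3
            name = edata[lpos:lpos + nlen]
            lpos += nlen
            if ntype == HOST_NAME_TYPE:
                return name.decode("idna").lower()
    return None


def route(client_hello, backends=PASSTHROUGH_BACKENDS):
    """Decide where the raw TCP connection is piped: (sni_host, (ip, port), reason)."""
    try:
        host = parse_sni(client_hello)
    except ValueError:
        host = None                                     # example's choice: let NGINX reject it
    if host is None:
        return None, NGINX_ADDR, "no SNI: handed to NGINX, which terminates TLS"
    backend = backends.get(host)
    if backend is None:
        return host, NGINX_ADDR, "no passthrough host matches: handed to NGINX"
    return host, backend, "passthrough: bytes piped to the Service clusterIP, TLS untouched"


if __name__ == "__main__":
    for sni in ("secure.example.com", "other.example.com", None):
        print(sni, "->", route(build_client_hello(sni)))
```

Note what the router never sees: the certificate, the HTTP request, or any header. A passthrough decision is made on a single plaintext field the client controls, which is why a client sending no SNI (or an ECH-encrypted one) can only be handed to NGINX.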
Once a supported browser receives this header, it will refuse to send any request to the specified domain over plain HTTP for the duration of <code>max-age</code> and will use HTTPS instead, without relying on a server-side redirect for later requests. Browsers ignore the header when it arrives over plain HTTP, so HSTS only takes effect once a client has reached the host over HTTPS; it complements, rather than replaces, the redirect described in the next section.</p><p>HSTS is enabled by default.</p><p>To disable this behavior use <code>hsts: "false"</code> in the configuration <ahref=../nginx-configuration/configmap/>ConfigMap</a>. The <code>hsts-max-age</code>, <code>hsts-include-subdomains</code> and <code>hsts-preload</code> keys in the same ConfigMap control the header's value. A long <code>max-age</code> or <code>includeSubDomains</code> is hard to roll back once browsers have cached it, so roll out with a short <code>max-age</code> first and confirm every subdomain serves valid TLS before enabling subdomains.</p><h2id=server-side-https-enforcement-through-redirect>Server-side HTTPS enforcement through redirect<aclass=headerlinkhref=#server-side-https-enforcement-through-redirecttitle="Perm
<spanclass=w></span><spanclass=nt>cert-manager.io/issuer</span><spanclass=p>:</span><spanclass=w></span><spanclass=s>"letsencrypt-staging"</span><spanclass=w></span><spanclass=c1># Replace this with a production issuer once you've tested it</span>
</code></pre></div><h2id=default-tls-version-and-ciphers>Default TLS Version and Ciphers<aclass=headerlinkhref=#default-tls-version-and-cipherstitle="Permanent link"> ¶</a></h2><p>To provide the most secure baseline configuration possible, ingress-nginx defaults to using TLS 1.2 and 1.3 only, with a <ahref=../nginx-configuration/configmap/#ssl-ciphers>secure set of TLS ciphers</a>.</p><h3id=legacy-tls>Legacy TLS<aclass=headerlinkhref=#legacy-tlstitle="Permanent link"> ¶</a></h3><p>The default configuration, though secure, does not support some older browsers and operating systems.</p><p>For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing, May 2018, <ahref=https://developer.android.com/about/dashboards/#Platform>approximately 15% of Android devices</a> are not compatible with ingress-nginx's default configuration.</p><p>To change this default behavior, set <code>ssl-protocols</code> and <code>ssl-ciphers</code> in the <ahref=../nginx-configuration/configmap/>ConfigMap</a>. These settings apply to every host the controller serves, so re-enabling TLS 1.0/1.1 or legacy cipher suites weakens all of them for the sake of the clients that need it; treat it as a time-boxed exception and measure the share of affected clients before and after.</p><p>A sample ConfigMap fragment to allow these older clients to connect could look something like the following (generated using the <ahref="https://ssl-config.mozilla.org/#server=nginx&config=old">Mozilla SSL Configuration Generator</a>, "old" profile):</p><divclass=highlight><pre><span></span><code>kind: ConfigMap
</code></pre></div></article></div></div></main></div></body></html>