diff --git a/controllers/nginx/README.md b/controllers/nginx/README.md index 3e3f29fd1..f2729a52b 100644 --- a/controllers/nginx/README.md +++ b/controllers/nginx/README.md @@ -9,6 +9,7 @@ This is a nginx Ingress controller that uses [ConfigMap](https://github.com/kube * [Deployment](#deployment) * [HTTP](#http) * [HTTPS](#https) + * [Default SSL Certificate](#default-ssl-certificate) * [HTTPS enforcement](#server-side-https-enforcement) * [HSTS](#http-strict-transport-security) * [TCP Services](#exposing-tcp-services) @@ -133,6 +134,13 @@ Please follow [test.sh](https://github.com/bprashanth/Ingress/blob/master/exampl Check the [example](examples/tls/README.md) +### Default SSL Certificate + +NGINX provides the option [default_server](http://nginx.org/en/docs/http/server_names.html) to allow a catch-all server in case of request with a not configured server name. This configuration works without issues for HTTP traffic. +In case of HTTPS NGINX requires a certificate. For this reason the Ingress controller provides the flag `--default-ssl-certificate`. The secret behind this flag contains the default certificate to be used in the mentioned case. +If this flag is not provided NGINX will reject the request with the HTTP code 444. + + ### Server-side HTTPS enforcement By default the controller redirects (301) to HTTPS if TLS is enabled for that ingress . If you want to disable that behaviour globally, you can use `ssl-redirect: "false"` in the NGINX config map. diff --git a/controllers/nginx/main.go b/controllers/nginx/main.go index 9bd40076f..a30d0117a 100644 --- a/controllers/nginx/main.go +++ b/controllers/nginx/main.go 
@@ -85,6 +85,9 @@ var ( This can be used as a guide to create a custom configuration.`) profiling = flags.Bool("profiling", true, `Enable profiling via web interface host:port/debug/pprof/`) + + defSSLCertificate = flags.String("default-ssl-certificate", "", `Name of the secret that contains a SSL + certificate to be used as default for a HTTPS catch-all server`) ) func main() {
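Review bot: in the new "Default SSL Certificate" section of controllers/nginx/README.md, the text says the secret behind `--default-ssl-certificate` "contains the default certificate" but never says how the secret is referenced or what it must contain. Document the expected value format (for example, whether a namespace is part of the name) and the keys the secret needs for the certificate and private key, and add a short example invocation. The closing sentence should also say what certificate, if any, the catch-all HTTPS server presents when the flag is not provided, since an HTTP-level rejection can only happen after the TLS handshake has completed.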
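Review bot: in the controllers/nginx/main.go hunk, `defSSLCertificate` defaults to the empty string and nothing in the visible lines validates the value or handles a secret that is missing or lacks a usable certificate and key. Resolve the secret once at startup when the flag is set and exit with a clear error if it cannot be loaded, so a typo in the flag does not silently leave the catch-all server in the "reject with 444" state the README describes. The help text says only "Name of the secret"; state the expected format there so it matches the README.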