
SSL Handshake Failure When Mapping to External HTTPS Service (AWS CloudFront + S3) in Nginx Ingress #11170

Closed
umjoshua opened this issue Mar 27, 2024 · 6 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. triage/needs-information Indicates an issue needs more information in order to work on it.

Comments

@umjoshua

Issue Description:
We are encountering an SSL handshake failure when attempting to map to an external HTTPS service hosted on AWS CloudFront with S3 origin. The error message we're receiving is:

502 Bad Gateway

The corresponding nginx log entry for the request is:

2024/03/27 09:56:04 [error] 1791#1791: *1001042 SSL_do_handshake() failed (SSL: error:0A000410:SSL routines::sslv3 alert handshake failure:SSL alert number 40) while SSL handshaking to upstream, client: 127.0.0.1, server: foo.abc.com, request: "GET / HTTP/2.0", upstream: "https://1*.6*.*6.*9:443/", host: "foo.abc.com"

Ingress Configuration:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/upstream-vhost: cdn.abc.com
    nginx.ingress.kubernetes.io/server-snippet: |
      proxy_set_header Host cdn.abc.com;
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
  tls:
  - hosts:
    - foo.abc.com
    secretName: foo
  ingressClassName: nginx
  rules:
  - host: foo.abc.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: external-service-expose
            port:
              number: 443

External Service Configuration:

apiVersion: v1
kind: Service
metadata:
  name: external-service-expose
spec:
  type: ExternalName
  externalName: cdn.abc.com

Expected Behavior:
The response should contain the HTML from CloudFront.

Additional Context:

  • The CDN is directly accessible without any issue.

Thank you for your attention to this matter.

@umjoshua umjoshua added the kind/bug Categorizes issue or PR as related to a bug. label Mar 27, 2024
@k8s-ci-robot
Contributor

This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@k8s-ci-robot k8s-ci-robot added needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. needs-priority labels Mar 27, 2024
@strongjz
Member

What version of the controller, eks/k8s?

I'm assuming that the hostname not matching is causing the issue.

You may need to enable SSL pass through https://kubernetes.github.io/ingress-nginx/user-guide/tls/#ssl-passthrough

@strongjz
Member

/triage needs-information

@k8s-ci-robot k8s-ci-robot added the triage/needs-information Indicates an issue needs more information in order to work on it. label Mar 28, 2024
@umjoshua
Author

Thanks @strongjz. Issue is solved now.
Added the following snippets to get it working:

nginx.ingress.kubernetes.io/configuration-snippet: |
  proxy_ssl_server_name on;
  proxy_ssl_name "cdn.abc.com";

@obeyler

obeyler commented Jun 28, 2024

@umjoshua in the end, did you add https://kubernetes.github.io/ingress-nginx/user-guide/tls/#ssl-passthrough or just the snippet to make it work? Could you post the Ingress configuration?

@farioas

farioas commented Jan 27, 2025

No need to enable ssl-passthrough. The final working configuration is as follows:

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/upstream-vhost: cdn.abc.com
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      proxy_ssl_server_name on;
      proxy_ssl_name "cdn.abc.com";
spec:
  tls:
  - hosts:
    - foo.abc.com
    secretName: foo
  ingressClassName: nginx
  rules:
  - host: foo.abc.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: external-service-expose
            port:
              number: 443
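The snippet above fixes the handshake by sending SNI, but nginx still does not verify the upstream certificate (proxy_ssl_verify defaults to off), so anything answering for cdn.abc.com would be proxied. The following is an added example, not a configuration posted in this thread, that keeps the working settings and adds upstream verification; it assumes the controller ConfigMap has allow-snippet-annotations enabled (required for configuration-snippet since v1.9) and that the controller image carries its CA bundle at /etc/ssl/certs/ca-certificates.crt.

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: foo-cdn            # constructed name for this example
  annotations:
    nginx.ingress.kubernetes.io/upstream-vhost: cdn.abc.com
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      # SNI toward the CDN edge: the fix found in this thread.
      proxy_ssl_server_name on;
      proxy_ssl_name "cdn.abc.com";
      # Added here: verify the upstream certificate chain and check that it
      # is issued for cdn.abc.com (proxy_ssl_name is also the verified name).
      proxy_ssl_verify on;
      proxy_ssl_verify_depth 3;
      # Assumption: CA bundle path inside the ingress-nginx controller image.
      proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
      proxy_ssl_protocols TLSv1.2 TLSv1.3;
spec:
  # ingressClassName replaces the deprecated kubernetes.io/ingress.class annotation.
  ingressClassName: nginx
  tls:
  - hosts:
    - foo.abc.com
    secretName: foo
  rules:
  - host: foo.abc.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: external-service-expose
            port:
              number: 443
```

Where snippet annotations are disallowed, the controller's own proxy-ssl-server-name, proxy-ssl-name and proxy-ssl-verify annotations (the latter backed by a proxy-ssl-secret containing ca.crt) express the same settings without a raw nginx snippet.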
