On my production env, I have a configuration with two Nginx and the communication between the two servers is secured with this config like this: https://docs.nginx.com/nginx/admin-guide/security-controls/securing-http-traffic-upstream/
INTERNET ---> NGINX reverse proxy ---TLS authentication---> NGINX upstream ---> Application
The conf work as expected, the upstream accept requests only by the trusted certificated.
But I need to migrate the upstream server from a bare metal server to a Kubernetes cluster on Azure Kubernetes Service. So, the conf on the server acting as a reverse proxy is unchanged and I migrate the config of the upstream to NGINX Ingress Controller.
I've deployed this image of the Ingress Controller: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
And configured the resource as follow:
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: my-backend
namespace: dev
annotations:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-secret: "dev/my-cert"
nginx.ingress.kubernetes.io/auth-tls-error-page: "https://google.com"
spec:
tls:
- hosts:
- my-backend.my-domain
secretName: my-cert
rules:
- host: my-backend.my-domain
http:
paths:
- path: /
backend:
serviceName: my-backend-service
servicePort: http
And the secret called "my-cert" includes: ca.crt tls.crt tls.key imported from the NGINX upstream. https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#client-certificate-authentication
Config in the NGINX reverse proxy unchanged:
location / {
set $upstream my-upstream;
proxy_pass https://$upstream$request_uri;
proxy_set_header Host my-backend.my-domain;
proxy_set_header X-Request-ID $request_id;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_ssl_certificate /etc/nginx/ssl/client.pem;
proxy_ssl_certificate_key /etc/nginx/ssl/client.key;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_trusted_certificate /etc/nginx/CA/CA.pem;
proxy_ssl_session_reuse on;
}
The first attempt to try the config was a curl request from the reverse proxy to the Ingress Controller passing the client certificate:
curl --cacert /etc/nginx/CA/CA.pem --key /etc/nginx/ssl/client.key --cert /etc/nginx/ssl/client.pem https://my-backend.my-domain/health
{"status":"UP"}
It works!
But trying to send a request through the NGINX reverse proxy I'm redirected to google.com page, as configured in the Ingress Controller. This is note the expected behaviour because, so the NGINX reverse proxy is not able to authenticate to the Nginx ingress controller.
Someone can help me to fix the config and make the auth working?
INTERNET ---> NGINX reverse proxy ---TLS authentication---> NGINX upstream ---> Application
The conf work as expected, the upstream accept requests only by the trusted certificated.
But I need to migrate the upstream server from a bare metal server to a Kubernetes cluster on Azure Kubernetes Service. So, the conf on the server acting as a reverse proxy is unchanged and I migrate the config of the upstream to NGINX Ingress Controller.
I've deployed this image of the Ingress Controller: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.30.0
And configured the resource as follow:
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: my-backend
namespace: dev
annotations:
nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
nginx.ingress.kubernetes.io/auth-tls-secret: "dev/my-cert"
nginx.ingress.kubernetes.io/auth-tls-error-page: "https://google.com"
spec:
tls:
- hosts:
- my-backend.my-domain
secretName: my-cert
rules:
- host: my-backend.my-domain
http:
paths:
- path: /
backend:
serviceName: my-backend-service
servicePort: http
And the secret called "my-cert" includes: ca.crt tls.crt tls.key imported from the NGINX upstream. https://github.com/kubernetes/ingress-nginx/blob/master/docs/user-guide/nginx-configuration/annotations.md#client-certificate-authentication
Config in the NGINX reverse proxy unchanged:
location / {
set $upstream my-upstream;
proxy_pass https://$upstream$request_uri;
proxy_set_header Host my-backend.my-domain;
proxy_set_header X-Request-ID $request_id;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_ssl_certificate /etc/nginx/ssl/client.pem;
proxy_ssl_certificate_key /etc/nginx/ssl/client.key;
proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
proxy_ssl_ciphers HIGH:!aNULL:!MD5;
proxy_ssl_trusted_certificate /etc/nginx/CA/CA.pem;
proxy_ssl_session_reuse on;
}
The first attempt to try the config was a curl request from the reverse proxy to the Ingress Controller passing the client certificate:
curl --cacert /etc/nginx/CA/CA.pem --key /etc/nginx/ssl/client.key --cert /etc/nginx/ssl/client.pem https://my-backend.my-domain/health
{"status":"UP"}
It works!
But trying to send a request through the NGINX reverse proxy I'm redirected to google.com page, as configured in the Ingress Controller. This is note the expected behaviour because, so the NGINX reverse proxy is not able to authenticate to the Nginx ingress controller.
Someone can help me to fix the config and make the auth working?