</code></pre></div><p>The resulting secret will be of type <code>kubernetes.io/tls</code>.</p><h2 id=host-names>Host names<a class=headerlink href=#host-names title="Permanent link"> ¶</a></h2><p>Ensure that the relevant <a href=https://kubernetes.io/docs/concepts/services-networking/ingress/#tls>ingress rules specify a matching host name</a>: the controller associates a certificate with a server block through the <code>hosts</code> listed in the <code>tls:</code> section, so if those names do not match the host used in the rules the certificate is never selected for that host and the default certificate is served instead.</p><h2 id=default-ssl-certificate>Default SSL Certificate<a class=headerlink href=#default-ssl-certificate title="Permanent link"> ¶</a></h2><p>NGINX provides the option to configure a server as a catch-all with <a href=http://nginx.org/en/docs/http/server_names.html>server_name</a> for requests that do not match any of the configured server names. This configuration works out-of-the-box for HTTP traffic. For HTTPS, the catch-all server still has to present a certificate before any request can be read.</p><p>For this reason the Ingress controller provides the flag <code>--default-ssl-certificate</code>. The secret referred to by this flag contains the default certificate to be used when accessing the catch-all server. If the flag is not provided, the controller generates a self-signed certificate and NGINX serves that; clients will reject it or warn about it, so set the flag in any deployment that real users reach.</p><p>For instance, if you have a TLS secret <code>foo-tls</code> in the <code>default</code> namespace, add <code>--default-ssl-certificate=default/foo-tls</code> to the arguments of the <code>nginx-controller</code> deployment; the value is always of the form <code>namespace/secret-name</code>.</p><p>The default certificate will also be used for ingress <code>tls:</code> sections that do not have a <code>secretName</code> option. Because it is presented to every client that asks for a name without its own certificate, choose one whose subject names you are comfortable exposing to arbitrary clients.</p><h2 id=ssl-passthrough>SSL Passthrough<a class=headerlink href=#ssl-passthrough title="Permanent link"> ¶</a></h2><p>The <a href=../cli-arguments/><code>--enable-ssl-passthrough</code></a> flag enables the SSL Passthrough feature, which is disabled by default. This is required to enable passthrough backends in Ingress objects.</p><div class="admonition warning"><p class=admonition-title>Warning</p><p>This feature is implemented by intercepting <strong>all traffic</strong> on the configured HTTPS port (default: 443) and handing it over to a local TCP proxy. 
This bypasses NGINX completely and introduces a non-negligible performance penalty.</p></div><p>SSL Passthrough leverages <a href=https://en.wikipedia.org/wiki/Server_Name_Indication>SNI</a>: the proxy reads the requested virtual domain from the <code>server_name</code> extension of the client's TLS ClientHello, so it only works with clients that send SNI. After a connection has been accepted by the TLS listener, it is handled by the controller itself and piped back and forth between the backend and the client. Since the TLS session is terminated by the backend rather than by NGINX, nothing that operates on the decrypted request (per-Ingress annotations, rewrites, HTTP access logs) applies to a passthrough backend.</p><p>If there is no hostname matching the requested host name, or the client sent no SNI at all, the connection is handed over to NGINX on the configured passthrough proxy port (default: 442), which proxies the request to the default backend.</p><div class="admonition note"><p class=admonition-title>Note</p><p>Unlike HTTP backends, traffic to Passthrough backends is sent to the <em>clusterIP</em> of the backing Service instead of individual Endpoints.</p></div><h2 id=http-strict-transport-security>HTTP Strict Transport Security<a class=headerlink href=#http-strict-transport-security title="Permanent link"> ¶</a></h2><p>HTTP Strict Transport Security (HSTS) is an opt-in security enhancement specified through the use of a special response header, <code>Strict-Transport-Security</code>. 
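</p>
<p>Returning to the SSL Passthrough section above: the following Go program is an added example written for this page, not code from ingress-nginx. It shows what the passthrough proxy has to do before it can pipe bytes: read the <code>server_name</code> extension from the client's first TLS record without completing a handshake, pick a backend by that name, and fall back to the passthrough port for an unknown name, for a client that sends no SNI, and for bytes that are not TLS at all. The routing table, the backend address, the port and the in-memory <code>memConn</code> type are constructed values for the demo, and SNI is extracted with the standard library's <code>crypto/tls</code> rather than with the controller's own parser.</p>

```go
package main

import (
	"bytes"
	"crypto/tls"
	"errors"
	"fmt"
	"net"
	"time"
)

// Constructed routing table for this example (not the controller's own data):
// SNI host -> backend address, a Service clusterIP as the note above says.
// The controller derives the real table from the Ingress objects that enable
// passthrough.
var passthroughBackends = map[string]string{"secure.example.com": "10.96.12.34:443"}

// defaultTarget stands for NGINX listening on the passthrough proxy port
// (default 442), which serves the default backend to unknown names and to
// clients that send no SNI. The address is assumed for the demo.
const defaultTarget = "127.0.0.1:442"

// errPeeked is returned from GetConfigForClient to stop the handshake as soon
// as the ClientHello has been parsed; only the hello is needed, never a session.
var errPeeked = errors.New("client hello peeked")

// memConn is an in-memory net.Conn: reads come from r, writes are kept in w.
// It lets crypto/tls run over captured bytes with no network involved.
type memConn struct {
	r *bytes.Reader
	w bytes.Buffer
}

func (m *memConn) Read(p []byte) (int, error)       { return m.r.Read(p) }
func (m *memConn) Write(p []byte) (int, error)      { return m.w.Write(p) }
func (m *memConn) Close() error                     { return nil }
func (m *memConn) LocalAddr() net.Addr              { return &net.TCPAddr{} }
func (m *memConn) RemoteAddr() net.Addr             { return &net.TCPAddr{} }
func (m *memConn) SetDeadline(time.Time) error      { return nil }
func (m *memConn) SetReadDeadline(time.Time) error  { return nil }
func (m *memConn) SetWriteDeadline(time.Time) error { return nil }

// clientHello captures the first bytes a real TLS client sends. An empty sni
// yields a hello without the server_name extension, like a legacy client.
func clientHello(sni string) []byte {
	c := &memConn{r: bytes.NewReader(nil)}
	// InsecureSkipVerify only lets the sample client start with an empty
	// ServerName; the handshake fails on EOF right after the hello is written,
	// which is all that is needed here.
	_ = tls.Client(c, &tls.Config{ServerName: sni, InsecureSkipVerify: true}).Handshake()
	return c.w.Bytes()
}

// extractSNI parses the ClientHello at the start of raw and returns the
// server_name it carries. ok is false for a hello without SNI, the case the
// passthrough proxy cannot route by name; err is set when raw is not a TLS
// ClientHello at all.
func extractSNI(raw []byte) (sni string, ok bool, err error) {
	cfg := &tls.Config{GetConfigForClient: func(hi *tls.ClientHelloInfo) (*tls.Config, error) {
		sni = hi.ServerName
		return nil, errPeeked
	}}
	err = tls.Server(&memConn{r: bytes.NewReader(raw)}, cfg).Handshake()
	if errors.Is(err, errPeeked) {
		return sni, sni != "", nil
	}
	return "", false, err
}

// route mirrors the passthrough decision: a hello whose SNI matches a
// passthrough backend is piped there unchanged; an unknown name or a hello
// without SNI goes to NGINX on the passthrough port instead.
func route(raw []byte) (string, error) {
	host, ok, err := extractSNI(raw)
	if err != nil {
		return "", err
	}
	if backend, found := passthroughBackends[host]; ok && found {
		return backend, nil
	}
	return defaultTarget, nil
}

func main() {
	for _, sni := range []string{"secure.example.com", "other.example.com", ""} {
		target, err := route(clientHello(sni))
		fmt.Printf("sni=%q -> %s (err=%v)\n", sni, target, err)
	}
	_, err := route([]byte("GET / HTTP/1.1\r\nHost: secure.example.com\r\n\r\n"))
	fmt.Println("plaintext on the TLS port:", err)
}
```

<p>Running it prints the chosen target for a hello with a known name, an unknown name and no SNI, followed by the error for plaintext sent to the TLS port. Against a real listener the same logic applies once the first record has been buffered from the accepted <code>net.Conn</code>; that buffered copy is what a passthrough proxy inspects before deciding whether to pipe the connection to a backend or hand it to NGINX.</p>
<p>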
Once a supported browser receives the <code>Strict-Transport-Security</code> header it will refuse to send any communication to the specified domain over plain HTTP for as long as the advertised <code>max-age</code> lasts and will instead use HTTPS for all of it.</p><p>HSTS is enabled by default.</p><p>To disable this behavior use <code>hsts: "false"</code> in the configuration <a href=../nginx-configuration/configmap/>ConfigMap</a>. Browsers keep an HSTS policy cached until its <code>max-age</code> expires, so removing the header does not immediately let clients that have already seen it fall back to HTTP.</p><h2 id=server-side-https-enforcement-through-redirect>Server-side HTTPS enforcement through redirect<a class=headerlink href=#server-side-https-enforcement-through-redirect title="Permanent link"> ¶</a></h2><p>By default the controller redirects HTTP clients to the HTTPS port 443 using a 308 Permanent Redirect response if TLS is enabled for that Ingress. Unlike a 301, a 308 obliges the client to repeat the request with the same method and body, so a POST is not silently turned into a GET on its way to HTTPS.</p><p>This can be disabled globally using <code>ssl-redirect: "false"</code> in the NGINX <a href=../nginx-configuration/configmap/>config map</a>, or per-Ingress
</code></pre></div><p>To set up Kube-Lego you can take a look at this <a href=https://github.com/jetstack/kube-lego/tree/master/examples>full example</a>. The first version to fully support Kube-Lego is Nginx Ingress controller 0.8. Kube-Lego is no longer maintained; its authors recommend cert-manager as the replacement for new deployments.</p><h2 id=default-tls-version-and-ciphers>Default TLS Version and Ciphers<a class=headerlink href=#default-tls-version-and-ciphers title="Permanent link"> ¶</a></h2><p>To provide the most secure baseline configuration possible, nginx-ingress defaults to using TLS 1.2 and 1.3 only, with a <a href=../nginx-configuration/configmap/#ssl-ciphers>secure set of TLS ciphers</a>.</p><h3 id=legacy-tls>Legacy TLS<a class=headerlink href=#legacy-tls title="Permanent link"> ¶</a></h3><p>The default configuration, though secure, does not support some older browsers and operating systems.</p><p>For instance, TLS 1.1+ is only enabled by default from Android 5.0 on. At the time of writing, May 2018, <a href=https://developer.android.com/about/dashboards/#Platform>approximately 15% of Android devices</a> were not compatible with nginx-ingress's default configuration.</p><p>To change this default behavior, use a <a href=../nginx-configuration/configmap/>ConfigMap</a>. Keep in mind that protocol and cipher settings in the ConfigMap are global: re-enabling TLS 1.0 and 1.1 and their legacy cipher suites weakens every host served by that controller, not only the one that needs the old clients, so treat it as a temporary exception.</p><p>A sample ConfigMap fragment to allow these older clients to connect could look something like the following, generated with the <a href="https://ssl-config.mozilla.org/#server=nginx&config=old">Mozilla SSL Configuration Generator's "old" profile for nginx</a>:</p><div class=highlight><pre><span></span><code>kind: ConfigMap
</code></pre></div></article></div></div></main></div><script>