This topic provides answers to some frequently asked questions about Ingresses.
- Which SSL or TLS protocol versions are supported by Ingresses?
- Do Ingresses pass Layer 7 request headers to backend servers by default?
- Can ingress-nginx forward requests to backend HTTPS servers?
- Do Ingresses pass client IP addresses at Layer 7?
- Does the NGINX Ingress controller support HSTS?
- Which rewrite rules are supported by ingress-nginx?
- Configure an Ingress controller to use an internal-facing SLB instance
- What are the system updates after I update the NGINX Ingress controller on the Add-ons page of the ACK console?
- How do I change Layer 4 listeners to Layer 7 HTTP or HTTPS listeners for ingress-nginx?
- How do I specify an existing SLB instance for ingress-nginx?
Which SSL or TLS protocol versions are supported by Ingresses?
Ingress-nginx supports Transport Layer Security (TLS) 1.2 and TLS 1.3. If a browser or mobile client uses a TLS protocol version earlier than 1.2, errors may occur during handshakes between the client and ingress-nginx.
The following settings in the nginx-configuration ConfigMap in the kube-system namespace also enable TLS 1.0 and TLS 1.1. For more information, see TLS/HTTPS.
ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"
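The ssl-protocols and ssl-ciphers values above trade compatibility for weaker transport security, so it helps to know exactly which entries are legacy before applying them. The following Python audit is an added example, not part of the original page or of ingress-nginx; the function names and issue labels are assumptions, and the sample values are copied from the ConfigMap shown on this page.

```python
# Added example: audit the TLS keys of an nginx-configuration ConfigMap.
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
AEAD_TAGS = ("GCM", "CHACHA20", "CCM")

def classify_cipher(name):
    """Weaknesses of one OpenSSL cipher name (TLS 1.2 and earlier naming)."""
    issues = []
    if not name.startswith(("ECDHE-", "DHE-")):
        issues.append("no forward secrecy")      # static RSA key exchange
    if "DES-CBC3" in name:
        issues.append("3DES")                    # 64-bit block cipher
    elif not any(tag in name for tag in AEAD_TAGS):
        issues.append("CBC mode")                # non-AEAD suite
    if name.endswith("-SHA"):
        issues.append("SHA-1 MAC")
    return issues

def audit_tls(data):
    """Report legacy protocols and weak suites in ConfigMap data (a dict)."""
    protocols = data.get("ssl-protocols", "").split()
    weak = {}
    for suite in filter(None, data.get("ssl-ciphers", "").split(":")):
        issues = classify_cipher(suite)
        if issues:
            weak[suite] = issues
    return {
        "legacy_protocols": [p for p in protocols if p in LEGACY_PROTOCOLS],
        "weak_ciphers": weak,
    }

# Values copied from the ConfigMap shown on this page.
PAGE_CONFIG = {
    "ssl-protocols": "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3",
    "ssl-ciphers": "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA",
}

if __name__ == "__main__":
    report = audit_tls(PAGE_CONFIG)
    print("legacy protocols:", report["legacy_protocols"])
    for suite, issues in report["weak_ciphers"].items():
        print(f"{suite}: {', '.join(issues)}")
```

The data dictionary has the same shape as the data field returned by kubectl get cm -n kube-system nginx-configuration -o json.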
Do Ingresses pass Layer 7 request headers to backend servers by default?
Run the kubectl edit cm -n kube-system nginx-configuration command to add the relevant configurations to the nginx-configuration ConfigMap. For more information, see ConfigMap.
enable-underscores-in-headers: "true"
Can ingress-nginx forward requests to backend HTTPS servers?
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: xxxx
  annotations:
    # Note: You must set the backend protocol to HTTPS.
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
Do Ingresses pass client IP addresses at Layer 7?
By default, ingress-nginx adds the X-Forwarded-For and X-Real-IP header fields to carry client IP addresses. However, if a client has already added the X-Forwarded-For and X-Real-IP header fields to a request, the backend server cannot obtain the client IP address.
The following settings in the nginx-configuration ConfigMap in the kube-system namespace allow ingress-nginx to pass client IP addresses at Layer 7.
compute-full-forwarded-for: "true"
forwarded-for-header: "X-Forwarded-For"
use-forwarded-headers: "true"
For more information, see Configure an ACK Ingress to pass client IP addresses.
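With compute-full-forwarded-for enabled, ingress-nginx appends the address it saw to X-Forwarded-For instead of replacing the header, so client-supplied entries remain at the left of the list and the backend has to choose the client address using its own list of trusted proxies. The following Python sketch of that selection is an added example, not part of the original page; the function names, CIDR ranges and addresses are constructed assumptions.

```python
# Added example: pick the client IP from a full X-Forwarded-For chain.
import ipaddress

def client_ip(xff, peer, trusted_cidrs):
    """Walk the hop list right to left and return the first address that is
    not inside a trusted proxy network (rightmost-untrusted selection).

    xff           -- raw X-Forwarded-For header value received by the backend
    peer          -- address of the TCP peer (the ingress-nginx pod)
    trusted_cidrs -- networks of proxies you operate (assumed values below)
    """
    trusted = [ipaddress.ip_network(c) for c in trusted_cidrs]
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [peer]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None            # malformed entry: refuse to guess
        if not any(addr in net for net in trusted):
            return str(addr)       # first hop we do not control
    return None                    # every hop was one of our own proxies

def leftmost(xff):
    """Naive selection shown for contrast: trusts whatever the client sent."""
    return xff.split(",")[0].strip()

# Constructed sample: the client sent its own X-Forwarded-For value
# (198.51.100.23); the load balancer and ingress-nginx appended what they saw.
SAMPLE_XFF = "198.51.100.23, 203.0.113.7, 100.64.1.9"
SAMPLE_PEER = "10.0.1.5"                       # ingress-nginx pod (assumed)
TRUSTED = ["10.0.0.0/8", "100.64.0.0/10"]      # pod and LB ranges (assumed)

if __name__ == "__main__":
    print("naive leftmost     :", leftmost(SAMPLE_XFF))
    print("rightmost-untrusted:", client_ip(SAMPLE_XFF, SAMPLE_PEER, TRUSTED))
```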
Does the NGINX Ingress controller support HSTS?
Non-Authoritative-Reason: HSTS. This indicates that the backend server supports HSTS. If the client also supports HSTS, the client will continue to send HTTPS requests if the first access attempt succeeds. The body of the response from the backend server contains the 307 Internal Redirect status code, as shown in the following figure.
Which rewrite rules are supported by ingress-nginx?
- configuration-snippet: Add this annotation to the location configuration of an Ingress. For more information, see Configuration snippet.
- server-snippet: Add this annotation to the server configuration of an Ingress. For more information, see Server snippet.
What are the system updates after I update the NGINX Ingress controller on the Add-ons page of the ACK console?
- serviceaccount/ingress-nginx
- configmap/nginx-configuration
- configmap/tcp-services
- configmap/udp-services
- clusterrole.rbac.authorization.k8s.io/ingress-nginx
- clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx
- role.rbac.authorization.k8s.io/ingress-nginx
- rolebinding.rbac.authorization.k8s.io/ingress-nginx
- service/nginx-ingress-lb
- deployment.apps/nginx-ingress-controller
- validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission
- service/ingress-nginx-controller-admission
- serviceaccount/ingress-nginx-admission
- clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission
- clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission
- role.rbac.authorization.k8s.io/ingress-nginx-admission
- rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission
- job.batch/ingress-nginx-admission-create
- job.batch/ingress-nginx-admission-patch
- configmap/nginx-configuration
- configmap/tcp-services
- configmap/udp-services
- service/nginx-ingress-lb
The configurations of other resources are reset to default values. For example, the default value of the replicas parameter of the deployment.apps/nginx-ingress-controller resource is 2. If you set the value of replicas to 5 before you update the NGINX Ingress controller, the replicas parameter uses the default value 2 after you update the component on the Add-ons page.
How do I change Layer 4 listeners to Layer 7 HTTP or HTTPS listeners for ingress-nginx?
- Create a certificate and record the certificate ID (cert-id). For more information, see Use a certificate from Alibaba Cloud SSL Certificates Service.
- Change the listeners of the SLB instance used by the Ingress from Layer 4 to Layer 7 by using annotations.
- Verify that the listeners of the SLB instance are changed from Layer 4 to Layer 7 after you add the annotations.
How do I specify an existing SLB instance for ingress-nginx?
- Log on to the ACK console.
- In the left-side navigation pane of the ACK console, choose .
- On the App Catalog tab, search for and click ack-ingress-nginx.
- On the ack-ingress-nginx page, click Deploy.
- In the Deploy wizard, select a cluster and namespace, and then click Next.
- On the Parameters wizard page, configure the parameters.
- Click OK.