This topic provides answers to some frequently asked questions about Ingresses.

Which SSL or TLS protocol versions are supported by Ingresses?

Ingress-nginx supports Transport Layer Security (TLS) 1.2 and Transport Layer Security (TLS) 1.3. If the TLS protocol version that is used by a browser or mobile client is earlier than 1.2, errors may occur during handshakes between the client and ingress-nginx.

If you want ingress-nginx to support more TLS protocol versions, add the required configurations to the nginx-configuration ConfigMap in the kube-system namespace. For more information, see TLS/HTTPS. 
ssl-ciphers: "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA256:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA"
ssl-protocols: "TLSv1 TLSv1.1 TLSv1.2 TLSv1.3"

Do Ingresses pass Layer 7 request headers to backend servers by default?

By default, ingress-nginx passes Layer 7 request headers to backend servers. However, request headers that do not conform to HTTP rules are filtered out before requests are forwarded to the backend servers. For example, the Mobile Version request header is filtered out. If you do not want to filter out these request headers, run the kubectl edit cm -n kube-system nginx-configuration command to add the relevant configurations to the nginx-configuration ConfigMap. For more information, see ConfigMap. 
enable-underscores-in-headers: true

Can ingress-nginx forward requests to backend HTTPS servers?

To enable ingress-nginx to forward requests to backend HTTPS servers, run the following command to add the required annotations to the Ingress configuration: 
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: xxxx
  annotations:
    # Note: You must set the backend protocol to HTTPS. 
    nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"

Do Ingresses pass client IP addresses at Layer 7?

By default, ingress-nginx adds the X-Forward-For and X-Real-IP header fields to carry client IP addresses. However, if the X-Forward-For and X-Real-IP header fields are already added to a request by a client, the backend server cannot obtain the client IP address.

Run the following command to modify the nginx-configuration ConfigMap in the kube-system namespace. This allows ingress-nginx to pass client IP addresses at Layer 7. 
compute-full-forwarded-for: "true"
forwarded-for-header: "X-Forwarded-For"
use-forwarded-headers: "true"

For more information, see Configure an ACK Ingress to pass client IP addresses.

Does the NGINX Ingress controller support HSTS?

By default, HTTP Strict Transport Security (HSTS) is enabled for nginx-ingress-controller. When a browser sends a plain HTTP request for the first time, the response header from the backend server (with HSTS enabled) contains Non-Authoritative-Reason: HSTS. This indicates that the backend server supports HSTS. If the client also supports HSTS, the client will continue to send HTTPS requests if the first access attempt succeeds. The body of the response from the backend server contains the 307 Internal Redirect status code, as shown in the following figure. 1
If you do not want to forward the client requests to backend HTTPS servers, disable HSTS for nginx-ingress-controller. For more information, see HSTS.
Note By default, the HSTS configuration is cached by browsers. You must manually delete the browser cache after you disable HSTS for nginx-ingress-controller.

Which rewrite rules are supported by ingress-nginx?

Only simple rewrite rules are supported by ingress-nginx. For more information, see Rewrite. If you want to configure complex rewrite rules, use the following methods:
  • configuration-snippet: Add this annotation to the location configuration of an Ingress. For more information, see Configuration snippet.
  • server-snippet: Add this annotation to the server configuration of an Ingress. For more information, see Server snippet.
You can use other snippets to add global configurations, as shown in the following figure. For more information, see main-snippet. 2

What are the system updates after I update the NGINX Ingress controller on the Add-ons page of the ACK console?

If the version of the NGINX Ingress controller is earlier than 0.44, the component includes the following resources:
  • serviceaccount/ingress-nginx
  • configmap/nginx-configuration
  • configmap/tcp-service
  • configmap/udp-services
  • clusterrole.rbac.authorization.k8s.io/ingress-nginx
  • clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx
  • role.rbac.authorization.k8s.io/ingress-nginx
  • rolebinding.rbac.authorization.k8s.io/ingress-nginx
  • service/nginx-ingress-lb
  • deployment.apps/nginx-ingress-controller
If the version of the NGINX Ingress controller is 0.44 or later, the component includes the following resources in addition to the preceding resources:
  • validatingwebhookconfiguration.admissionregistration.k8s.io/ingress-nginx-admission
  • service/ingress-nginx-controller-admission
  • serviceaccount/ingress-nginx-admission
  • clusterrole.rbac.authorization.k8s.io/ingress-nginx-admission
  • clusterrolebinding.rbac.authorization.k8s.io/ingress-nginx-admission
  • role.rbac.authorization.k8s.io/ingress-nginx-admission
  • rolebinding.rbac.authorization.k8s.io/ingress-nginx-admission
  • job.batch/ingress-nginx-admission-create
  • job.batch/ingress-nginx-admission-patch
When you update the NGINX Ingress controller on the Add-ons page of the Container Service for Kubernetes (ACK) console, the configurations of the following resources remain unchanged:
  • configmap/nginx-configuration
  • configmap/tcp-services
  • configmap/udp-services
  • service/nginx-ingress-lb

The configurations of other resources are reset to default values. For example, the default value of the replicas parameter of the deployment.apps/nginx-ingress-controller resource is 2. If you set the value of replicas to 5 before you update the NGINX Ingress controller, the replicas parameter uses the default value 2 after you update the component on the Add-ons page.

How do I change Layer 4 listeners to Layer 7 HTTP or HTTPS listeners for ingress-nginx?

By default, the Server Load Balancer (SLB) instance of the ingress-nginx pod listens on TCP ports 443 and 80. You can change Layer 4 listeners to Layer 7 listeners by changing the protocol of the listeners to HTTP or HTTPS.
Note Your service will be temporarily interrupted when the system changes the listeners. We recommend that you perform this operation during off-peak hours.
  1. Create a certificate and record the certificate ID (cert-id). For more information, see Use a certificate from Alibaba Cloud SSL Certificates Service.
  2. Change the listeners of the SLB instance used by the Ingress from Layer 4 to Layer 7 by using annotations.
    1. Log on to the ACK console.
    2. In the left-side navigation pane of the ACK console, click Clusters.
    3. On the Clusters page, find the cluster that you want to manage and click the name of the cluster or click Details in the Actions column. The details page of the cluster appears.
    4. In the left-side navigation pane of the details page, choose Network > Services
    5. At the top of the Services page, set Namespace to kube-system. Find ingress-nginx-lb and click View in YAML in the Actions column.
    6. In the annotations field of the Edit YAML dialog box, add the following content and click Update: 
      service.beta.kubernetes.io/alibaba-cloud-loadbalancer-protocol-port: "http:80,https:443"
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-cert-id: "${YOUR_CERT_ID}"
  3. Verify that the listeners of the SLB instance are changed from Layer 4 to Layer 7 after you add the annotations.
    1. On the Services page, click Monitoring information to the right side of ingress-nginx-lb.
    2. Click the Listener tab. If HTTP:80 and HTTPS:443 appear in the Frontend Protocol column, the listeners of the SLB instance are changed from Layer 4 to Layer 7.
      Listeners

How do I specify an existing SLB instance for ingress-nginx?

  1. Log on to the ACK console.
  2. In the left-side navigation pane of the ACK console, choose Marketplace > App Catalog.
  3. On the App Catalog tab, search for and click ack-ingress-nginx.
  4. On the ack-ingress-nginx page, click Deploy.
  5. In the Deploy wizard, select a cluster and namespace, and then click Next.
  6. On the Parameters wizard page, configure the parameters.
    1. Delete the annotations in the annotations field in the service section.
      ingress-nginx
    2. Add the following annotation to the annotations field of service: 
      service.beta.kubernetes.io/alibaba-cloud-loadbalancer-id: "${YOUR_LOADBALANCER_ID}"
service.beta.kubernetes.io/alibaba-cloud-loadbalancer-force-override-listeners: "true"
  7. Click OK.