
Exclude specific hosts from ssl redirect in Kubernetes Nginx Ingress


You can create two Ingress objects, one for each site in the same namespace.

Use the annotation nginx.ingress.kubernetes.io/ssl-redirect: "true" for the SSL site.

Use the annotation nginx.ingress.kubernetes.io/ssl-redirect: "false" for the non-SSL site.

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: cmac-ingress
      namespace: ns1
      annotations:
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
    spec:
      tls:
      - hosts:
        - my-ssl-site.co.uk
        secretName: testsecret-tls
      rules:
      - host: my-ssl-site.co.uk
        http:
          paths:
          - path: /
            backend:
              serviceName: my-service
              servicePort: 80
    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: cmac-ingress1
      namespace: ns1
      annotations:
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
    spec:
      tls:
      - hosts:
        - my-site.co.uk
        secretName: testsecret-tls
      rules:
      - host: my-site.co.uk
        http:
          paths:
          - path: /
            backend:
              serviceName: my-service
              servicePort: 80

Here is the resulting configuration from the ingress controller's nginx.conf file:

    ## start server my-site.co.uk
    server {
        server_name my-site.co.uk ;

        listen 80;

        set $proxy_upstream_name "-";

        listen 443  ssl http2;

        # PEM sha: ffa288482443e529d72a0984724f79d5267a2a22
        ssl_certificate                         /etc/ingress-controller/ssl/default-fake-certificate.pem;
        ssl_certificate_key                     /etc/ingress-controller/ssl/default-fake-certificate.pem;

        location / {
            <some lines skipped>

            if ($scheme = https) {
                more_set_headers                        "Strict-Transport-Security: max-age=15724800; includeSubDomains";
            }

            <some lines skipped>
        }
    }
    ## end server my-site.co.uk

    ## start server my-ssl-site.co.uk
    server {
        server_name my-ssl-site.co.uk ;

        listen 80;

        set $proxy_upstream_name "-";

        listen 443  ssl http2;

        # PEM sha: ffa288482443e529d72a0984724f79d5267a2a22
        ssl_certificate                         /etc/ingress-controller/ssl/default-fake-certificate.pem;
        ssl_certificate_key                     /etc/ingress-controller/ssl/default-fake-certificate.pem;

        location / {
            <some lines skipped>

            if ($scheme = https) {
                more_set_headers                        "Strict-Transport-Security: max-age=15724800; includeSubDomains";
            }

            # enforce ssl on server side
            if ($redirect_to_https) {
                return 308 https://$best_http_host$request_uri;
            }

            <some lines skipped>
        }
    }
    ## end server my-ssl-site.co.uk

You can find an additional redirection section in the SSL-enforced site definition:

    # enforce ssl on server side
    if ($redirect_to_https) {
        return 308 https://$best_http_host$request_uri;
    }
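To confirm that only the intended hosts are exempt, the rendered nginx.conf can be audited for server blocks that listen on port 80 without the redirect section. The following is an added example, not part of the original answer or of ingress-nginx; it assumes the `## start server` / `## end server` markers and the `if ($redirect_to_https)` block appear as shown above, and the function names and the sample text are constructed for illustration.

```python
import re

# Constructed sample, trimmed from the shape of the nginx.conf excerpt above.
SAMPLE_CONF = """
## start server my-site.co.uk
server {
    server_name my-site.co.uk ;
    listen 80;
    location / { }
}
## end server my-site.co.uk
## start server my-ssl-site.co.uk
server {
    server_name my-ssl-site.co.uk ;
    listen 80;
    location / {
        # enforce ssl on server side
        if ($redirect_to_https) {
            return 308 https://$best_http_host$request_uri;
        }
    }
}
## end server my-ssl-site.co.uk
"""

# Assumption: each server block sits between the marker comments shown above.
SERVER_BLOCK = re.compile(
    r"^[ \t]*## start server (?P<host>\S+)[ \t]*$(?P<body>.*?)"
    r"^[ \t]*## end server (?P=host)[ \t]*$",
    re.MULTILINE | re.DOTALL,
)
REDIRECT = re.compile(r"if\s*\(\$redirect_to_https\)\s*\{\s*return\s+30[18]\s+https://")
PLAIN_LISTEN = re.compile(r"^[ \t]*listen\s+(?:\S+:)?80\b[^;]*;", re.MULTILINE)

def audit_redirects(conf_text):
    """Per host: does it listen on port 80, and does it redirect to HTTPS?"""
    report = {}
    for m in SERVER_BLOCK.finditer(conf_text):
        # Drop full-line comments so a commented-out redirect is not counted.
        body = re.sub(r"(?m)^[ \t]*#.*$", "", m.group("body"))
        report[m.group("host")] = {
            "listens_80": bool(PLAIN_LISTEN.search(body)),
            "redirects": bool(REDIRECT.search(body)),
        }
    return report

def hosts_without_redirect(conf_text):
    """Hosts reachable over plain HTTP with no enforced redirect."""
    return sorted(h for h, r in audit_redirects(conf_text).items()
                  if r["listens_80"] and not r["redirects"])
```

Comparing the returned list against the hosts that are meant to be excluded shows whether an Ingress has had its redirect turned off unintentionally.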