Exclude specific hosts from ssl redirect in Kubernetes Nginx Ingress
You can create two Ingress objects, one for each site, in the same namespace.
Use the annotation nginx.ingress.kubernetes.io/ssl-redirect: "true" for the SSL site.
Use the annotation nginx.ingress.kubernetes.io/ssl-redirect: "false" for the non-SSL site.

    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: cmac-ingress
      namespace: ns1
      annotations:
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/ssl-redirect: "true"
    spec:
      tls:
      - hosts:
        - my-ssl-site.co.uk
        secretName: testsecret-tls
      rules:
      - host: my-ssl-site.co.uk
        http:
          paths:
          - path: /
            backend:
              serviceName: my-service
              servicePort: 80
    ---
    apiVersion: extensions/v1beta1
    kind: Ingress
    metadata:
      name: cmac-ingress1
      namespace: ns1
      annotations:
        kubernetes.io/ingress.class: nginx
        nginx.ingress.kubernetes.io/ssl-redirect: "false"
    spec:
      tls:
      - hosts:
        - my-site.co.uk
        secretName: testsecret-tls
      rules:
      - host: my-site.co.uk
        http:
          paths:
          - path: /
            backend:
              serviceName: my-service
              servicePort: 80

Here is the result from the ingress-controller nginx.conf file:

    ## start server my-site.co.uk
    server {
        server_name my-site.co.uk ;

        listen 80;

        set $proxy_upstream_name "-";

        listen 443 ssl http2;

        # PEM sha: ffa288482443e529d72a0984724f79d5267a2a22
        ssl_certificate     /etc/ingress-controller/ssl/default-fake-certificate.pem;
        ssl_certificate_key /etc/ingress-controller/ssl/default-fake-certificate.pem;

        location / {
            <some lines skipped>

            if ($scheme = https) {
                more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains";
            }

            <some lines skipped>
        }
    }
    ## end server my-site.co.uk

    ## start server my-ssl-site.co.uk
    server {
        server_name my-ssl-site.co.uk ;

        listen 80;

        set $proxy_upstream_name "-";

        listen 443 ssl http2;

        # PEM sha: ffa288482443e529d72a0984724f79d5267a2a22
        ssl_certificate     /etc/ingress-controller/ssl/default-fake-certificate.pem;
        ssl_certificate_key /etc/ingress-controller/ssl/default-fake-certificate.pem;

        location / {
            <some lines skipped>

            if ($scheme = https) {
                more_set_headers "Strict-Transport-Security: max-age=15724800; includeSubDomains";
            }

            # enforce ssl on server side
            if ($redirect_to_https) {
                return 308 https://$best_http_host$request_uri;
            }

            <some lines skipped>
        }
    }
    ## end server my-ssl-site.co.uk

You can find an additional redirection section in the SSL-enforced site definition:

    # enforce ssl on server side
    if ($redirect_to_https) {
        return 308 https://$best_http_host$request_uri;
    }
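
To check that only the intended host is exempt from the redirect, the rendered nginx.conf can be audited per server block. The script below is an added example, not part of the original answer or of ingress-nginx; it assumes the `## start server` / `## end server` comment markers shown in the output above, and the function names, allow-list and sample text are constructed for illustration.

```python
import re
import sys

# Constructed sample, trimmed from the nginx.conf excerpt above.
SAMPLE_CONF = """\
## start server my-site.co.uk
server {
    server_name my-site.co.uk ;
    listen 80;
    listen 443 ssl http2;
    location / {
    }
}
## end server my-site.co.uk
## start server my-ssl-site.co.uk
server {
    server_name my-ssl-site.co.uk ;
    listen 80;
    listen 443 ssl http2;
    location / {
        # enforce ssl on server side
        if ($redirect_to_https) {
            return 308 https://$best_http_host$request_uri;
        }
    }
}
## end server my-ssl-site.co.uk
"""

# Assumption: each server block is wrapped in the "## start/end server" comments.
BLOCK = re.compile(r"^[ \t]*## start server (\S+)[ \t]*$(.*?)^[ \t]*## end server \1[ \t]*$",
                   re.M | re.S)
REDIRECT = re.compile(r"if\s*\(\$redirect_to_https\)\s*\{\s*return\s+\d{3}\s+https://")

def redirect_status(conf_text):
    """Map each server name to True if its block enforces the HTTPS redirect."""
    status = {}
    for name, body in BLOCK.findall(conf_text):
        # Ignore comment lines so a commented-out redirect does not count.
        live = "\n".join(l for l in body.splitlines() if not l.lstrip().startswith("#"))
        status[name] = status.get(name, True) and bool(REDIRECT.search(live))
    return status

def unexpected_plaintext(conf_text, allowed):
    """Hosts without the redirect that are not on the allow-list of exceptions."""
    return sorted(h for h, ok in redirect_status(conf_text).items()
                  if not ok and h not in allowed)

if __name__ == "__main__":
    conf = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CONF
    bad = unexpected_plaintext(conf, allowed={"my-site.co.uk"})
    print("hosts missing HTTPS redirect:", bad or "none")
    sys.exit(1 if bad else 0)
```

Run it against a copy of the controller's nginx.conf passed as the first argument; a non-zero exit means a host outside the allow-list is being served over plain HTTP without a redirect.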