

## TLS Secrets

The resulting secret will be of type kubernetes.io/tls.

## Host names

Ensure that the relevant ingress rules specify a matching host name.

## Default SSL Certificate

NGINX provides the option to configure a server as a catch-all with server_name for requests that do not match any of the configured server names. This configuration works out-of-the-box for HTTP traffic. For HTTPS, a certificate is naturally required.

For this reason the Ingress controller provides the flag --default-ssl-certificate. The secret referred to by this flag contains the default certificate to be used when accessing the catch-all server. If this flag is not provided NGINX will use a self-signed certificate.

For instance, if you have a TLS secret foo-tls in the default namespace, add --default-ssl-certificate=default/foo-tls in the nginx-controller deployment.

The default certificate will also be used for ingress tls: sections that do not have a secretName option.

## SSL Passthrough

The --enable-ssl-passthrough flag enables the SSL Passthrough feature, which is disabled by default. This is required to enable passthrough backends in Ingress objects.

## Server-side HTTPS enforcement through redirect

To force redirects for Ingresses that do not specify a TLS-block at all, take a look at force-ssl-redirect in ConfigMap.

## Automated Certificate Management with cert-manager

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ingress-demo
  annotations:
    cert-manager.io/issuer: "letsencrypt-staging" # Replace this with a production issuer once you've tested it
spec:
  tls:
  - hosts:
    - ingress-demo.example.com # placeholder; use the host name this Ingress serves
    secretName: ingress-demo-tls
```

## Default TLS Version and Ciphers

To provide the most secure baseline configuration possible,
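The checks implied by the sections above (a tls: block without secretName falls back to the default certificate, tls hosts must match a rule host, and the controller needs --default-ssl-certificate and, for passthrough backends, --enable-ssl-passthrough) can be audited offline. This is an added example, not code from the ingress-nginx project; the manifest and controller args are constructed sample input and the function names are my own.

```python
# Added example (not ingress-nginx code): audit the TLS settings this page
# describes. Manifests are plain dicts so no YAML library is required.

def audit_ingress(ingress: dict) -> list:
    """Return findings for one Ingress object (empty list = clean)."""
    findings = []
    spec = ingress.get("spec", {})
    rule_hosts = {r["host"] for r in spec.get("rules", []) if r.get("host")}
    for i, tls in enumerate(spec.get("tls", [])):
        if not tls.get("secretName"):
            # Controller falls back to the --default-ssl-certificate secret
            findings.append(f"tls[{i}]: no secretName, default certificate will be served")
        for host in tls.get("hosts", []):
            if host not in rule_hosts:
                findings.append(f"tls[{i}]: host {host!r} has no matching rules[].host")
    return findings


def audit_controller_args(args: list, want_passthrough: bool = False) -> list:
    """Return findings for the nginx-controller container args."""
    findings = []
    cert_flags = [a for a in args if a.startswith("--default-ssl-certificate=")]
    if not cert_flags:
        findings.append("no --default-ssl-certificate: catch-all server uses a self-signed cert")
    else:
        value = cert_flags[0].split("=", 1)[1]
        parts = value.split("/")  # expected form: <namespace>/<secret>
        if len(parts) != 2 or not all(parts):
            findings.append(f"--default-ssl-certificate must be <namespace>/<secret>, got {value!r}")
    if want_passthrough and "--enable-ssl-passthrough" not in args:
        findings.append("passthrough backends need --enable-ssl-passthrough (disabled by default)")
    return findings


# Constructed sample input: one Ingress and one set of controller args.
SAMPLE_INGRESS = {
    "apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
    "metadata": {"name": "ingress-demo"},
    "spec": {
        "tls": [{"hosts": ["demo.example.test", "other.example.test"]}],  # no secretName
        "rules": [{"host": "demo.example.test"}],
    },
}
SAMPLE_ARGS = ["/nginx-ingress-controller", "--default-ssl-certificate=default/foo-tls"]

if __name__ == "__main__":
    for f in audit_ingress(SAMPLE_INGRESS) + audit_controller_args(SAMPLE_ARGS, want_passthrough=True):
        print("FINDING:", f)
```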
