Closed mqliang closed 7 years ago
cc @ddysher @superxi911
@mqliang looks like you have a network issue, not related to ingress.
Just to certify if nginx is correctly exposing the port 443, run the curl command inside the container and paste the output.
$ kubectl exec -ti nginx-ingress-controller-q7m97 bash
root@ hosts:/# curl localhost:80
curl: (52) Empty reply from server
root@hosts:/# curl localhost:443
curl: (56) Recv failure: Connection reset by peer
root@ hosts:/#
Also your service is just exposing the 80 port, you should add port 443.
[root@c1v41 ~]# kubectl get svc echoheaders-x
NAME CLUSTER-IP EXTERNAL-IP PORT(S) AGE
echoheaders-x 10.254.31.223 <none> 80/TCP 19h
@gianrubio
nginx does correctly exposing 443.
#
#
# curl localhost:80
<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
<title>page not found</title>
</head>
<body>
<h1>Page Not Found</h1>
</body>
</html>
# curl localhost:443
<html>
<head><title>400 The plain HTTP request was sent to HTTPS port</title></head>
<body bgcolor="white">
<center><h1>400 Bad Request</h1></center>
<center>The plain HTTP request was sent to HTTPS port</center>
<hr><center>nginx/1.11.10</center>
</body>
</html>
#
# curl https://127.0.0.1 -H 'Host:foo.bar.com' -k -v
* Rebuilt URL to: https://127.0.0.1/
* Trying 127.0.0.1...
* connect to 127.0.0.1 port 443 failed: Connection refused
* Failed to connect to 127.0.0.1 port 443: Connection refused
* Closing connection 0
curl: (7) Failed to connect to 127.0.0.1 port 443: Connection refused
Seenetstat
output:
# netstat -lnp | grep 443
tcp6 0 0 :::443 :::* LISTEN 14/nginx.conf
tcp6 0 0 :::443 :::* LISTEN 14/nginx.conf
tcp6 0 0 :::443 :::* LISTEN 14/nginx.conf
tcp6 0 0 :::443 :::* LISTEN 14/nginx.conf
# ps -ef
UID PID PPID C STIME TTY TIME CMD
root 1 0 0 Mar08 ? 00:00:00 /sbin/dumb-init -- /nginx-ingress-controller --default-backend-service=default/default-http-backend
root 6 1 1 Mar08 ? 00:20:13 /nginx-ingress-controller --default-backend-service=default/default-http-backend
root 14 6 0 Mar08 ? 00:00:00 nginx: master process /usr/sbin/nginx -c /etc/nginx/nginx.conf
root 6665 0 0 09:20 ? 00:00:00 sh
root 7402 6665 0 09:33 ? 00:00:00 ps -ef
root 27253 0 0 02:18 ? 00:00:00 sh
nobody 30617 14 0 03:31 ? 00:00:00 nginx: worker process
nobody 30618 14 0 03:31 ? 00:00:00 nginx: worker process
nobody 30619 14 0 03:31 ? 00:00:00 nginx: worker process
nobody 30620 14 0 03:31 ? 00:00:00 nginx: worker process
@gianrubio It's very strange that curl 127.0.0.1:443
succeeded but curl https://127.0.0.1
was "connection refused".
Also your service is just exposing the 80 port, you should add port 443.
It's not a big problem, sine Ingress rule is
rules:
- host: foo.bar.com
http:
paths:
- backend:
serviceName: echoheaders-x
servicePort: 80
path: /
So, nginx will terminate the https and forward request to the 80 port of backend service
@mqliang I got the issue, your listen port 443 it's just listening on ipv6. The master branch include a fix to this, the flag is ipv6only=off
so the right listen for the default server is
listen [::]:443 default_server ipv6only=off reuseport backlog=511 ssl http2;
What ingress version are you running? Could you build a custom ingress, pointing to the master branch?
@gianrubio It works after build the latest master branch. Great thanks and close this.
Still have the same problem in release 0.9.0.beta.15
@aledbf
I deploy nginx-ingress-controller and use TLS termination to secure an Ingress as this tutorial does. Howe, https connection was refused by nginx-ingress controller:
Ingress yaml is as follows:
Can access through service IP
Can not access through Ingress: Connection refused
nginx config:
kubectl exec -it sh
into nginx-ingress-controller Pod andcat /etc/nginx/nginx.conf
: