Description
What happened:
- I enabled proxy protocol and SSL passthrough through the Helm chart and passed the TLS traffic, encapsulated using proxy protocol v2, to the ingress. I didn't test with proxy protocol v1.
values.yaml:

```yaml
controller:
  config:
    use-proxy-protocol: "true"
  service:
    type: ClusterIP
  ingressClass: nginx
  ingressClassResource:
    name: nginx
    default: true
    controllerValue: k8s.io/ingress-nginx
  watchIngressWithoutClass: true
  extraArgs:
    enable-ssl-passthrough: ""
```
- Traffic is broken and a TLS error is sent to the browser by the load balancer in front of ingress-nginx.
- After disabling `enable-ssl-passthrough` everything works as intended.
- Plaintext (HTTP) traffic works fine the whole time (which is expected, as there's no SSL to pass through).
What you expected to happen:
- TLS traffic when enabled ssl-passthrough and proxy protocol should be compatible with proxy protocol.
What do you think went wrong?
It looks like there's something before nginx when ssl-passthrough is enabled (443 is not bound to nginx, 442 is) and it cannot handle the proxy proto (or at least v2).
NGINX Ingress controller version (exec into the pod and run `nginx-ingress-controller --version`):

```
-------------------------------------------------------------------------------
NGINX Ingress controller
  Release:       v1.8.1
  Build:         dc88dce9ea5e700f3301d16f971fa17c6cfe757d
  Repository:    https://github.com/kubernetes/ingress-nginx
  nginx version: nginx/1.21.6
-------------------------------------------------------------------------------
```
Helm chart v4.7.1.
Kubernetes version (use `kubectl version`):

```
Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.2+rke2r1", GitCommit:"7f6f68fdabc4df88cfea2dcf9a19b2b830f1e647", GitTreeState:"clean", BuildDate:"2023-05-18T15:55:31Z", GoVersion:"go1.20.4 X:boringcrypto", Compiler:"gc", Platform:"linux/amd64"}
```
Environment:
- Cloud provider or hardware configuration: RKE2 (version above)
- OS (e.g. from /etc/os-release): Ubuntu 22.04.2 LTS
- Kernel (e.g. `uname -a`): 5.15.0-75-lowlatency
- Install tools: RKE2, ArgoCD, Helm chart
  (Please mention how/where the cluster was created, e.g. kubeadm/kops/minikube/kind.)
- Basic cluster related info:
  - `kubectl version`: above
  - `kubectl get nodes -o wide`:

```
NAME     STATUS   ROLES                       AGE   VERSION          INTERNAL-IP   EXTERNAL-IP   OS-IMAGE             KERNEL-VERSION       CONTAINER-RUNTIME
big-boy  Ready    control-plane,etcd,master   88d   v1.27.2+rke2r1   REDACTED      <none>        Ubuntu 22.04.2 LTS   5.15.0-75-lowlatency containerd://1.7.1-k3s1
```
- How was the ingress-nginx-controller installed:
  - If helm was used then please show output of `helm ls -A | grep -i ingress`: not gonna work with ArgoCD
  - If helm was used then please show output of `helm -n <ingresscontrollernamespace> get values <helmreleasename>`: already shown above
  - If helm was not used, then copy/paste the complete precise command used to install the controller, along with the flags and options used
  - If you have more than one instance of the ingress-nginx-controller installed in the same cluster, please provide details for all the instances
How to reproduce this issue:

Pass the proxy protocol encapsulated traffic to the TLS port when ssl-passthrough is enabled (helm values above).
The source of the proxy protocol traffic can be e.g. haproxy with a backend server configured with `send-proxy-v2` and pointing to the ingress-nginx. No ingress objects are needed, just plain ingress-nginx and some proxy with proxy protocol sending support.
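To reproduce or diagnose this without haproxy, the following added Python example (not part of the report or of ingress-nginx) builds the PROXY protocol v2 header that `send-proxy-v2` prepends to a connection and parses it back; the addresses and the short TLS-record prefix are constructed stand-ins, not captured traffic. It also shows that a PROXY-prefixed stream does not begin with a TLS record, which is consistent with the TLS error the report describes when the 443 listener is not PROXY-aware.

```python
import ipaddress
import struct

# PROXY protocol v2 constants (HAProxy PROXY protocol spec, section 2.2).
V2_SIGNATURE = b"\r\n\r\n\x00\r\nQUIT\n"   # 12-byte binary signature
V2_CMD_LOCAL = 0x20                        # version 2, command LOCAL (health checks)
V2_CMD_PROXY = 0x21                        # version 2, command PROXY
V2_TCP4 = 0x11                             # AF_INET + SOCK_STREAM
V2_TCP6 = 0x21                             # AF_INET6 + SOCK_STREAM
ADDR_LEN = {V2_TCP4: 12, V2_TCP6: 36}      # size of the address block per family

# Constructed stand-in for the first TLS record (0x16 = handshake, 0x0301 = record
# version); a real ClientHello is much longer, only the leading bytes matter here.
TLS_PREFIX = b"\x16\x03\x01\x00\x05hello"


def encode_v2_header(src_ip, src_port, dst_ip, dst_port):
    """Build the PROXY v2 header a proxy configured with send-proxy-v2 prepends."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    if src.version != dst.version:
        raise ValueError("source and destination must be the same IP family")
    family = V2_TCP4 if src.version == 4 else V2_TCP6
    addrs = src.packed + dst.packed + struct.pack("!HH", src_port, dst_port)
    return V2_SIGNATURE + bytes([V2_CMD_PROXY, family]) + struct.pack("!H", len(addrs)) + addrs


def decode_v2_header(data):
    """Parse a PROXY v2 header; return (src_ip, src_port, dst_ip, dst_port, payload_offset).

    Raises ValueError when the stream does not start with a v2 header, i.e. the
    bytes a TLS listener that is not PROXY-aware would fail on."""
    if len(data) < 16 or data[:12] != V2_SIGNATURE:
        raise ValueError("no PROXY v2 signature, stream starts with %r" % data[:4])
    ver_cmd, family, length = struct.unpack("!BBH", data[12:16])
    end = 16 + length                      # TLVs, if any, are skipped via the length field
    if ver_cmd >> 4 != 2 or len(data) < end:
        raise ValueError("bad version nibble or truncated header")
    if ver_cmd == V2_CMD_LOCAL:            # LOCAL: receiver must ignore any addresses
        return None, None, None, None, end
    if family not in ADDR_LEN or length < ADDR_LEN[family]:
        raise ValueError("unsupported family/transport 0x%02x or short address block" % family)
    fmt = "!4s4sHH" if family == V2_TCP4 else "!16s16sHH"
    s, d, sp, dp = struct.unpack(fmt, data[16:16 + ADDR_LEN[family]])
    return str(ipaddress.ip_address(s)), sp, str(ipaddress.ip_address(d)), dp, end


def looks_like_tls_record(data):
    """True if the stream opens with a TLS handshake record, which is what a plain
    TLS listener expects to read first (a PROXY header starts with CR LF instead)."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03
```

Sending `encode_v2_header(...) + <real ClientHello>` over a TCP socket to the ingress reproduces the encapsulation without haproxy; `decode_v2_header` is the check to run on what a listener actually receives.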