From 5c8522cdab35b5541ea3d3108c6ee2826fd2eb20 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kamil=20Doma=C5=84ski?= Date: Fri, 6 Dec 2019 11:40:04 +0100 Subject: [PATCH 1/2] apply default certificate again in cases of invalid or incomplete cert config MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Kamil DomaƄski --- internal/ingress/controller/controller.go | 3 +++ internal/ingress/controller/template/template.go | 6 ------ 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/internal/ingress/controller/controller.go b/internal/ingress/controller/controller.go index 13d484d96d..48a60424c6 100644 --- a/internal/ingress/controller/controller.go +++ b/internal/ingress/controller/controller.go @@ -1115,6 +1115,7 @@ func (n *NGINXController) createServers(data []*ingress.Ingress, tlsSecretName := extractTLSSecretName(host, ing, n.store.GetLocalSSLCert) if tlsSecretName == "" { klog.V(3).Infof("Host %q is listed in the TLS section but secretName is empty. Using default certificate.", host) + servers[host].SSLCert = n.getDefaultSSLCertificate() continue } @@ -1122,6 +1123,7 @@ func (n *NGINXController) createServers(data []*ingress.Ingress, cert, err := n.store.GetLocalSSLCert(secrKey) if err != nil { klog.Warningf("Error getting SSL certificate %q: %v. Using default certificate", secrKey, err) + servers[host].SSLCert = n.getDefaultSSLCertificate() continue } @@ -1136,6 +1138,7 @@ func (n *NGINXController) createServers(data []*ingress.Ingress, klog.Warningf("SSL certificate %q does not contain a Common Name or Subject Alternative Name for server %q: %v", secrKey, host, err) klog.Warningf("Using default certificate") + servers[host].SSLCert = n.getDefaultSSLCertificate() continue } } diff --git a/internal/ingress/controller/template/template.go b/internal/ingress/controller/template/template.go index 2d671250a6..85f9eae5f0 100644 --- a/internal/ingress/controller/template/template.go 
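Review bot: The fallback `servers[host].SSLCert = n.getDefaultSSLCertificate()` is now repeated in three branches of `createServers` (empty secretName, `GetLocalSSLCert` error, missing CN/SAN match), and none of them says why a host with broken TLS configuration still gets a certificate. A comment above the first assignment would cover it, e.g. `// Fall back to the default certificate so the 443 listener is still rendered for this host.` Clients of such a host are then served a certificate that may not cover the hostname, and the first branch logs this only at `klog.V(3)`, so it is invisible at default verbosity. Unless an empty secretName is an intended configuration, logging it with `klog.Warningf` like the other two branches would make the misconfiguration detectable. The loop and function body start outside these hunks, so the diff does not show whether `servers[host]` is guaranteed non-nil at these points.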
+++ b/internal/ingress/controller/template/template.go @@ -1155,12 +1155,6 @@ func buildHTTPSListener(t interface{}, s interface{}) string { return "" } - /* - if server.SSLCert == nil && server.Hostname != "_" { - return "" - } - */ - co := commonListenOptions(tc, hostname) addrV4 := []string{""} From 16b5ad3c09bcb3dad9aa311a8ca8eccf16716c9a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Kamil=20Doma=C5=84ski?= Date: Mon, 9 Dec 2019 14:33:20 +0100 Subject: [PATCH 2/2] add e2e test for HTTP->HTTPS redirection --- test/e2e/ssl/http_redirect.go | 71 +++++++++++++++++++++++++++++++++++ 1 file changed, 71 insertions(+) create mode 100644 test/e2e/ssl/http_redirect.go diff --git a/test/e2e/ssl/http_redirect.go b/test/e2e/ssl/http_redirect.go new file mode 100644 index 0000000000..5f26284e91 --- /dev/null +++ b/test/e2e/ssl/http_redirect.go 
@@ -0,0 +1,71 @@
+/*
+Copyright 2019 The Kubernetes Authors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package ssl
+
+import (
+ "net/http"
+ "strings"
+
+ . "github.com/onsi/ginkgo"
+ . "github.com/onsi/gomega"
+ "github.com/parnurzeal/gorequest"
+
+ "k8s.io/ingress-nginx/test/e2e/framework"
+)
+
+var _ = framework.IngressNginxDescribe("sslredirect", func() {
+ f := framework.NewDefaultFramework("sslredirect")
+
+ BeforeEach(func() {
+ f.NewEchoDeployment()
+ })
+
+ AfterEach(func() {
+ })
+
+ It("should redirect from HTTP to HTTPS when secret is missing", func() {
+ host := "redirect.com"
+
+ _ = f.EnsureIngress(framework.NewSingleIngressWithTLS(host, "/", host, []string{host}, f.Namespace, framework.EchoService, 80, nil))
+
+ f.WaitForNginxServer(host,
+ func(server string) bool {
+ return strings.Contains(server, "server_name redirect.com") &&
+ strings.Contains(server, "listen 443") &&
+ strings.Contains(server, "listen 80")
+ })
+
+ log, err := f.NginxLogs()
+ Expect(err).ToNot(HaveOccurred())
+ Expect(log).ToNot(BeEmpty())
+
+ resp, _, errs := gorequest.New().
+ Get(f.GetURL(framework.HTTP)).
+ Set("Host", host).
+ RedirectPolicy(func(_ gorequest.Request, _ []gorequest.Request) error {
+ return http.ErrUseLastResponse
+ }).
+ End()
+
+ Expect(errs).Should(BeEmpty())
+ Expect(resp.StatusCode).Should(Equal(http.StatusPermanentRedirect))
+
+ location, err := (*http.Response)(resp).Location()
+ Expect(err).Should(BeNil())
+ Expect(location.String()).Should(Equal("https://redirect.com/"))
+ })
+})
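Review bot: The spec asserts only the 308 on port 80 and that the rendered config contains `listen 443`; nothing checks which certificate the 443 listener presents for `redirect.com`, which is the behaviour patch 1/2 changes. A follow-up assertion that a TLS handshake for this host completes and returns the controller's default certificate would catch a regression to a listener without a usable certificate. Judging by the spec title and the absence of any secret creation, only the `GetLocalSSLCert` error branch is exercised, so the empty-secretName and CN/SAN-mismatch fallbacks stay untested. The empty `AfterEach(func() {})` can be dropped, and `Expect(err).Should(BeNil())` would read more consistently as `Expect(err).ToNot(HaveOccurred())`, matching the check after `f.NginxLogs()`.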