-
Notifications
You must be signed in to change notification settings - Fork 104
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
Showing
4 changed files
with
453 additions
and
6 deletions.
There are no files selected for viewing
245 changes: 245 additions & 0 deletions
245
site/content/how-to/traffic-management/https-termination.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,245 @@ | ||
| --- | ||
| title: "HTTPS Termination" | ||
| description: "Learn how to terminate HTTPS traffic using NGINX Gateway Fabric." | ||
| weight: 500 | ||
| toc: true | ||
| docs: "DOCS-000" | ||
| --- | ||
|
|
||
| In this guide, we will show how to configure HTTPS termination for your application, using an [HTTPRoute](https://gateway-api.sigs.k8s.io/api-types/httproute/) redirect filter, secret, and [ReferenceGrant](https://gateway-api.sigs.k8s.io/api-types/referencegrant/). | ||
|
|
||
| ## Prerequisites | ||
|
|
||
| - [Install]({{< relref "installation/" >}}) NGINX Gateway Fabric. | ||
| - [Expose NGINX Gateway Fabric]({{< relref "installation/expose-nginx-gateway-fabric.md" >}}) and save the public IP address and port of NGINX Gateway Fabric into shell variables: | ||
|
|
||
| ```text | ||
| GW_IP=XXX.YYY.ZZZ.III | ||
| GW_PORT=<port number> | ||
| ``` | ||
|
|
||
| Save the ports of NGINX Gateway Fabric: | ||
|
|
||
| ```text | ||
| GW_HTTP_PORT=<http port number> | ||
| GW_HTTPS_PORT=<https port number> | ||
| ``` | ||
|
|
||
| {{< note >}}In a production environment, you should have a DNS record for the external IP address that is exposed, and it should refer to the hostname that the gateway will forward for.{{< /note >}} | ||
|
|
||
| ## Set up | ||
|
|
||
| Create the **coffee** application in Kubernetes by copying and pasting the following block into your terminal: | ||
|
|
||
| ```yaml | ||
| kubectl apply -f - <<EOF | ||
| apiVersion: apps/v1 | ||
| kind: Deployment | ||
| metadata: | ||
| name: coffee | ||
| spec: | ||
| replicas: 1 | ||
| selector: | ||
| matchLabels: | ||
| app: coffee | ||
| template: | ||
| metadata: | ||
| labels: | ||
| app: coffee | ||
| spec: | ||
| containers: | ||
| - name: coffee | ||
| image: nginxdemos/nginx-hello:plain-text | ||
| ports: | ||
| - containerPort: 8080 | ||
| --- | ||
| apiVersion: v1 | ||
| kind: Service | ||
| metadata: | ||
| name: coffee | ||
| spec: | ||
| ports: | ||
| - port: 80 | ||
| targetPort: 8080 | ||
| protocol: TCP | ||
| name: http | ||
| selector: | ||
| app: coffee | ||
| EOF | ||
| ``` | ||
|
|
||
| This will create the **coffee** service and a deployment. Run the following command to verify the resources were created: | ||
|
|
||
| ```shell | ||
| kubectl get pods,svc | ||
| ``` | ||
|
|
||
| Your output should include the **coffee** pod and the **coffee** service: | ||
|
|
||
| ```text | ||
| NAME READY STATUS RESTARTS AGE | ||
| pod/coffee-6b8b6d6486-7fc78 1/1 Running 0 40s | ||
| NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE | ||
| service/coffee ClusterIP 10.96.189.37 <none> 80/TCP 40s | ||
| ``` | ||
|
|
||
| ## Configure HTTPS Termination and Routing | ||
|
|
||
| For the HTTPS, we need a certificate and key that are stored in a secret. This secret will live in a separate namespace, so we will need a ReferenceGrant in order to access it. | ||
|
|
||
| To create the **certificate** namespace and secret, copy and paste the following into your terminal: | ||
|
|
||
| ```yaml | ||
| kubectl apply -f - <<EOF | ||
| apiVersion: v1 | ||
| kind: Namespace | ||
| metadata: | ||
| name: certificate | ||
| --- | ||
| apiVersion: v1 | ||
| kind: Secret | ||
| metadata: | ||
| name: cafe-secret | ||
| namespace: certificate | ||
| type: kubernetes.io/tls | ||
| data: | ||
| tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUNzakNDQVpvQ0NRQzdCdVdXdWRtRkNEQU5CZ2txaGtpRzl3MEJBUXNGQURBYk1Sa3dGd1lEVlFRRERCQmoKWVdabExtVjRZVzF3YkdVdVkyOXRNQjRYRFRJeU1EY3hOREl4TlRJek9Wb1hEVEl6TURjeE5ESXhOVEl6T1ZvdwpHekVaTUJjR0ExVUVBd3dRWTJGbVpTNWxlR0Z0Y0d4bExtTnZiVENDQVNJd0RRWUpLb1pJaHZjTkFRRUJCUUFECmdnRVBBRENDQVFvQ2dnRUJBTHFZMnRHNFc5aStFYzJhdnV4Q2prb2tnUUx1ek10U1Rnc1RNaEhuK3ZRUmxIam8KVzFLRnMvQVdlS25UUStyTWVKVWNseis4M3QwRGtyRThwUisxR2NKSE50WlNMb0NEYUlRN0Nhck5nY1daS0o4Qgo1WDNnVS9YeVJHZjI2c1REd2xzU3NkSEQ1U2U3K2Vab3NPcTdHTVF3K25HR2NVZ0VtL1Q1UEMvY05PWE0zZWxGClRPL051MStoMzROVG9BbDNQdTF2QlpMcDNQVERtQ0thaEROV0NWbUJQUWpNNFI4VERsbFhhMHQ5Z1o1MTRSRzUKWHlZWTNtdzZpUzIrR1dYVXllMjFuWVV4UEhZbDV4RHY0c0FXaGRXbElweHlZQlNCRURjczN6QlI2bFF1OWkxZAp0R1k4dGJ3blVmcUVUR3NZdWxzc05qcU95V1VEcFdJelhibHhJZVVDQXdFQUFUQU5CZ2txaGtpRzl3MEJBUXNGCkFBT0NBUUVBcjkrZWJ0U1dzSnhLTGtLZlRkek1ISFhOd2Y5ZXFVbHNtTXZmMGdBdWVKTUpUR215dG1iWjlpbXQKL2RnWlpYVE9hTElHUG9oZ3BpS0l5eVVRZVdGQ2F0NHRxWkNPVWRhbUloOGk0Q1h6QVJYVHNvcUNOenNNLzZMRQphM25XbFZyS2lmZHYrWkxyRi8vblc0VVNvOEoxaCtQeDljY0tpRDZZU0RVUERDRGh1RUtFWXcvbHpoUDJVOXNmCnl6cEJKVGQ4enFyM3paTjNGWWlITmgzYlRhQS82di9jU2lyamNTK1EwQXg4RWpzQzYxRjRVMTc4QzdWNWRCKzQKcmtPTy9QNlA0UFlWNTRZZHMvRjE2WkZJTHFBNENCYnExRExuYWRxamxyN3NPbzl2ZzNnWFNMYXBVVkdtZ2todAp6VlZPWG1mU0Z4OS90MDBHUi95bUdPbERJbWlXMGc9PQotLS0tLUVORCBDRVJUSUZJQ0FURS0tLS0tCg== | ||
| tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUV2UUlCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQktjd2dnU2pBZ0VBQW9JQkFRQzZtTnJSdUZ2WXZoSE4KbXI3c1FvNUtKSUVDN3N6TFVrNExFeklSNS9yMEVaUjQ2RnRTaGJQd0ZuaXAwMFBxekhpVkhKYy92TjdkQTVLeApQS1VmdFJuQ1J6YldVaTZBZzJpRU93bXF6WUhGbVNpZkFlVjk0RlAxOGtSbjl1ckV3OEpiRXJIUncrVW51L25tCmFMRHF1eGpFTVBweGhuRklCSnYwK1R3djNEVGx6TjNwUlV6dnpidGZvZCtEVTZBSmR6N3Rid1dTNmR6MHc1Z2kKbW9RelZnbFpnVDBJek9FZkV3NVpWMnRMZllHZWRlRVJ1VjhtR041c09va3R2aGxsMU1udHRaMkZNVHgySmVjUQo3K0xBRm9YVnBTS2NjbUFVZ1JBM0xOOHdVZXBVTHZZdFhiUm1QTFc4SjFINmhFeHJHTHBiTERZNmpzbGxBNlZpCk0xMjVjU0hsQWdNQkFBRUNnZ0VBQnpaRE50bmVTdWxGdk9HZlFYaHRFWGFKdWZoSzJBenRVVVpEcUNlRUxvekQKWlV6dHdxbkNRNlJLczUyandWNTN4cU9kUU94bTNMbjNvSHdNa2NZcEliWW82MjJ2dUczYnkwaVEzaFlsVHVMVgpqQmZCcS9UUXFlL2NMdngvSkczQWhFNmJxdFRjZFlXeGFmTmY2eUtpR1dzZk11WVVXTWs4MGVJVUxuRmZaZ1pOCklYNTlSOHlqdE9CVm9Sa3hjYTVoMW1ZTDFsSlJNM3ZqVHNHTHFybmpOTjNBdWZ3ZGRpK1VDbGZVL2l0K1EvZkUKV216aFFoTlRpNVFkRWJLVStOTnYvNnYvb2JvandNb25HVVBCdEFTUE05cmxFemIralQ1WHdWQjgvLzRGY3VoSwoyVzNpcjhtNHVlQ1JHSVlrbGxlLzhuQmZ0eVhiVkNocVRyZFBlaGlPM1FLQmdRRGlrR3JTOTc3cjg3Y1JPOCtQClpoeXltNXo4NVIzTHVVbFNTazJiOTI1QlhvakpZL2RRZDVTdFVsSWE4OUZKZnNWc1JRcEhHaTFCYzBMaTY1YjIKazR0cE5xcVFoUmZ1UVh0UG9GYXRuQzlPRnJVTXJXbDVJN0ZFejZnNkNQMVBXMEg5d2hPemFKZUdpZVpNYjlYTQoybDdSSFZOcC9jTDlYbmhNMnN0Q1lua2Iwd0tCZ1FEUzF4K0crakEyUVNtRVFWNXA1RnRONGcyamsyZEFjMEhNClRIQ2tTazFDRjhkR0Z2UWtsWm5ZbUt0dXFYeXNtekJGcnZKdmt2eUhqbUNYYTducXlpajBEdDZtODViN3BGcVAKQWxtajdtbXI3Z1pUeG1ZMXBhRWFLMXY4SDNINGtRNVl3MWdrTWRybVJHcVAvaTBGaDVpaGtSZS9DOUtGTFVkSQpDcnJjTzhkUVp3S0JnSHA1MzRXVWNCMVZibzFlYStIMUxXWlFRUmxsTWlwRFM2TzBqeWZWSmtFb1BZSEJESnp2ClIrdzZLREJ4eFoyWmJsZ05LblV0YlhHSVFZd3lGelhNcFB5SGxNVHpiZkJhYmJLcDFyR2JVT2RCMXpXM09PRkgKcmppb21TUm1YNmxhaDk0SjRHU0lFZ0drNGw1SHhxZ3JGRDZ2UDd4NGRjUktJWFpLZ0w2dVJSSUpBb0dCQU1CVApaL2p5WStRNTBLdEtEZHUrYU9ORW4zaGxUN3hrNXRKN3NBek5rbWdGMU10RXlQUk9Xd1pQVGFJbWpRbk9qbHdpCldCZ2JGcXg0M2ZlQ1Z4ZXJ6V3ZEM0txaWJVbWpCTkNMTGtYeGh3ZEVteFQwVit2NzZGYzgwaTNNYVdSNnZZR08KditwVVovL0F6UXdJcWZ6dlVmV2ZxdStrMHlhVXhQOGNlcFBIRyt0bEFvR0FmQUtVVWhqeFU0Ym5vVzVwVUhKegpwWWZXZXZ5TW54NWZyT2VsSmRmNzlvNGMvMHhVSjh1eFBFWDFkRmNrZW96dHNpaVFTNkN6MENRY09XVWxtSkRwCnVrdERvVzM3VmNSQU1BVjY3NlgxQVZlM0UwNm5aL2g2Tkd4Z28rT042Q3pwL0lkMkJPUm9IMFAxa2RjY1NLT3kKMUtFZlNnb1B0c1N1eEpBZXdUZmxDMXc9Ci0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0K | ||
| EOF | ||
| ``` | ||
|
|
||
| To create the **access-to-cafe-secret** referencegrant, copy and paste the following into your terminal: | ||
|
|
||
| ```yaml | ||
| kubectl apply -f - <<EOF | ||
| apiVersion: gateway.networking.k8s.io/v1beta1 | ||
| kind: ReferenceGrant | ||
| metadata: | ||
| name: access-to-cafe-secret | ||
| namespace: certificate | ||
| spec: | ||
| to: | ||
| - group: "" | ||
| kind: Secret | ||
| name: cafe-secret # if you omit this name, then Gateways in default namespace can access all Secrets in the certificate namespace | ||
| from: | ||
| - group: gateway.networking.k8s.io | ||
| kind: Gateway | ||
| namespace: default | ||
| EOF | ||
| ``` | ||
|
|
||
| To create the **cafe** gateway, copy and paste the following into your terminal: | ||
|
|
||
| ```yaml | ||
| kubectl apply -f - <<EOF | ||
| apiVersion: gateway.networking.k8s.io/v1 | ||
| kind: Gateway | ||
| metadata: | ||
| name: cafe | ||
| spec: | ||
| gatewayClassName: nginx | ||
| listeners: | ||
| - name: http | ||
| port: 80 | ||
| protocol: HTTP | ||
| - name: https | ||
| port: 443 | ||
| protocol: HTTPS | ||
| tls: | ||
| mode: Terminate | ||
| certificateRefs: | ||
| - kind: Secret | ||
| name: cafe-secret | ||
| namespace: certificate | ||
| EOF | ||
| ``` | ||
|
|
||
| This gateway configures: | ||
|
|
||
| - `http` listener for HTTP traffic | ||
| - `https` listener for HTTPS traffic. It terminates TLS connections using the `cafe-secret` we created. | ||
|
|
||
| To create the httproute resources, copy and paste the following into your terminal: | ||
|
|
||
| ```yaml | ||
| kubectl apply -f - <<EOF | ||
| apiVersion: gateway.networking.k8s.io/v1 | ||
| kind: HTTPRoute | ||
| metadata: | ||
| name: cafe-tls-redirect | ||
| spec: | ||
| parentRefs: | ||
| - name: cafe | ||
| sectionName: http | ||
| hostnames: | ||
| - "cafe.example.com" | ||
| rules: | ||
| - filters: | ||
| - type: RequestRedirect | ||
| requestRedirect: | ||
| scheme: https | ||
| port: 443 | ||
| --- | ||
| apiVersion: gateway.networking.k8s.io/v1 | ||
| kind: HTTPRoute | ||
| metadata: | ||
| name: coffee | ||
| spec: | ||
| parentRefs: | ||
| - name: cafe | ||
| sectionName: https | ||
| hostnames: | ||
| - "cafe.example.com" | ||
| rules: | ||
| - matches: | ||
| - path: | ||
| type: PathPrefix | ||
| value: /coffee | ||
| backendRefs: | ||
| - name: coffee | ||
| port: 80 | ||
| EOF | ||
| ``` | ||
|
|
||
| The first route issues a `requestRedirect` from the `http` listener on port 80 to `https` on port 443. The second route binds the `coffee` route to the `https` listener. | ||
|
|
||
| ## Send Traffic | ||
|
|
||
| Using the external IP address and port for NGINX Gateway Fabric, we can send traffic to our coffee application. | ||
|
|
||
| {{< note >}}If you have a DNS record allocated for `cafe.example.com`, you can send the request directly to that hostname, without needing to resolve.{{< /note >}} | ||
|
|
||
| To test that NGINX sends an HTTPS redirect, we will send requests to the `coffee` service on the HTTP port. We | ||
| will use curl's `--include` option to print the response headers (we are interested in the `Location` header). | ||
|
|
||
| ```shell | ||
| curl --resolve cafe.example.com:$GW_HTTP_PORT:$GW_IP http://cafe.example.com:$GW_HTTP_PORT/coffee --include | ||
| ``` | ||
|
|
||
| ```text | ||
| HTTP/1.1 302 Moved Temporarily | ||
| ... | ||
| Location: https://cafe.example.com/coffee | ||
| ... | ||
| ``` | ||
|
|
||
| Now we will access the application over HTTPS. Since our certificate is self-signed, we will use curl's `--insecure` | ||
| option to turn off certificate verification. | ||
|
|
||
| ```shell | ||
| curl --resolve cafe.example.com:$GW_HTTPS_PORT:$GW_IP https://cafe.example.com:$GW_HTTPS_PORT/coffee --insecure | ||
| ``` | ||
|
|
||
| ```text | ||
| Server address: 10.244.0.6:80 | ||
| Server name: coffee-6b8b6d6486-7fc78 | ||
| ``` | ||
|
|
||
| ## Further Reading | ||
|
|
||
| To learn more about redirects using the Gateway API, see the following resource: | ||
|
|
||
| - [Gateway API Redirects](https://gateway-api.sigs.k8s.io/guides/http-redirect-rewrite/) |
Oops, something went wrong.