Kong Ingress proxy-ssl sending "The plain HTTP request was sent to HTTPS port"

Kubernetes
1

Hello,

I’m trying to get the kong ingress working in Kubernetes and I’m encountering this peculiarity with the db-less Kubernetes-only config.

We’re exposing nodePort 30256 as follows:

apiVersion: v1
kind: Service
metadata:
annotations:
name: kong-proxy
namespace: kong4k8s
spec:
ports:

  • name: proxy
    port: 80
    protocol: TCP
    targetPort: 8000
    nodePort: 30264
  • name: proxy-ssl
    port: 443
    protocol: TCP
    targetPort: 8443
    nodePort: 30265
    selector:
    app: ingress-kong
    type: NodePort

When I do this, I get an error going to any URL being serviced by this ingress:
400 Bad Request
The plain HTTP request was sent to HTTPS port

When I switch the 30265 nodePort to the non-ssl proxy as such:

apiVersion: v1
kind: Service
metadata:
annotations:
name: kong-proxy
namespace: kong4k8s
spec:
ports:

  • name: proxy
    port: 80
    protocol: TCP
    targetPort: 8000
    nodePort: 30265
  • name: proxy-ssl
    port: 443
    protocol: TCP
    targetPort: 8443
    nodePort: 30264
    selector:
    app: ingress-kong
    type: NodePort

My webpages start loading correctly again. HOWEVER, it still seems like internally they’re being non-http somehow? I know this because I have an app that dumps all headers, and the X-Forwarded-Port is 80. I also see redirect_uri’s reflecting “http” URLs.

I am hitting my app on https via my browser all the time, so I don’t know where the non-https thing lies in this whole flow. My suspicions are it’s to do with the “proxy” vs “proxy-ssl” in my config. I’d suspect I want “proxy-ssl” to be the thing servicing the nodePort of 30265, but like I said, when I do, I get the 400 error.

What am I doing wrong here, aside from choosing IT as a career path?

2

Are you seeing the 400 directly from Kong, or from upstream? If you send a request to the HTTPS NodePort for some path that doesn’t actually match an Ingress rule, you’ll get a 404 if that 400 error isn’t coming from Kong directly.

If you do see a 404 with an unmatched request, you likely need to set a konghq.com/protocol: https annotation on the Services that back your Ingress resources. K8S Services don’t provide metadata that indicates whether a port is serving HTTP or HTTPS, so we have to choose a default arbitrarily, and use the standard Kong default (http).

3

Thanks for the reply!

When I hit a valid url, I get “The plain HTTP request was sent to HTTPS port”. This is even after I implemented the suggestion to add the annotation for “konghq.com/protocol: https” to my Services backing the ingress. When I hit it via IP address (best I can do to get an invalid URL but still go through our load balancer) I get {“message”:“no Route matched with those values”}

When I use “openssl s_client -connect 10.x.x.x:30265” to test SSL certificates, I get valid SSL data returned.

I’m kinda stumped here. Appreciate folks taking a look and helping.

4

We did some further digging and it turns out our F5 load balancer VIP was missing “SSL profile (server)” config. After we adjusted it, kong works correctly now.

Thanks again for taking a look.