Description
Describe the bug
There are two services, foo.example.com and bar.example.com, served under the wildcard certificate *.example.com by a Gateway with TLS termination:
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
spec:
  gatewayClassName: nginx
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    hostname: "*.example.com"
    allowedRoutes:
      namespaces:
        from: All
  - name: https
    port: 443
    protocol: HTTPS
    hostname: "*.example.com"
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: {{ .Values.tlsTerminationSecret }}
For each service two HTTPRoute manifests were created: one that routes the HTTPS listener to the service over plain HTTP, and one that redirects HTTP to HTTPS:
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: https
spec:
  parentRefs:
  - name: gateway
    sectionName: https
  hostnames:
  - foo.example.com
  rules:
  - backendRefs:
    - name: foo
      port: 80
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http
spec:
  parentRefs:
  - name: gateway
    sectionName: http
  hostnames:
  - foo.example.com
  rules:
  - filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        port: 443
NGINX Gateway Fabric automatically adds this block to the generated server configuration:
if ($ssl_server_name != $host) {
    return 421;
}
When redirecting from foo.example.com to bar.example.com, the iOS browser tries to reuse the existing TLS connection, so $host = bar.example.com while $ssl_server_name = foo.example.com (the SNI from the original handshake), and the server returns 421 Misdirected Request.
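To make the mechanism behind the 421 concrete, here is an added Python model of the exchange (not NGF code): a client that coalesces requests onto an open TLS connection whenever the wildcard certificate covers the new host, and a server check that in strict mode mirrors the nginx block above and in the alternative mode permitted by RFC 7540 section 9.1.2 accepts the request when the negotiated certificate also covers the requested Host. The hostnames and wildcard SAN are the report's; the function names and the `retry` flag are assumptions.

```python
# Added model of the SNI/Host mismatch behind the 421 (not NGF code).
# Hostnames and the wildcard SAN come from the report; everything else is assumed.

def san_matches(san: str, host: str) -> bool:
    """RFC 6125-style match: a wildcard covers exactly one leftmost label."""
    san, host = san.lower(), host.lower()
    if san.startswith("*."):
        suffix = san[1:]                        # "*.example.com" -> ".example.com"
        label = host[: -len(suffix)] if host.endswith(suffix) else None
        return bool(label) and "." not in label
    return san == host

def cert_covers(sans: list[str], host: str) -> bool:
    return any(san_matches(s, host) for s in sans)

def server_status(ssl_server_name: str, host: str, sans: list[str], strict: bool = True) -> int:
    """Server-side check for one request on a connection negotiated with SNI ssl_server_name.
    strict=True mirrors NGF's 'if ($ssl_server_name != $host) { return 421; }'.
    strict=False is the RFC 7540 9.1.2 alternative: accept a coalesced request when the
    certificate presented during the handshake is also valid for the requested Host."""
    if ssl_server_name.lower() == host.lower():
        return 200
    if not strict and cert_covers(sans, host):
        return 200
    return 421

def client_get(conns: list[str], host: str, sans: list[str], strict: bool = True,
               retry: bool = True) -> tuple[int, list[tuple[str, str, int]]]:
    """One request from a coalescing (HTTP/2-style) client. conns holds the SNI of each
    open connection and is extended when a new one is opened. Returns the final status
    and the list of (sni, host, status) attempts. retry=False models a client that
    surfaces the 421 to the user instead of reconnecting, as the report describes."""
    attempts = []
    for sni in conns:
        if cert_covers(sans, host):             # RFC 7540 9.1.1: cert valid for host -> may reuse
            status = server_status(sni, host, sans, strict)
            attempts.append((sni, host, status))
            if status != 421 or not retry:
                return status, attempts
            break                               # RFC 7540 9.1.2: retry over a fresh connection
    conns.append(host)                          # new TLS handshake with SNI = host
    status = server_status(host, host, sans, strict)
    attempts.append((host, host, status))
    return status, attempts

if __name__ == "__main__":
    sans = ["*.example.com"]
    print(client_get(["foo.example.com"], "bar.example.com", sans, strict=True, retry=False))  # 421 shown to user
    print(client_get(["foo.example.com"], "bar.example.com", sans, strict=True))               # 421, then 200
    print(client_get(["foo.example.com"], "bar.example.com", sans, strict=False))              # 200 on first try
```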
To Reproduce
Steps to reproduce the behavior:
- Create the Gateway resource as shown above
- Create the HTTPRoutes as shown above
Expected behavior
NGINX Gateway Fabric allows disabling the block
if ($ssl_server_name != $host) {
    return 421;
}
Your environment
- Version of the NGINX Gateway Fabric - 1.5.1
- Version of Kubernetes - 1.30.10
- Kubernetes platform - Bare Metal