Skip to content

HTTPS Termination #140

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 42 commits into from
Jul 27, 2022
Merged

HTTPS Termination #140

merged 42 commits into from
Jul 27, 2022

Conversation

kate-osborn
Copy link
Contributor

This commit adds support for HTTPS listeners with a TLS mode of Terminate.
Multiple HTTPS listeners are supported provided their hostnames do not conflict.
Additionally, a gateway can have an HTTP and HTTPS listener with the same
hostname.

Limitations:

  • HTTPS listeners must listen on port 443
  • Supports a single reference to a Kubernetes Secret of type kubernetes.io/tls
  • Secret must be in the same namespace as the Gateway
  • Secret must be created before the HTTPRoutes are created
  • Secret rotation is not supported

Checklist

  • I have read the CONTRIBUTING doc
  • I have added tests that prove my fix is effective or that my feature works
  • I have checked that all unit tests pass after adding my changes
  • I have updated necessary documentation
  • I have rebased my branch onto main
  • I will ensure my PR is targeting the main branch and pulling from my branch from my own fork

kate-osborn
kate-osborn commented Jul 12, 2022
View reviewed changes
pleshakov
pleshakov suggested changes Jul 14, 2022
View reviewed changes
Copy link
Contributor

@pleshakov pleshakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi @kate-osborn Please see my review

Kate Osborn added 26 commits July 18, 2022 17:40
HTTPS Termination
24664f1 
This commit adds support for HTTPS listeners with a TLS mode of Terminate.
Multiple HTTPS listeners are supported provided their hostnames do not conflict.
Additionally, a gateway can have an HTTP and HTTPS listener with the same
hostname.

Limitations:
- HTTPS listeners must listen on port 443
- Supports a single reference to a Kubernetes Secret of type kubernetes.io/tls
- Secret must be in the same namespace as the Gateway
- Secret must be created before the HTTPRoutes are created
- Secret rotation is not supported
Add nolint for test certs
e33be3a
Another nolint
514c63f
Last nolint
79b1daa
Lint warning fixes
23f91c8
Add event loop config object
62fdc19
Const block
365abb3
Add listener file to state package
209288d
Fix secret filepath
fa85921
Remove ignored namespaces
8da6df2
Fix len comparison
374a6ec
Indent if/else/end block in template
d4bcc0a
rules -> rulesPerHost
e8a5194
secretCache -> secretStore
643129b
SecretMemoryManager -> SecretDiskMemoryManager
1f1bdbf
store -> request
ed16702
Do not use default server secret
5a9c672
Fix test httproute names
57a81dd
Don't configure invalid listeners
64b8222
collision -> collisions
4b6b9ad
validateHTTPSListener
bfb6c7b
Fix up secrets tests and rename WriteAllStoredSecrets to WriteAllRequ…
8bfd551 
…estedSecrets
Generate default http server
7c34024
HTTPServer -> VirtualServer and HTTPSServers -> SSLServers
445974e
Fix missing semicolon
3d1d472
Change ns of gateway in example
84adfd0
@kate-osborn kate-osborn requested a review from pleshakov July 19, 2022 18:31
pleshakov
pleshakov suggested changes Jul 20, 2022
View reviewed changes
Copy link
Contributor

@pleshakov pleshakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

hi @kate-osborn
a few more suggestions and questions based on the new code

@kate-osborn kate-osborn requested a review from pleshakov July 21, 2022 17:47
pleshakov
pleshakov reviewed Jul 22, 2022
View reviewed changes
Copy link
Contributor

@pleshakov pleshakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

a few more comments/suggestions

pleshakov
pleshakov approved these changes Jul 27, 2022
View reviewed changes
Copy link
Contributor

@pleshakov pleshakov left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

👍

@kate-osborn kate-osborn merged commit 1e4b4d2 into nginx:main Jul 27, 2022
@lucacome lucacome added the enhancement New feature or request label Aug 19, 2022
miledxz added a commit to miledxz/nginx-gateway-fabric that referenced this pull request Jan 14, 2025
@miledxz
HTTPS Termination (nginx#140)
f533c30 
* HTTPS Termination

This commit adds support for HTTPS listeners with a TLS mode of Terminate.
Multiple HTTPS listeners are supported provided their hostnames do not conflict.
Additionally, a gateway can have an HTTP and HTTPS listener with the same
hostname.

Limitations:
- HTTPS listeners must listen on port 443
- Supports a single reference to a Kubernetes Secret of type kubernetes.io/tls
- Secret must be in the same namespace as the Gateway
- Secret must be created before the HTTPRoutes are created
- Secret rotation is not supported
- SNI enforcement is not implemented
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pleshakov pleshakov pleshakov approved these changes

@f5yacobucci f5yacobucci Awaiting requested review from f5yacobucci

Assignees
No one assigned
Labels
enhancement New feature or request
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@kate-osborn @pleshakov @lucacome