Kubernetes ingress controller 3.1.14
Server Version: v1.33.5
Sometimes, we need to configure ssl-passthrough (passthrough) and server-ssl + tls (reencrypt) for the same backend. It seems both rules are incompatible, giving some mystic response.
How to test it: Create a secured endpoint (in our case, an nginx sample).
Using ONLY the passthrough ingress:

```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-passthrough
  namespace: haproxy-controller
  labels:
    app: nginx-ssl
  annotations:
    haproxy.org/ssl-passthrough: "true"
spec:
  ingressClassName: haproxy
  tls:
  - hosts:
    - nginx-passthrough.example.com
  rules:
  - host: nginx-passthrough.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-ssl
            port:
              number: 443
```

curl shows a right negotiation with the backend cert:
```
curl -v https://nginx-passthrough.example.com:20443/
* Host nginx-passthrough.apps.example.com:20443 was resolved.
* IPv6: (none)
* IPv4: 10.37.233.41
* Trying 10.37.233.41:20443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / X25519MLKEM768 / RSASSA-PSS
* ALPN: server accepted http/1.1
* Server certificate:
* subject:
* start date: Dec 10 12:38:46 2025 GMT
* expire date: Mar 10 12:38:46 2026 GMT
* subjectAltName: host "nginx-passthrough.example.com" matched cert's "nginx-passthrough.example.com"
* issuer: C=US; L=Ohio; O=example.com; CN=mainCA; [email protected]
* SSL certificate verify ok.
```

Using ONLY the reencrypt ingress:
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nginx-reencrypt
  namespace: haproxy-controller
  labels:
    app: nginx-ssl
  annotations:
    haproxy.org/server-ssl: "true"
spec:
  ingressClassName: haproxy
  tls:
  - hosts:
    - nginx-reencrypt.example.com
    # No secretName = use HAProxy's default certificate
  rules:
  - host: nginx-reencrypt.example.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-ssl
            port:
              number: 443
```

curl shows the right frontend SSL negotiation (see the wildcard cert for haproxy):
```
curl -v https://nginx-reencrypt.example.com:20443/
* Host nginx-reencrypt.example.com:20443 was resolved.
* IPv6: (none)
* IPv4: 10.37.233.41
* Trying 10.37.233.41:20443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
* CApath: none
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384 / x25519 / RSASSA-PSS
* ALPN: server accepted h2
* Server certificate:
* subject: O=Org Name; CN=*.example.com
* start date: Dec 9 10:55:03 2025 GMT
* expire date: Mar 9 10:55:03 2026 GMT
* subjectAltName: host "nginx-reencrypt.example.com" matched cert's "*.example.com"
* issuer: C=US; L=Ohio; O=example.com; CN=mainCA; [email protected]
* SSL certificate verify ok.
```
But if both ingresses are set up at the same time, the reencrypt ingress works as previously, but the passthrough one is screwed:
```
curl -v https://nginx-passthrough.example.com:20443/
* Host nginx-passthrough.example:20443 was resolved.
* IPv6: (none)
* IPv4: 10.37.233.41
* Trying 10.37.233.41:20443...
* ALPN: curl offers h2,http/1.1
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem
* CApath: none
* TLS connect error: error:0A00010B:SSL routines::wrong version number
* closing connection #0
curl: (35) TLS connect error: error:0A00010B:SSL routines::wrong version number
```
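As an added example (not from the issue or from the ingress controller): a small Python check that classifies `curl -v` transcripts like the three above by who terminated TLS, using the signals visible in them (the matched SAN, the negotiated ALPN, and the `TLS connect error` line), so the passthrough host can be regression-tested whenever ingresses change. The transcripts are constructed abbreviations of the report's output; the "wildcard cert means HAProxy terminated" rule and the `backend_sans` parameter are assumptions.

```python
import re

# Constructed, abbreviated transcripts modelled on the three curl runs in the
# report: passthrough alone, reencrypt alone, passthrough with both ingresses.
PASSTHROUGH_ALONE = """\
* ALPN: server accepted http/1.1
* subjectAltName: host "nginx-passthrough.example.com" matched cert's "nginx-passthrough.example.com"
* SSL certificate verify ok."""
REENCRYPT_ALONE = """\
* ALPN: server accepted h2
* subjectAltName: host "nginx-reencrypt.example.com" matched cert's "*.example.com"
* SSL certificate verify ok."""
PASSTHROUGH_WITH_BOTH = """\
* TLS connect error: error:0A00010B:SSL routines::wrong version number
* closing connection #0"""

SAN_RE = re.compile(r'''host "([^"]+)" matched cert's "([^"]+)"''')
ALPN_RE = re.compile(r"server accepted (\S+)")
ERR_RE = re.compile(r"TLS connect error: (.+)")


def classify(transcript: str, backend_sans: set) -> dict:
    """Decide who terminated TLS from a `curl -v` transcript.

    backend_sans (assumed input): names on the backend's own certificate.
    """
    err = ERR_RE.search(transcript)
    if err:
        # "wrong version number": the ClientHello was answered with a record
        # that is not TLS at all, so no certificate was ever presented.
        return {"mode": "handshake_failure", "detail": err.group(1).strip()}
    san = SAN_RE.search(transcript)
    if not san:
        return {"mode": "unknown", "detail": "no subjectAltName match line"}
    host, matched = san.groups()
    alpn = ALPN_RE.search(transcript)
    if matched in backend_sans:
        mode = "backend_terminated"      # passthrough reached the backend
    elif matched.startswith("*."):
        mode = "frontend_terminated"     # HAProxy's default wildcard cert
    else:
        mode = "unknown"
    return {"mode": mode, "host": host, "san": matched,
            "alpn": alpn.group(1) if alpn else None}


def passthrough_intact(transcript: str, backend_sans: set) -> bool:
    """Regression check: a passthrough host must still present the backend cert."""
    return classify(transcript, backend_sans)["mode"] == "backend_terminated"
```

Feed it the output of `curl -v` for each TLS host after every ingress change; a passthrough host that stops returning `backend_terminated` is the symptom reported above, whichever of the two ingresses caused it.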