Ingress controller http http redirection on AWS NLB SSL termination

[armanbaghajyan]

What happened:

Environment:
Platform AWS EKS
Load balancer: NLB
SSL termination on NLB

Getting TOO MANY REDIRECTION issue

What you expected to happen:

Http to https redirection and terminate SSL on AWS NLB

NGINX Ingress controller version (exec into the pod and run /nginx-ingress-controller --version):

NGINX Ingress controller
Release: v1.12.0
Build: ba73b2c
Repository: https://github.com/kubernetes/ingress-nginx
nginx version: nginx/1.25.5

---

Kubernetes version (use kubectl version):

Client Version: v1.31.1
Kustomize Version: v5.4.2
Server Version: v1.32.0-eks-5ca49cb

Ingress controller installed via helm

ingress-nginx ingress-nginx-controller 8 2025-02-21 08:16:38.578127717 +0000 UTC deployed ingress-nginx-4.12.0 1.12.0

Values.yaml file

controller:
  replicaCount: 2
  containerPort:
    http: 80
    https: 80
    tohttps: 2443
  config:
    http-snippet: |
      server {
        listen 2443;
        return 308 https://$host$request_uri;
      }
    proxy-real-ip-cidr: "0.0.0.0/0"
    use-forwarded-headers: "true"
  electionID: ingress-controller-leader
  ingressClassResource:
    name: ingress-nginx
    enabled: true
    default: true
    controllerValue: "k8s.io/ingress-nginx"
  service:
    internal:
      enabled: false
      ports:
        http: 80
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-name: "${cluster_name}-internal"
        service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    externalTrafficPolicy: Local
    annotations:
      alb.ingress.kubernetes.io/target-type: instance
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
      service.beta.kubernetes.io/aws-load-balancer-name: "nlb-public"
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "arn:aws:aws-"
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
    loadBalancerSourceRanges:
      - 0.0.0.0/0
    enableHttp: true
    enableHttps: true
    ports:
      https: 443
      http: 80
    targetPorts:
      http: tohttps
      https: http

[longwuyuan]

There is some very precise and very specific work to be done to resolve this issue.

The information is that the static manifest https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.12.0/deploy/static/provider/aws/nlb-with-tls-termination/deploy.yaml has some important differences, compared to specs of this controller's objects, when termination of SSL is on the controller.

Please use helm template and generate the manifests that you have deployed. Compare them to the static manifest I linked above. The differences are revolving around some port numbers and protocols.

/remove-kind bug
/kind support
/triage needs-information

[armanbaghajyan]

In case if someone will look the helm configuration example.
I was able to fix SSL redirection and do SSL termination on AWS NLB using this configuration

ingress-nginx version: 4.12.0
helm version: 1.12.0

controller:
  replicaCount: 2
  containerPort:
    http: 80
    https: 80
    tohttps: 2443
  config:
    http-snippet: |
      server {
        listen 2443;
        return 308 https://$host$request_uri;
      }
    proxy-real-ip-cidr: "XXX.XXX.XXX.XXX/XX" # VPC cidr block
    use-forwarded-headers: "true"
  electionID: ingress-controller-leader
  ingressClassResource:
    name: ingress-nginx
    enabled: true
    default: true
    controllerValue: "k8s.io/${ingress-class-name}"
  service:
    internal:
      enabled: false
      ports:
        http: 80
      annotations:
        service.beta.kubernetes.io/aws-load-balancer-name: "ingress-nginx-internal"
        service.beta.kubernetes.io/aws-load-balancer-scheme: "internal"
    annotations:
      alb.ingress.kubernetes.io/target-type: instance
      service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true"
      service.beta.kubernetes.io/aws-load-balancer-name: "ingress-nginx-public"
      service.beta.kubernetes.io/aws-load-balancer-ssl-cert: "certificate-arn"
      service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
      service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: "60"
      service.beta.kubernetes.io/aws-load-balancer-scheme: internet-facing
      service.beta.kubernetes.io/aws-load-balancer-type: nlb
    loadBalancerSourceRanges:
      - 0.0.0.0/0
    enableHttp: true
    enableHttps: true
    ports:
      https: 443
      http: 80
    targetPorts:
      https: http
      http: tohttps

[github-actions]

This is stale, but we won't close it automatically, just bare in mind the maintainers may be busy with other tasks and will reach your issue ASAP. If you have any question or request to prioritize this, please reach #ingress-nginx-dev on Kubernetes Slack.