NGINX reverse proxy to Ingress

A standard architecture for exposing Kubernetes services involves placing an external [[NGINX]] reverse proxy in front of the Ingress Controller^[400-devops-06-kubernetes-k8s-learning-linux-02-ingress-readme.md]. This setup allows a single entry point to route traffic for multiple subdomains to the appropriate backend services within the cluster^[400-devops-06-kubernetes-k8s-learning-linux-02-ingress-readme.md].

Configuration

To implement this, an NGINX configuration block is defined on the external proxy host (e.g., hdss7-12). This configuration specifies an upstream block pointing to the NodePorts of the Ingress Controller and a server block to handle the routing^[400-devops-06-kubernetes-k8s-learning-linux-02-ingress-readme.md].

Upstream Configuration

The upstream block defines the pool of backend servers, which in this case are the Kubernetes nodes hosting the Ingress Controller service^[400-devops-06-kubernetes-k8s-learning-linux-02-ingress-readme.md]. The configuration typically uses the Ingress Controller's NodePort (e.g., 30035) and includes the max_fails and fail_timeout parameters for health checks and failover^[400-devops-06-kubernetes-k8s-learning-linux-02-ingress-readme.md].

upstream default_backend_nginx {
    server 10.4.7.21:30035    max_fails=3 fail_timeout=10s;
    server 10.4.7.22:30035    max_fails=3 fail_timeout=10s;
}

Server Block

The server block listens for requests destined for the specific domain and proxies them to the defined upstream group^[400-devops-06-kubernetes-k8s-learning-linux-02-ingress-readme.md].

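server {
    # Match every subdomain covered by the wildcard DNS record.
    server_name *.od.com;

    location / {
        # Forward to the Ingress Controller NodePorts defined in the upstream block.
        proxy_pass http://default_backend_nginx;
        # Pass the requested hostname through so the Ingress Controller can route on it.
        proxy_set_header Host $http_host;
        # Append the connecting client's address to any X-Forwarded-For the client sent.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}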

The proxy_set_header directives are crucial: they pass the original Host header through unchanged and append the client's IP address to X-Forwarded-For, so that the Ingress Controller can route requests by hostname and log accurate client information^[400-devops-06-kubernetes-k8s-learning-linux-02-ingress-readme.md].
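Because `$proxy_add_x_forwarded_for` appends to whatever X-Forwarded-For value the client sent, only the entry written by the proxy itself is reliable. The following Python sketch is an added example, not part of the original configuration: it models how the header is built and how a backend can recover the client address by walking the chain from the right. The trusted network 10.4.7.0/24, the proxy address 10.4.7.12 and the client addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: the external proxy shares 10.4.7.0/24 with the upstream nodes.
TRUSTED_PROXIES = [ipaddress.ip_network("10.4.7.0/24")]


def proxy_add_x_forwarded_for(client_header, remote_addr):
    """Model nginx's $proxy_add_x_forwarded_for: the client-supplied
    X-Forwarded-For with $remote_addr appended, or $remote_addr alone."""
    return f"{client_header}, {remote_addr}" if client_header else remote_addr


def leftmost(xff):
    """Naive parse: trusts a value the client fully controls."""
    return xff.split(",")[0].strip()


def client_ip(xff, peer_addr):
    """Walk the hop chain right to left, starting at the TCP peer, and return
    the first address that is not a trusted proxy. Everything to the left of
    that address was supplied by the client and is ignored."""
    hops = [h.strip() for h in (xff or "").split(",") if h.strip()]
    hops.append(peer_addr)
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse to guess
        if not any(addr in net for net in TRUSTED_PROXIES):
            return str(addr)
    return None  # every hop was a trusted proxy


if __name__ == "__main__":
    # Constructed sample: a client at 203.0.113.7 sends its own header value,
    # and the proxy (assumed address 10.4.7.12) forwards the request.
    header = proxy_add_x_forwarded_for("127.0.0.1", "203.0.113.7")
    print("forwarded header:", header)
    print("leftmost entry:  ", leftmost(header))
    print("trusted-hop walk:", client_ip(header, "10.4.7.12"))
```

When the external proxy is the only hop in front of the cluster, setting the header from `$remote_addr` instead of `$proxy_add_x_forwarded_for` discards client-supplied entries at the edge.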

DNS Resolution

For the routing to function, a wildcard DNS record (e.g., *.od.com) must be configured to resolve to the IP address of the external NGINX reverse proxy^[400-devops-06-kubernetes-k8s-learning-linux-02-ingress-readme.md]. This allows any subdomain matching the pattern to be routed through the proxy to the cluster^[400-devops-06-kubernetes-k8s-learning-linux-02-ingress-readme.md].

Sources

  • 400-devops-06-kubernetes-k8s-learning-linux-02-ingress-readme.md