.

2026-03-12 15:56:44 +00:00
parent 1deac037da
commit b32393c9de
2 changed files with 20 additions and 9 deletions
--- a/ingress-external-devices/coreswitch.yaml
+++ b/ingress-external-devices/coreswitch.yaml
@@ -30,7 +30,17 @@ metadata:
    kubernetes.io/ingress.class: nginx
    cert-manager.io/cluster-issuer: letsencrypt
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
-    nginx.ingress.kubernetes.io/ssl-redirect: "false"
+
+    # keep browser on HTTPS
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header Host $host;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header X-Forwarded-Proto https;
+      proxy_set_header X-Forwarded-Port 443;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 spec:
  tls:
  - hosts: [coreswitch.apps.undercloud.dev]
--- a/ingress-external-devices/firewall.yaml
+++ b/ingress-external-devices/firewall.yaml
@@ -35,17 +35,18 @@ metadata:
    nginx.ingress.kubernetes.io/proxy-ssl-name: "firewall.undercloud.local"
    nginx.ingress.kubernetes.io/proxy-ssl-verify: "false"

-    # rewrite absolute redirects and cookies from Sophos
    nginx.ingress.kubernetes.io/proxy-redirect-from: "https://firewall.undercloud.local:4444/"
    nginx.ingress.kubernetes.io/proxy-redirect-to: "https://firewall-admin.apps.undercloud.dev/"
    nginx.ingress.kubernetes.io/proxy-cookie-domain: "firewall.undercloud.local firewall-admin.apps.undercloud.dev"
+    nginx.ingress.kubernetes.io/proxy-cookie-path: "/ /"

-    # long polls/websockets tolerance
-    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
-    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
-
-    # optional: lock down by source IP(s)
-    # nginx.ingress.kubernetes.io/whitelist-source-range: "<your-IP>/32"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      proxy_set_header Host firewall.undercloud.local;
+      proxy_set_header X-Forwarded-Host $host;
+      proxy_set_header X-Forwarded-Proto https;
+      proxy_set_header X-Forwarded-Port 443;
+      proxy_set_header X-Real-IP $remote_addr;
+      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 spec:
  tls:
  - hosts: [firewall-admin.apps.undercloud.dev]