Configure SSL passthrough using Kubernetes Ingress¶
SSL passthrough feature allows you to pass incoming security sockets layer (SSL) requests directly to a server for decryption rather than decrypting the request using a load balancer. SSL passthrough is widely used for web application security and it uses the TCP mode to pass encrypted data to servers.
The proxy SSL passthrough configuration does not require the installation of an SSL certificate on the load balancer. SSL certificates are installed on the back end server as they handle the SSL connection instead of the load balancer.
The following diagram explains the SSL passthrough feature.
As shown in this diagram, SSL traffic is not terminated at the Citrix ADC and SSL traffic is passed through the Citrix ADC to the back end server. SSL certificate at the back end server is used for the SSL handshake.
The Citrix ingress controller provides the following Ingress annotation that you can use to enable SSL passthrough on the Ingress Citrix ADC:
The default value of the annotation is
SSL passthrough is enabled for all services or host names provided in the Ingress definition. SSL passthrough uses host name (wildcard host name is also supported) and ignores paths given in Ingress.
Note: The Citrix ingress controller does not support SSL passthrough for non-hostname based Ingress. Also, SSL passthrough is not valid for default back end Ingress.
To configure SSL passthrough on the Ingress Citrix ADC, you must define the
ingress.citrix.com/ssl-passthrough: as shown in the following sample Ingress definition. You must also enable TLS for the host as shown in the example.
apiVersion: networking.k8s.io/v1beta1 kind: Ingress metadata: name: hotdrinks-ingress annotations: ingress.citrix.com/frontend-ip: "10.106.143.160" # IP address of the Ingress Citrix ADC. kubernetes.io/ingress.class: "citrix" ingress.citrix.com/ssl-passthrough: "True" # Enable SSL passthrough on the Ingress Citrix ADC ingress.citrix.com/insecure-termination: "redirect" ingress.citrix.com/secure-backend: "True" spec: tls: # Enable TLS - secretName: beverages rules: - host: hotdrinks.beverages.com http: paths: - path: / # If the path is specified, it is ignored backend: serviceName: frontend-hotdrinks servicePort: 443