Why Are HTTP Requests Redirected to HTTPS When HSTS Is Enabled by Default in an Nginx Ingress?

Symptom

HTTP-to-HTTPS redirection is not enabled in the Nginx ingress configuration, as nginx.ingress.kubernetes.io/ssl-redirect is set to false. However, once HTTPS is accessed, requests to HTTP are automatically redirected to HTTPS.

Possible Cause

By default, the HTTP Strict Transport Security (HSTS) configuration is enabled for the NGINX Ingress Controller. When a client accesses a server with HSTS enabled for the first time, the server responds with a header containing the HSTS configuration. The following shows an example:

Strict-Transport-Security: max-age=31536000; includeSubDomains

In this scenario, the browser stores the HSTS header and remembers that the domain can only be accessed via HTTPS for the duration specified by max-age. If the client attempts to access the same domain over HTTP next time, the browser automatically redirects the request to HTTPS.

Solution

To prevent a client's automatic redirection from HTTP to HTTPS, disable HSTS in the configuration of the NGINX Ingress Controller add-on. For details about HSTS, see hsts.

1. Log in to the CCE console and click the cluster name to access the cluster console. In the navigation pane, choose Add-ons, locate NGINX Ingress Controller on the right, and click Manage.
2. Locate the row containing the controller instance corresponding to the ingress and click Edit.
3. In the Nginx Parameters area, select YAML and set hsts to false.

   

4. Click OK and wait until the add-on update is complete.
   

   HSTS is cached on the client by default. After disabling HSTS in the NGINX Ingress Controller add-on, it is necessary to clear the client's HSTS cache.