Securing Internal Pods with HTTPS via Ingress
When the backend pods themselves serve HTTPS, the Ingress must be configured to forward traffic over HTTPS as well; otherwise the NGINX controller sends plaintext HTTP to a TLS port. Below is an example configuration that sets up an NGINX Ingress to forward traffic to HTTPS backend services. Note that the backend-protocol annotation only governs the hop from NGINX to the pod; client-facing TLS is configured separately in the next section.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      namespace: my-namespace
      name: secure-web
      annotations:
        nginx.ingress.kubernetes.io/proxy-body-size: "200M"
        nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    spec:
      ingressClassName: nginx
      rules:
      - host: www.example.com
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: secure-web
                port:
                  number: 443
Enabling HTTPS on Ingress
To expose your service securely using HTTPS, you need to create a TLS secret and reference it in your Ingress resource.
Create a TLS Secret
Use the following command to create a Kubernetes secret from your certificate and private key:

    kubectl create secret tls example-tls-secret --cert=example.crt --key=example.key
Ingress with TLS Configuration
The following Ingress configuration enables TLS termination using the previously created secret:

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      namespace: my-namespace
      name: secure-web
      annotations:
        nginx.ingress.kubernetes.io/proxy-body-size: "200M"
        nginx.ingress.kubernetes.io/backend-protocol: HTTPS
    spec:
      ingressClassName: nginx
      tls:
      - hosts:
        - www.example.com
        secretName: example-tls-secret
      rules:
      - host: www.example.com
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: secure-web
                port:
                  number: 443
Configuring WebSockets
WebSockets require specific NGINX tuning to maintain long-lived connections: raise the proxy timeouts so idle connections are not closed by the controller, and enable sticky sessions if the backend needs them.

    apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      namespace: my-namespace
      name: websocket-ingress
      annotations:
        nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
        nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
        nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
        nginx.ingress.kubernetes.io/upstream-hash-by: "$http_x_forwarded_for"
    spec:
      ingressClassName: nginx
      rules:
      - host: www.example.com
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: secure-web
                port:
                  number: 443
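The three manifests above differ in small ways that matter for where traffic is encrypted. The following lint, an added example that is not part of this page or of ingress-nginx, checks an Ingress (given as a Python dict in the same shape as the YAML) for a missing client-facing tls block, a tls entry without a secretName, rule hosts not covered by tls.hosts, a backend port that does not match the backend-protocol annotation, and session affinity keyed on the client-settable X-Forwarded-For header. The ingress() helper and the sample manifests are constructed to mirror this page's examples.

```python
from typing import Any

ANN = "nginx.ingress.kubernetes.io/"


def lint_ingress(manifest: dict[str, Any]) -> list[str]:
    """Return TLS-related findings for one Ingress manifest (empty list = clean)."""
    meta = manifest.get("metadata", {})
    name = meta.get("name", "<unnamed>")
    ann = meta.get("annotations") or {}
    spec = manifest.get("spec", {})
    backend_https = ann.get(ANN + "backend-protocol", "HTTP").upper() == "HTTPS"
    tls = spec.get("tls") or []
    tls_hosts = {h for entry in tls for h in entry.get("hosts", [])}
    out: list[str] = []
    for entry in tls:
        if not entry.get("secretName"):  # controller falls back to its default certificate
            out.append(f"{name}: tls entry has no secretName; the controller would serve its default certificate")
    for rule in spec.get("rules", []):
        host = rule.get("host", "*")
        if not tls:
            out.append(f"{name}: no tls block, so {host} is served to clients over plaintext HTTP")
        elif host not in tls_hosts:
            out.append(f"{name}: {host} is not listed in any tls.hosts entry")
        for path in rule.get("http", {}).get("paths", []):
            port = path["backend"]["service"]["port"].get("number")
            if port == 443 and not backend_https:  # heuristic: 443 is conventionally TLS
                out.append(f"{name}: {path['path']} targets port 443 without backend-protocol HTTPS")
            if port == 80 and backend_https:
                out.append(f"{name}: {path['path']} targets port 80 with backend-protocol HTTPS")
    if ann.get(ANN + "upstream-hash-by") == "$http_x_forwarded_for":
        out.append(f"{name}: sticky sessions keyed on X-Forwarded-For, which clients can set unless an edge proxy overwrites it")
    return out


def ingress(name: str, annotations: dict[str, str], tls=None, port: int = 443) -> dict[str, Any]:
    """Constructed helper: build a manifest in the shape used on this page."""
    backend = {"service": {"name": "secure-web", "port": {"number": port}}}
    paths = [{"path": "/", "pathType": "Prefix", "backend": backend}]
    spec: dict[str, Any] = {"ingressClassName": "nginx",
                            "rules": [{"host": "www.example.com", "http": {"paths": paths}}]}
    if tls:
        spec["tls"] = tls
    return {"apiVersion": "networking.k8s.io/v1", "kind": "Ingress",
            "metadata": {"namespace": "my-namespace", "name": name, "annotations": annotations},
            "spec": spec}


BACKEND_ONLY = ingress("secure-web", {ANN + "backend-protocol": "HTTPS"})  # first manifest: no tls block
FULL_TLS = ingress("secure-web", {ANN + "backend-protocol": "HTTPS"},
                   tls=[{"hosts": ["www.example.com"], "secretName": "example-tls-secret"}])
WEBSOCKET = ingress("websocket-ingress", {ANN + "proxy-read-timeout": "3600",
                                          ANN + "upstream-hash-by": "$http_x_forwarded_for"})

if __name__ == "__main__":
    for m in (BACKEND_ONLY, FULL_TLS, WEBSOCKET):
        print(m["metadata"]["name"], lint_ingress(m) or ["ok"])
```

Only the second manifest passes clean; the first exposes the host to clients in plaintext, and the WebSocket one additionally lacks the backend-protocol annotation despite targeting port 443.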