SSL/TLS Examples
This page provides examples of SSL/TLS configuration.
Sources: examples/ssl-tls/.
Basic HTTPS configuration
version: v1
port: 8080
https:
  port: 8443
  ssl:
    - domain: example.com
      cert:
        certificate: /etc/ssl/example.com/fullchain.pem
        certificate_key: /etc/ssl/example.com/privkey.pem

Multiple domains
version: v1
port: 8080
https:
  port: 8443
  ssl:
    - domain: example.com
      cert:
        certificate: /etc/ssl/example.com/fullchain.pem
        certificate_key: /etc/ssl/example.com/privkey.pem
    - domain: api.example.com
      cert:
        certificate: /etc/ssl/api.example.com/fullchain.pem
        certificate_key: /etc/ssl/api.example.com/privkey.pem
    - domain: admin.example.com
      cert:
        certificate: /etc/ssl/admin.example.com/fullchain.pem
        certificate_key: /etc/ssl/admin.example.com/privkey.pem

Let's Encrypt certificates
version: v1
port: 8080
https:
  port: 8443
  ssl:
    - domain: example.com
      cert:
        certificate: /etc/letsencrypt/live/example.com/fullchain.pem
        certificate_key: /etc/letsencrypt/live/example.com/privkey.pem

HTTPS with backend services
version: v1
port: 8080
https:
  port: 8443
  ssl:
    - domain: example.com
      cert:
        certificate: /etc/ssl/example.com/fullchain.pem
        certificate_key: /etc/ssl/example.com/privkey.pem
rules:
  - host: example.com
    backend:
      service:
        name: backend-service
        port: 8080
        protocol: http

Global HTTP to HTTPS redirect
When https.port is set, Ingress can force cleartext HTTP clients to HTTPS before route matching. Configure https.redirect_from_http (not rules[].backend.redirect):
version: v1
port: 8080
https:
  port: 8443
  redirect_from_http:
    enabled: true
    permanent: true
  ssl:
    - domain: example.com
      cert:
        certificate: /etc/ssl/example.com/fullchain.pem
        certificate_key: /etc/ssl/example.com/privkey.pem
rules:
  - host: example.com
    backend:
      service:
        name: backend-service
        port: 8080
        protocol: http

Optional fields (comment in your own file as needed):
- with_origin_method_and_body: false → 301/302 family; true → 307/308
- exclude_paths: exact paths that skip the forced redirect

Route-level redirect (rules[].backend.redirect)
Use backend.redirect when a specific host or path should issue a redirect instead of proxying. Usually omit backend.type—Ingress infers redirect when only redirect is configured. Runnable comparison: examples/ssl-tls/route-redirect.yaml uses two hosts (type: redirect vs omission). Set backend.type: redirect explicitly only when validation reports ambiguity. See routing for how service, handler, and redirect blocks relate to each backend.
version: v1
port: 8080
rules:
  - host: old-explicit.example.com
    backend:
      type: redirect
      redirect:
        url: https://new.example.com
        duration: permanent
  - host: old-inferred.example.com
    backend:
      redirect:
        url: https://new.example.com
        duration: permanent

For regex capture templating in redirect.url, see Redirects.

Testing
HTTPS request
curl https://example.com:8443/api

Verify certificate
openssl s_client -connect example.com:8443 -servername example.com

Certificate reload
After updating certificates, reload the configuration:
kill -HUP $(cat /tmp/gozoox.ingress.pid)
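
A pre-reload check for the step above, as an added example that is not part of the Ingress project: using the openssl CLI, it confirms that the private key matches the leaf certificate, that the certificate covers the configured domain, and that it is not about to expire. The function name preflight, its return codes and the 7-day default window are assumptions chosen for illustration.

```shell
#!/bin/sh
# Added example (not project code): validate one https.ssl entry before reloading.
#
# preflight CERT KEY DOMAIN [MIN_SECONDS_LEFT]
# Returns 0 if the pair is safe to load, otherwise:
#   1 file unreadable or unparsable
#   2 private key does not match the leaf certificate
#   3 certificate does not cover DOMAIN
#   4 certificate expires within MIN_SECONDS_LEFT (default 7 days)
preflight() {
    cert=$1 key=$2 domain=$3 min_left=${4:-604800}

    [ -r "$cert" ] && [ -r "$key" ] \
        || { echo "unreadable: $cert or $key" >&2; return 1; }

    # The first certificate in fullchain.pem is the leaf. Its public key must
    # equal the public key derived from the private key.
    cert_pub=$(openssl x509 -in "$cert" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ] \
        || { echo "$key does not match $cert" >&2; return 2; }

    # The leaf must name the domain configured in ssl[].domain.
    openssl x509 -in "$cert" -noout -checkhost "$domain" 2>/dev/null \
        | grep -q "does match" \
        || { echo "$cert does not cover $domain" >&2; return 3; }

    # -checkend exits non-zero if the certificate expires within the window.
    openssl x509 -in "$cert" -noout -checkend "$min_left" >/dev/null 2>&1 \
        || { echo "$cert expires within ${min_left}s" >&2; return 4; }
}

# Usage with the paths from the basic configuration:
#   preflight /etc/ssl/example.com/fullchain.pem \
#             /etc/ssl/example.com/privkey.pem example.com \
#       && kill -HUP "$(cat /tmp/gozoox.ingress.pid)"
```

Run it once per entry under ssl so that a mismatched or expiring pair is caught before the reload signal is sent.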