
Enable TLSv1 TLSv1.1 for specific Ingress with Nginx Ingress

Submitted by: @import:stackexchange-devops

Problem

I am trying to enable TLSv1 and TLSv1.1 for one specific ingress on an AKS cluster.

By default, only TLSv1.2 is enabled.

I don't want to apply this configuration to my whole cluster, just to a specific webserver service.

According to the documentation, I need to add this annotation if I don't want to change the nginx config via the ConfigMap:

nginx.ingress.kubernetes.io/proxy-ssl-protocols: TLSv1 TLSv1.1 TLSv1.2

but this has no effect.

Is it really possible to do this by annotation?

Did I do something wrong?

Thank you!

Solution

The ConfigMap and Annotation configuration have different purposes.

As per nginx-configuration/configmap/#ssl-protocols:

Sets the SSL protocols to use. The default is: TLSv1.2 TLSv1.3

ngx_http_ssl_module.html#ssl_protocols

Context: http, server

i.e., it enables the specified protocols on your Nginx controller.

client --ssl-protocols-> controller --> backend

On nginx-configuration/annotations/#backend-certificate-authentication, we can read:

Enables the specified protocols for requests to a proxied HTTPS server.

ngx_http_proxy_module.html#proxy_ssl_protocols
Context: http, server, location

i.e., enables the specified protocols for requests to a proxied backend using HTTPS.

client --> controller --proxy-ssl-protocols-> backend

As you can see, to set the protocols served by your Nginx controller, you only have the http and server contexts available (i.e., you can't set this on specific ingress objects).

Context

StackExchange DevOps Q#13703, answer score: 2
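
An added example, not part of the original question or answer: a small audit over the JSON from kubectl get ingress,configmap -A -o json that reports which TLS leg each protocol setting governs, its scope, and any legacy versions it enables. The sample list and object names are constructed, and the code assumes that any ConfigMap carrying an ssl-protocols key is the ingress-nginx controller's ConfigMap.

```python
import json

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Real ingress-nginx names, as quoted on this page.
ANNOTATION = "nginx.ingress.kubernetes.io/proxy-ssl-protocols"  # per-Ingress
CONFIGMAP_KEY = "ssl-protocols"                                  # controller-wide


def audit(kube_list):
    """Report each TLS protocol setting in a `kubectl get ... -o json` List."""
    findings = []
    for item in kube_list.get("items", []):
        kind, meta = item.get("kind"), item.get("metadata", {})
        if kind == "ConfigMap":
            # Assumption: a ConfigMap with this key is the controller's ConfigMap.
            value = (item.get("data") or {}).get(CONFIGMAP_KEY)
            leg, scope = "client->controller", "all Ingresses on the controller"
        elif kind == "Ingress":
            value = (meta.get("annotations") or {}).get(ANNOTATION)
            leg, scope = "controller->backend", "this Ingress only"
        else:
            continue
        if value is None:
            continue
        findings.append({
            "object": f'{kind}/{meta.get("namespace")}/{meta.get("name")}',
            "leg": leg,
            "scope": scope,
            "legacy": sorted(set(value.split()) & LEGACY),
        })
    return findings


# Constructed sample input (hypothetical object names).
SAMPLE = json.loads("""
{"kind": "List", "items": [
  {"kind": "ConfigMap",
   "metadata": {"namespace": "ingress-nginx", "name": "ingress-nginx-controller"},
   "data": {"ssl-protocols": "TLSv1.2 TLSv1.3"}},
  {"kind": "Ingress",
   "metadata": {"namespace": "web", "name": "legacy-web", "annotations":
     {"nginx.ingress.kubernetes.io/proxy-ssl-protocols": "TLSv1 TLSv1.1 TLSv1.2"}}},
  {"kind": "Ingress", "metadata": {"namespace": "web", "name": "other-web"}}
]}
""")

if __name__ == "__main__":
    for f in audit(SAMPLE):
        print(f'{f["object"]}: {f["leg"]} ({f["scope"]}), legacy={f["legacy"]}')
```

On the sample, the annotation from the question shows up as a controller->backend setting, while the client-facing protocols remain whatever the ConfigMap says.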
