nginx-gateway-fabric
iOS redirect returns 421 with wildcard certificate
Describe the bug

There are two services, foo.example.com and bar.example.com, under the wildcard certificate *.example.com, and a Gateway with TLS termination:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: gateway
spec:
  gatewayClassName: nginx
  listeners:
  - name: http
    port: 80
    protocol: HTTP
    hostname: "*.example.com"
    allowedRoutes:
      namespaces:
        from: All
  - name: https
    port: 443
    protocol: HTTPS
    hostname: "*.example.com"
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: {{ .Values.tlsTerminationSecret }}
```
For each service, two HTTPRoute manifests are created: the first for the redirect to https and the second for the http connection to the service:

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: https
spec:
  parentRefs:
  - name: gateway
    sectionName: https
  hostnames:
  - foo.example.com
  rules:
  - backendRefs:
    - name: foo
      port: 80
```

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: http
spec:
  parentRefs:
  - name: gateway
    sectionName: http
  hostnames:
  - foo.example.com
  rules:
  - filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        port: 443
```
NGINX Gateway Fabric automatically adds this configuration block to the server block:

```nginx
if ($ssl_server_name != $host) {
    return 421;
}
```
During a redirect from foo.example.com to bar.example.com, the iOS browser tries to reuse the TLS connection with `$host = bar.example.com` but `$server_name = foo.example.com`, and it returns 421 Mismatch Redirect.
To Reproduce

Steps to reproduce the behavior:

- Create the Gateway resource as shown above
- Create the HTTPRoutes as shown above
Expected behavior

NGINX Gateway Fabric allows disabling the block `if ($ssl_server_name != $host) { return 421; }`.
Your environment

- Version of the NGINX Gateway Fabric: 1.5.1
- Version of Kubernetes: 1.30.10
- Kubernetes platform: Bare Metal
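The condition described in this issue (one TLS connection whose SNI names foo.example.com carrying a request whose Host header names bar.example.com) can be reproduced deliberately, which lets an operator confirm whether their gateway enforces the `$ssl_server_name != $host` guard and answers 421. The probe below is an added example and not part of the issue or of NGINX Gateway Fabric; the gateway address is passed on the command line, and certificate verification is switched off on the assumption that the wildcard certificate comes from a private CA.

```python
import socket
import ssl
import sys

# Constructed for this example: the SNI sent in the TLS handshake and the
# Host header sent on the same connection, mirroring the iOS connection
# reuse described in the issue.
SNI_HOST = "foo.example.com"
HTTP_HOST = "bar.example.com"


def build_request(host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 request whose Host header may differ from the SNI."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n\r\n"
    ).encode("ascii")


def parse_status(response: bytes) -> int:
    """Return the HTTP status code from the status line of a raw response."""
    status_line = response.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ")
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/"):
        raise ValueError(f"not an HTTP status line: {status_line!r}")
    return int(parts[1])


def probe(address: str, port: int = 443, sni: str = SNI_HOST,
          host: str = HTTP_HOST) -> int:
    """Open one TLS connection with `sni` and request `host` over it.

    A gateway enforcing the `$ssl_server_name != $host` guard answers 421;
    one with the guard disabled routes the request to the `host` vhost.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False      # lab probe: assumed private-CA wildcard cert
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((address, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(build_request(host))
            chunks = []
            while data := tls.recv(4096):   # server closes after the response
                chunks.append(data)
    return parse_status(b"".join(chunks))


if __name__ == "__main__":
    # Usage: python probe_421.py <gateway address>
    print(probe(sys.argv[1]))
```

A 421 result means the guard is active and the request was rejected; a 200 means the connection was reused across hostnames without the check.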