SSL redirect not working for LB type NodePort #967

Closed
diptadas opened this issue Apr 4, 2018 · 3 comments

@diptadas
Contributor

commented Apr 4, 2018

apiVersion: voyager.appscode.com/v1beta1
kind: Ingress
metadata:
  name: auth-ingress
  namespace: default
  annotations:
    ingress.appscode.com/type: NodePort
    ingress.appscode.com/use-node-port: "true"
spec:
  tls:
  - secretName: tls-secret
    hosts:
    - voyager.appscode.ninja
  rules:
  - host: voyager.appscode.ninja
    http:
      nodePort: 32666
      paths:
      - path: /app
        backend:
          serviceName: test-server
          servicePort: 80

haproxy pod logs:

I0404 07:13:21.238068      13 reload.go:49] Checking haproxy config...
F0404 07:13:21.246582      13 haproxy.go:58] [haproxy-check failed, reason: [ALERT] 093/071321 (25) : parsing [/etc/haproxy/haproxy.cfg:36] : error detected in frontend 'http-0_0_0_0-80' while parsing redirect rule : error in condition: no such ACL : 'acl_voyager.appscode.ninja'.
[ALERT] 093/071321 (25) : parsing [/etc/haproxy/haproxy.cfg:38] : error detected in frontend 'http-0_0_0_0-80' while parsing redirect rule : error in condition: no such ACL : 'acl_voyager.appscode.ninja'.
[ALERT] 093/071321 (25) : Error(s) found in configuration file : /etc/haproxy/haproxy.cfg
[ALERT] 093/071321 (25) : Fatal errors found in configuration.
 exit status 1]

diptadas added the bug label Apr 4, 2018

diptadas self-assigned this Apr 4, 2018

@tamalsaha

Member

commented Apr 23, 2018

Wildcard scenarios:

spec:
  rules:
  - host:
    http:
      paths:
      - backend:
          serviceName: web
          servicePort: 80
--------------------------------------------
spec:
  tls:
  - hosts:
    - '*.g.kiteci.com'
    - sysapi.kiteci.com
    secretName: tls-kitecicom
  rules:
  - host: '*.g.kiteci.com'
    http:
      paths:
      - backend:
          serviceName: mysys-kong-proxy
          servicePort: 80
--------------------------------------------
spec:
  rules:
  - host: '*'
    http:
      paths:
      - backend:
          serviceName: web
          servicePort: 80
  tls:
  - hosts:
    - '*'
    secretName: tls-kitecicom
-----------------------------------------
spec:
  rules:
  - http:
      paths:
      - backend:
          serviceName: web2
          servicePort: 80
  - host: '*'
    http:
      paths:
      - backend:
          serviceName: web
          servicePort: 80
  tls:
  - hosts:
    - '*'
    secretName: tls-kitecicom
--------------------------------
spec:
  rules:
  - port: 80
    http:
      paths:
      - backend:
          serviceName: web2
          servicePort: 80
  - host: '*'
    port: 443
    http:
      paths:
      - path: /secure
        backend:
          serviceName: web
          servicePort: 80
  tls:
  - hosts:
    - '*'
    secretName: tls-kitecicom
@tamalsaha

Member

commented Apr 23, 2018

  • If host == * in ingress.yaml, then host becomes (empty) after parsing.
    - [ ] If SSLRedirect = false, RedirectToPort must be 0 (unset)
@tamalsaha

Member

commented Apr 23, 2018

spec:
  rules:
  - port: 80
    http:
      paths:
      - backend:
          serviceName: web2
          servicePort: 80
  - host: '*'
    port: 443
    http:
      paths:
      - path: /secure
        backend:
          serviceName: web
          servicePort: 80
  tls:
  - hosts:
    - '*'
    secretName: tls-kitecicom
-------------------------------------------------------------
	type hostBinder struct {
		Address string
		Port    int
	}
	type httpInfo struct {
		OffloadSSL bool
		Hosts      map[string][]*hpi.HTTPPath
	}
	httpServices := make(map[hostBinder]*httpInfo)

	httpServices[*:80] = info {
		Host[""]: []Path {
			"/": {web2},
			"/secure": {
				redirect: true,
			}
		}
	}
	httpServices[*:443] = info {
		Host[""]: []Path {
			"/secure": {web},
		}
	}
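
The model sketched in the last comment, as an added runnable example (not part of the thread and not Voyager's code): it builds the per-port table for the last spec and adds the port-80 redirect only for a host and path that are actually registered on 443. The names `hostPath`, `entry`, `rule`, `normHost` and `build` are hypothetical, and treating port 443 as the TLS port is an assumption.

```go
package main

import "fmt"

// Simplified stand-ins for the sketch's types; hostPath, entry and rule are
// hypothetical and replace Voyager's hpi.HTTPPath. Empty Backend = redirect only.
type hostBinder struct{ Address string; Port int }
type hostPath struct{ Host, Path string }
type entry struct{ Backend string; Redirect bool }
type rule struct{ Host, Path, Backend string; Port int }
type services map[hostBinder]map[hostPath]entry

// normHost maps the wildcard "*" to "", as described in the thread.
func normHost(h string) string {
	if h == "*" {
		return ""
	}
	return h
}

// build adds real backends, then one port-80 redirect per TLS path on 443.
func build(rules []rule, tlsHosts []string, sslRedirect bool) services {
	s, tls := services{}, map[string]bool{}
	for _, h := range tlsHosts {
		tls[normHost(h)] = true
	}
	put := func(port int, r rule, e entry) {
		b, k := hostBinder{"*", port}, hostPath{normHost(r.Host), r.Path}
		if s[b] == nil {
			s[b] = map[hostPath]entry{}
		}
		if _, ok := s[b][k]; !ok { // never overwrite a real backend
			s[b][k] = e
		}
	}
	for _, r := range rules {
		put(r.Port, r, entry{Backend: r.Backend})
	}
	for _, r := range rules {
		if sslRedirect && r.Port == 443 && tls[normHost(r.Host)] {
			put(80, r, entry{Redirect: true})
		}
	}
	return s
}

// main prints the table for input constructed from the last spec in the thread.
func main() {
	fmt.Println(build([]rule{{"", "/", "web2", 80}, {"*", "/secure", "web", 443}}, []string{"*"}, true))
}
```

With `sslRedirect` set to false no port-80 entry is created for `/secure`, which matches the checklist item that the redirect port must stay unset in that case.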