http -> https default redirect not working by default #642

Closed
pasztorl opened this issue Apr 12, 2024 · 16 comments

@pasztorl

I'm using the latest kubernetes-ingress.
If an http request arrives at :80 for a valid ingress host, it redirects to the ingress host:8443.
The 8443 comes from the container port where kubernetes-ingress is listening. It should redirect to https://ingresshost without any :port.

In the docs I see that there is an ssl-redirect-port option. It works, but I got https://ingresshost:443 if I set this option to 443.
Is there a config option for the redirect without a port (since the default is 443 in browsers)?

@ivanmatmati
Collaborator

Hi @pasztorl , We provide the ssl-redirect to redirect to ssl and ssl-redirect-port in case you need to redefine the port because of a different port like you explained. We redirect by default to the container port because it would be strange that with a direct access to haproxy from the cluster you would have to redefine the port because we would redirect to a non existing port. While if you have haproxy behind any middleware with a different port, it makes sense to adjust the redirection port in this case.

@pasztorl
Author

Hi @ivanmatmati, I understand it, and I think this option is important, but is there a way not to add :443 if the port is the default https port? I also forward the logs to a logdb, and in this case I have entries for example.com and example.com:443 from the redirects. Of course I can rewrite the log entry and delete the :443, but it would be better if the location sent out did not contain the :443. Is there a chance to configure that via haproxy?

@ocdi
Contributor

ocdi commented Apr 24, 2024

This seems plain wrong to me. I shelled into the container and looked at the config, and I can see this line.

/etc/haproxy $ cat haproxy.cfg|grep 8443
  http-request redirect location https://%[hdr(host),field(1,:)]:8443%[capture.req.uri] code 302 if { var(txn.path_match) -m dom 92afcf7456e1a884dd198b1f8bfb6f63 }

I recently upgraded and am getting customer reports of this issue. This is standard web traffic, the redirect is going over the wire, outside the cluster. The controller has a load balancer service that is running on port 443, that internally goes to the 8443 port.

@ocdi
Contributor

ocdi commented Apr 24, 2024

I was able to solve this by applying the port override to the helm chart.

name: controller.config.ssl-redirect-port
value: '443'

@pasztorl
Author

pasztorl commented Apr 24, 2024

@ocdi yes, that is a solution, but the problem is that the response sent out uses https://xxx:443, and because of this the redirect location and the access log contain the :443 string. What I want to achieve is that if a request goes to the ingress at http://xxx, the ingress sends out the location with https and without a port number, like this: https://xxx

@ivanmatmati
Collaborator

Hi @pasztorl , we'll discuss the need you expressed with the team.

@Frankkkkk
Contributor

On top of that, having "sane" defaults like the https port to 443 instead of 8443 would make it easier for everyone IMHO

@ivanmatmati
Collaborator

Hi @Frankkkkk , For security's sake, the ingress controller pod is rootless. The consequence is that the user attributed to the controller can't open ports below 1024. That's the reason for this port change.

@Frankkkkk
Contributor

Frankkkkk commented May 22, 2024 via email

@Frankkkkk
Contributor

Frankkkkk commented May 22, 2024 via email


stale bot commented Jun 21, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale label Jun 21, 2024
@pasztorl
Author

Any news on this?

@mecampbellsoup

mecampbellsoup commented Aug 13, 2024

I agree, but the SVC forwards 443 to 8443, so you can redirect to Https/443 while keeping a rootless pod

On 22 May 2024 09:25:37 CEST, ivanmatmati wrote: Hi @Frankkkkk , For security's sake, the ingress controller pod is rootless. The consequence is that the user attributed to the controller can't open ports below 1024. That's the reason for this port change.

i.e. this approach, right?

  values:
    controller:
      config:
        ssl-redirect-port: "443"

@oekarlsson

Changing the value for ssl-redirect-port to 443 works, but I would have preferred a possible value of "none" to just redirect to https without any port.

@oekarlsson

We found another problem with this today. Since clients are redirected to https://xxx:443 they are redirected again to https://xxx by most web servers and applications (like WordPress) behind the ingress-controller. The problem was found when nginx cached a redirect from https://xxx:443 to https://xxx but without using the port in the cache key. This resulted in a redirect loop.

It should not be a big change to make it possible to set the ssl-redirect-port to something that makes the redirects go to https without any port. That option should be the default of course, but I can understand if it is too late to change the default value and create a "breaking" change. I do believe it is a much more sane default than today's 8443.

@oekarlsson

I found a workaround to make the ingress controller redirect to https without adding a port. I simply set ssl-redirect to false and added a frontend config snippet with the http to https redirect I found on haproxy.com. Now it works as I want it to. The redirect only changes the scheme. From my helm values file:

  controller:
    config:
      ssl-redirect: "false"
      frontend-config-snippet: |
        http-request redirect scheme https unless { ssl_fc }
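
An added example, not part of the thread or the project's own code: a Python check that models the Location built by the rule in the haproxy.cfg excerpt above and classifies the three redirect outcomes discussed in this issue. The function names, the host shop.example.com and the URI are assumptions made for illustration.

```python
from urllib.parse import urlsplit


def generated_location(host_header: str, uri: str, port: int) -> str:
    """Model the rule from the haproxy.cfg excerpt in this thread:
    https://%[hdr(host),field(1,:)]:<port>%[capture.req.uri]
    """
    host = host_header.split(":")[0]  # field(1,:) keeps text before the first ':'
    return f"https://{host}:{port}{uri}"


def classify_location(location: str) -> str:
    """Classify the port handling of a redirect Location header."""
    parts = urlsplit(location)
    if parts.scheme != "https":
        return "not-https"
    if parts.port is None:
        return "scheme-only"             # https://host/path, what the thread asks for
    if parts.port == 443:
        return "redundant-default-port"  # apps may redirect again to drop :443
    return "non-default-port"            # e.g. container port 8443 sent to clients


def audit(cases: dict) -> dict:
    """Map each case name to (location, verdict)."""
    return {name: (loc, classify_location(loc)) for name, loc in cases.items()}


# Constructed sample request; host and URI are placeholders.
HOST, URI = "shop.example.com:80", "/cart?id=7"
CASES = {
    "default (container port)": generated_location(HOST, URI, 8443),
    "ssl-redirect-port: 443": generated_location(HOST, URI, 443),
    # Constructed value: a scheme-only redirect as described for the snippet workaround.
    "frontend-config-snippet": "https://shop.example.com/cart?id=7",
}

if __name__ == "__main__":
    for name, (loc, verdict) in audit(CASES).items():
        print(f"{name:28} {loc:45} {verdict}")
```

Running the same classifier over the Location headers your ingress actually returns shows whether clients and access logs will see an explicit port.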
