Redirecting all ingress http traffic to https #1377

Closed
kyessenov opened this issue Nov 3, 2017 · 7 comments

@kyessenov
Contributor

@charlesverdad commented on Mon Oct 16 2017

I am looking for a way to redirect all site visitors to the https version of my site. Something like an HTTP 301 or 302 redirect. I was told that Envoy has built-in support for this and we just need a way to configure that with Istio.

Here's my current ingress resource for reference:

```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: internals-secure-ingress
  annotations:
    kubernetes.io/ingress.class: istio
spec:
  tls:
    - secretName: istio-ingress-certs
  rules:
  - host: mysite.com
    http:
      paths:
      - path: /.*
        backend:
          serviceName: myservice
          servicePort: 80
```

Related:
https://groups.google.com/forum/#!topic/istio-users/8SIWVX6ZSK4

@adnankobir

adnankobir commented Nov 5, 2017

@kyessenov

I am also looking for a solution to this. I'm stripping SSL at the ELB and forwarding http to Envoy - AWS ELBs always add an "x-forwarded-proto" header. In my previous setup using the nginx ingress controller, it was simple enough to redirect to https based on this header like so:

    listen   80;

    #redirect to https
    if ($http_x_forwarded_proto != "https") {
      return  301 https://$host$request_uri;
    }

It appears that headers are stripped before it gets to nginx, so the only option is to try the redirect at istio-ingress. I've tried applying ingress and rules like so:


```yaml
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: simple-ingress
  namespace: sandbox
  annotations:
    kubernetes.io/ingress.class: istio
spec:
  rules:
  - host: test.[redacted].com
    http:
      paths:
      - path: /.*
        backend:
          serviceName: test
          servicePort: 80
---
apiVersion: config.istio.io/v1alpha2
kind: RouteRule
metadata:
  name: redirect-to-https
  namespace: sandbox
spec:
  destination:
    name: test
  match:
    # Limit this rule to istio ingress pods only
    source:
      name: istio-ingress
      labels:
        istio: ingress
    request:
      headers:
        x-forwarded-proto:
          exact: "http"
  redirect:
    uri: "https://test.[redacted].com"
```

I also tried various variations of this with no luck. How can we implement this? We need the ability to redirect with the captured URI (`https://$host$request_uri;` for example).

@kyessenov
Contributor Author

cc @rshriram for a use case of route rule instead of ingress rule

vbatts pushed a commit to vbatts/istio that referenced this issue Nov 8, 2017
Automatic merge from submit-queue

add locking to pod cache

**What this PR does / why we need it**:
PodCache has no mutex protecting its internal state. Add RWMutex to fix this.

**Which issue this PR fixes** *(optional, in `fixes #<issue number>(, fixes #<issue_number>, ...)` format, will close that issue when PR gets merged)*: fixes istio#1377 

**Special notes for your reviewer**:

**Release note**:

```release-note
Fix race in Pilot PodCache
```
@ldemailly
Contributor

ldemailly commented Jan 12, 2018

With an ingress set as follows:
https://github.com/istio/admin-sites/pull/32/files#diff-fc47a9580959f741b273792bda3dde36
I get 404 NR on the non https traffic with Host: header (and what I expect if I use the IP only)
I think it's because the https one listens on 80 instead of just 443:

```
$ kubectl get ingress
NAME                  HOSTS                              ADDRESS          PORTS     AGE
istio-ingress-http    *                                  35.197.102.163   80        2h
istio-ingress-https   fortio.istio.io,istio.fortio.org   35.197.102.163   80, 443   2h
```

Is there a way for a TLS ingress spec to not bind on 80? Or if it binds on 80, how do I send traffic somewhere?

(this is with istio 0.4.0)

@ldemailly
Contributor

I found workarounds for the above issues, as well as making redirect work too, using
https://github.com/istio/fortio/pull/80/files#diff-61a4e729b116ffe8a0303004555c636cR635-R638
if anyone needs an implementation.

ldemailly added a commit to fortio/fortio that referenced this issue Jan 12, 2018
* Cloud transfer requires ETag

* Adding a redirector to https on port 8081

As a workaround for
istio/istio#1377
To be used in combo with ingress rules from
istio/fortio-deployment#32
@aneslozo
Copy link

aneslozo commented May 7, 2018

Any news on this one?

@frankbu
Contributor

frankbu commented Jun 11, 2018

This can now be easily done in Istio 0.8 by setting httpsRedirect in a Gateway. See example here: https://istio.io/docs/reference/config/istio.networking.v1alpha3/#Gateway

@frankbu frankbu closed this as completed Jun 11, 2018
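
The `httpsRedirect` setting mentioned in the comment above, as an added example that is not part of the original thread or taken from the Istio documentation: a Gateway whose port-80 server only answers with a 301 redirect to HTTPS, next to the port-443 server that terminates TLS. The resource name and the selector label are assumptions, the certificate paths are placeholders, and `mysite.com` is the host from the Ingress in the first comment.

```yaml
apiVersion: networking.istio.io/v1alpha3
kind: Gateway
metadata:
  name: mysite-gateway                      # hypothetical name
spec:
  selector:
    istio: ingressgateway                   # assumption: label carried by your ingress gateway pods
  servers:
  # Plain-HTTP listener: serves no content, every request gets a 301 to https://
  - port:
      number: 80
      name: http
      protocol: HTTP
    hosts:
    - mysite.com
    tls:
      httpsRedirect: true
  # TLS listener that actually serves the site
  - port:
      number: 443
      name: https
      protocol: HTTPS
    hosts:
    - mysite.com
    tls:
      mode: SIMPLE
      serverCertificate: /path/to/tls.crt   # placeholder, use the path mounted in your gateway
      privateKey: /path/to/tls.key          # placeholder
```

Traffic to the backend (`myservice` in the first comment) still needs a VirtualService bound to this Gateway.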
kyessenov pushed a commit to kyessenov/istio that referenced this issue Aug 13, 2018
Automatic merge from submit-queue.

Correct empty config proto type for authn filter
@vikas027

Thanks @frankbu for pointing me to the correct direction. That link is not working any more, here is a new one.
