-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[2.2.0-rc2] kubernetes/ingress: bare host failed match on HTTP #6501
Comments
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
Closed by #6504. |
@ldez I just got around to trying this out and the experience is still less than ideal :( now none of my ingresses have tls on them by default. |
@ldez ah, that helps. I'll do some more testing for a bit. As an FYI the cli params did not work per the example in the doc:
|
You have to click on the CLI tabs: https://docs.traefik.io/v2.2/migration/v2/#kubernetes-ingress
If you want to talk more, could you go to the forum, thank you. |
@ldez ah, thanks yet again! Overall this is looking much better (on rc4 atm)! I'll dig through several more scenarios and get even deeper into testing now that the basics are out of the way. |
Bug
What did you do?
Configure HTTP and HTTPS endpoints with middleware chain to redirect http to https.
What did you expect to see?
Redirect HTTP to HTTPS in all situations, including no or bare "/" path.
What did you see instead?
Without any path "" or maybe "/", the route "GET http://sub.domain" would fail to redirect to "https://sub.domain". It would just stop with a 404.
Output of
traefik version
: (What version of Traefik are you using?)What is your environment & configuration (arguments, toml, provider, platform, ...)?
Static configuration through environment for endpoints and Kubernets Ingress and Kubernetes CRD setup. Kubernetes configuration for dynamic configuration for routes.
Kubernetes Ingress and KubernetesCRD, configured outside of the cluster.
If applicable, please paste the log output in DEBUG level (
--log.level=DEBUG
switch)Nothing applicable in DEBUG level log.
I'm using the newly (re-)introduced Kubernetes Ingress (not IngressRoute) for my main configuration for various reasons. I'm also using a Middleware chain that is redirecting http to https and non-www to www sub-domains (plus header addition, etc). Appears to work well.
When testing certain bare HTTP sub-domains, I found traefik would return a 404 before it even encountered the middleware. Testing was complicated due to HSTS header. But for example I found:
GET http://qa.mydomain.com
-> 404 (middleware not encountered) whilehttp://qa.mydomain/anything
-> 200 using middleware. I was able to use the jaeger integration to determine if the middle was was encountered at all.I manually resolved this by creating Kubernetes IngressRoutes that bound directly on the HTTP endpoint only, used the same middleware, and only matched on the host, no Path or PathPrefix. This corrected the behavior to the desired behavior.
I suspect this has to do with how a Kubernetes Ingress object is internally represented + how HTTP (non-TLS) traffic paths are handled. Traefik creates to rules for Kubernetes Ingress objects: Host and PathPrefix. I suspect that internally the Request.URL.Path is either "/" or "" (empty) for this request either incoming or after processing. Then the created PathPrefix(
/
) rule doesn't match. This only appears to happen on HTTP, not HTTPS.The text was updated successfully, but these errors were encountered: