http -> https default redirect not working by default about kubernetes-ingress HOT 12 OPEN

@ocdi yes, that is a solution, but.. the problem is that the sent out response use: https://xxx:443 and because of this the redirect location and the access log contains the :443 string. What I want to achieve that if a request goes to ingress to http://xxx the ingress send out the location with https and without port number like this: https://xxx

from kubernetes-ingress.

Hi @pasztorl , we'll discuss the need you expressed with the team.

from kubernetes-ingress.

Hi @pasztorl , We provide the ssl-redirect to redirect to ssl and ssl-redirect-port in case you need to redefine the port because of a different port like you explained. We redirect by default to the container port because it would be strange that with a direct access to haproxy from the cluster you would have to redefine the port because we would redirect to a non existing port. While if you have haproxy behind any middleware with a different port, it makes sense to adjust the redirection port in this case.

from kubernetes-ingress.

Hi @ivanmatmati , I understand it, and i think this option is important, but there is a way not to add :443 if the port is default https? I also forward the logs to a logdb and this case I have entries to example.com and example.com:443 from the redirects. Of course I can rewrite the log entry and delete the :443 but it would be better that the location sent out not contains the :443. There is a chance to configure that via haproxy?

from kubernetes-ingress.

This seems plain wrong to me. I shelled into the container and looked at the config, and I can see this line.

/etc/haproxy $ cat haproxy.cfg|grep 8443
  http-request redirect location https://%[hdr(host),field(1,:)]:8443%[capture.req.uri] code 302 if { var(txn.path_match) -m dom 92afcf7456e1a884dd198b1f8bfb6f63 }

I recently upgraded and are getting customer reports of this issue. This is standard web traffic, the redirect is going over the wire, outside the cluster. The controller has a load balancer service that is running on port 443, that internally goes to the 8443 port.

from kubernetes-ingress.

I was able to solve this by applying the port override to the helm chart.

name: controller.config.ssl-redirect-port
value: '443'

from kubernetes-ingress.

On top of that, having "sane" defaults like the https port to 443 instead of 8443 would make it easier for everyone IMHO

from kubernetes-ingress.

Hi @Frankkkkk , For security's sake, the ingress controller pod is rootless. The consequence is that the user attributed to the controller can't open ports below 1024. That's the reason for this port change.

from kubernetes-ingress.

from kubernetes-ingress.

from kubernetes-ingress.