Describe the bug
I can't use HTTP and HTTPS listeners together without "redirect_cleartext_from".
To Reproduce
Add the below annotation in the ambassador service:
apiVersion: ambassador/v0
kind: Module
name: tls
config:
  server:
    enabled: True
Expected behavior
I want to create HTTP-only services and HTTPS-only services, but I can't. When I enable the TLS module, the HTTP port in the pods is closed. So, to have both listeners open, I need to use "redirect_cleartext_from", so all HTTP requests are redirected to HTTPS.
Versions (please complete the following information):
This is something we would like to support. Currently, as a work-around, you can run two deployments of ambassador. One for http and another for https traffic.
Ok, thanks!
+1 We have some legacy apps that still support non-TLS routes. It would be a pain in the ** to set up the two different ambassador deployments. What I really want to do is simply add a path in the mapping file and set up the ports in the service definition - I don't think that is currently possible? Override on a per-mapping basis would be a bonus if we wanted to "turn off" defaults.
+1 I have a similar requirement where for external traffic I would want to use https along with http redirected to https (redirect_cleartext_from)
and for internal traffic I would want to use only http.
Even when I have 2 ambassador deployments it is not solving it for me, as when I put the tls module (for using redirect_cleartext_from) it becomes applicable for all ambassador deployments and my internal traffic stops working. Please support the tls module per ambassador deployment/service.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
We have the same problem: we prefer Ambassador to be able to work with http and https, while Envoy allows it.
Community contributions for this are appreciated!
Could you please give some priority to this?
Today I ran into a problem with cert manager listeners because of this. Any updates on the issue?
cert-manager is not able to connect to http:// if tls is enabled in ambassador. Apparently disabling tls temporarily via the module configuration doesn't seem to work as long as there is some tlscontext.
Working with 2 ambassador instances (one on 80 which has the acme mapping, and the other one on https which has the app mapping) doesn't help much.
You would need some port-forward reflection on your router to be able to use the external ip from inside the cluster.
How do you redirect to https if the path is not the letsencrypt challenge?
Using cert-manager HTTP01 with ambassador is everything but straightforward.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Bad bot. Don't close.
@eburghar you are right, it is a pain; however, this information may help:
Reading from https://letsencrypt.org/docs/challenge-types/
Our implementation of the HTTP-01 challenge follows redirects, up to 10 redirects deep. It only accepts redirects to “http:” or “https:”, and only to ports 80 or 443. It does not accept redirects to IP addresses. When redirected to an HTTPS URL, it does not validate certificates (since this challenge is intended to bootstrap valid certificates, it may encounter self-signed or expired certificates along the way).
Meaning, the HTTP-01 challenge should work with HTTPS-only ambassador. I have not tried it though.
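The redirect rules quoted above from the Let's Encrypt documentation can be checked against a planned redirect chain before relying on redirect_cleartext_from for HTTP-01. This is an added example, not part of the thread and not Let's Encrypt's or Ambassador's code; the function names and sample URLs are constructed, and it encodes only the rules quoted above.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_REDIRECTS = 10                      # "up to 10 redirects deep"
ALLOWED_PORTS = {80, 443}               # "only to ports 80 or 443"
DEFAULT_PORT = {"http": 80, "https": 443}


def check_redirect_target(url):
    """Return None if the quoted rules allow a redirect to url, else the reason."""
    try:
        parts = urlsplit(url)
        explicit_port = parts.port      # raises ValueError on a malformed port
    except ValueError:
        return "URL or port is malformed"
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORT:
        return f"scheme {scheme!r} is not http or https"
    port = explicit_port if explicit_port is not None else DEFAULT_PORT[scheme]
    if port not in ALLOWED_PORTS:
        return f"port {port} is not 80 or 443"
    host = parts.hostname or ""
    if not host:
        return "no host in URL"
    try:
        ipaddress.ip_address(host)      # parses only IPv4/IPv6 literals
    except ValueError:
        return None                     # a DNS name: allowed
    return f"host {host!r} is an IP address"


def check_chain(redirects):
    """redirects: Location values in order, after the initial port-80 request."""
    if len(redirects) > MAX_REDIRECTS:
        return False, f"{len(redirects)} redirects exceeds {MAX_REDIRECTS}"
    for hop, url in enumerate(redirects, start=1):
        reason = check_redirect_target(url)
        if reason:
            return False, f"hop {hop}: {reason}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed samples: TOKEN and the hosts are placeholders.
    path = "/.well-known/acme-challenge/TOKEN"
    for chain in (["https://aaa.example.com" + path],
                  ["https://aaa.example.com:8443" + path],
                  ["https://203.0.113.10" + path]):
        print(chain, "->", check_chain(chain))
```

A cleartext redirect to an HTTPS listener on a non-standard port, or to a load balancer's IP address, fails these checks even though a browser would follow it.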
This is something we would like to support. Currently, as a work-around, you can run two deployments of ambassador. One for http and another for https traffic.
Hi @nbkrause , do you have an update on this?
Thank you
Hello,
In issue https://github.com/datawire/ambassador/issues/1335, the proposed solution
is to "create two instances of Ambassador (one for HTTP, one for HTTPS)".
But (I think) this is not enough, because redirection is applied in all cases! :-(
Suppose these requirements:
Serve my application A on https://aaa.mycompany.com:443.
http://aaa.mycompany.com:80 must not be redirected to https.
Serve my application B on https://bbb.mycompany.com:443.
http://bbb.mycompany.com:80 must be redirected to https.
Serve my application C on http://ccc.mycompany.com:80
I haven't certificates for this domain.
Envoy allows this configuration.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.
Bad bot. Don't close.
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.