Aws-load-balancer-controller: Only HTTPS active despite we've set them both in the alb.../port annotation
My understanding is that if my Ingress has the following configuration, only HTTPS will be served. Is that correct?
alb.ingress.kubernetes.io/port: '[{"HTTP": 80,"HTTPS": 443}]'
alb.ingress.kubernetes.io/certificate-arn: arn:..:
alb.ingress.kubernetes.io/scheme: internet-facing
At least that's what I get in my configuration based in the 0.8 tag. If that's the case, how would you redirect HTTP connections to HTTPS?
gregoryguillou
All 11 comments
I am also interested in how to redirect http to https
jwickens
on 6 Sep 2017
As a workaroud, I've resolved this on my cluster by manually editing the ALB in the amazon cluster to listen on port 80 for http. In order to redirect to https I've configured the pod behind the nodeport to use the X-FORWARDED_PROTO header set by AWS to do this redirect. In nginx the config looks like this
server {
if ($http_x_forwarded_proto != "https") {
rewrite ^(.*)$ https://$server_name$1 permanent;
}
...rest of config
}
Hi @gregoryguillou @jwickens
I tried to do some digging around redirect with ALB and couldn't come up with anything.
The closest I found was https://forums.aws.amazon.com/thread.jspa?threadID=247546
Which the only suggestion is to do what @jwickens suggested....handle the redirect at another level (e.g. nginx pod receiving port 80 ingress).
If you find anything otherwise please re-open this ticket and let's see if we can get it implemented.
joshrosso
on 14 Sep 2017
The point was actually NOT the redirect (the redirect was my need, but I would have coded it in the API). My point was that when you create an ALB with alb-ingress-controller and specify 2 protocols, only ONE is served. I would suggest a small and backward compatible enhancement, like an annotation so say what protocol would want to serve. By default, that could be:
- "default" protocol, i.e. HTTP is there is no reference to ACM and HTTPS if there is
- "both" or "HTTP+HTTPS" could mean that it would create both the HTTP AND the HTTPS listeners
- You could also reference a certificate for a later use but still use HTTP only
gregoryguillou
on 16 Sep 2017
@gregoryguillou If I'm understanding correctly, I'd actually expect both HTTP and HTTPS to be served based on your annotation described in your first post.
With:
alb.ingress.kubernetes.io/port: '[{"HTTP": 80,"HTTPS": 443}]'
alb.ingress.kubernetes.io/certificate-arn: arn:..:
alb.ingress.kubernetes.io/scheme: internet-facing
I'd expect you to have a listener on 80 using no cert/HTTPS and a listener on 443 that uses your specified cert/HTTPS.
Any chance you could try with image version 871e344f and see if the experience is the same?
0.8 is quite old, and until we get a versioning scheme down, we'll be working off commits.
I've also go this on my backlog to test today.
joshrosso
on 16 Sep 2017
I will.
gregoryguillou
on 17 Sep 2017
Thanks @gregoryguillou. Will keep an eye on this ticket.
joshrosso
on 17 Sep 2017
Unfortunately I must report, that it still doesn't work, even with the suggested version.
hrzbrg
on 29 Sep 2017
Thanks for the update. Seems there is some confusion during reconcile around whether a listener should remain HTTP. Will look to knock this out soon.
joshrosso
on 4 Oct 2017
Anyone else stumbling upon this issue, it does work but the annotation for specifying the ports is now alb.ingress.kubernetes.io/listen-ports: '[{"HTTP": 80,"HTTPS": 443}]'.
The documentation still refers to the old annotation of alb.ingress.kubernetes.io/port: '[{"HTTP": 80,"HTTPS": 443}]' which is now completely ignored as far as I can tell.
ghost
on 3 Apr 2018
Hey guys, if you're still interested in doing the http to https redirect you should follow https://github.com/kubernetes-sigs/aws-alb-ingress-controller/issues/487
gabzim
on 3 Aug 2018
Related issues
brylex418
路
4Comments
rootd00d
路
4Comments
gigi-at-zymergen
路
5Comments
ghostsquad
路
4Comments
NickEAVE
路
3Comments