Envoy: HTTP redirect for HTTPS cannot hit the HTTPS port. It hits the HTTP port instead.

Created on 8 Dec 2018 · 4 Comments · Source: envoyproxy/envoy

HTTP redirect failed: the HTTP redirect for the HTTPS listener always redirects to the HTTP endpoint instead of the HTTPS endpoint.

Description:

I have an Envoy front proxy listening on the HTTPS port 8443, and it redirects all HTTP requests on port 8000 to the HTTPS port 8443. But it seems the redirect endpoint is never parsed as an HTTPS endpoint.

Envoy config Yaml file:

static_resources:
  listeners:
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 8443
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          stat_prefix: ingress_http
          codec_type: AUTO
          route_config:
            name: local_route
            virtual_hosts:
            - name: httpsbackend
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/mock-domain" # a test for mock-domain
                route:
                  cluster: mock-domain
              - match:
                  prefix: "/xmlproxy/ws" # for API 3.4.x & 3.5.x
                route:
                  cluster: content-router
              - match:
                  path: "/xmlproxy/HttpMessageProxy" # for API 1.x
                route:
                  cluster: content-router
              - match:
                  path: "/xmlproxy/20" #for API 2.x"
                route:
                  cluster: content-router
          http_filters:
          - name: envoy.router
            config: {}
      tls_context:
        common_tls_context:
          tls_certificates:
            - certificate_chain:
                filename: "/home/etransfer/service-proxy/envoy-front/ssl/envoy-front-ssl.crt"
              private_key:
                filename: "/home/etransfer/service-proxy/envoy-front/ssl/envoy-front-ssl.key"
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 8000
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: httpsbackend
              domains:
              - "*"
              routes:
              - match:
                  prefix: "/mock-domain" # a test for mock-domain
                route:
                  cluster: mock-domain
              - match:
                  # redirect everything else HTTP to HTTPs
#                  prefix: "/xmlproxy"
                  prefix: "/"
                redirect:
#                  path_redirect: "/"
                  https_redirect: true
          http_filters:
          - name: envoy.router
            config: {}
  clusters:
  - name: mock-domain
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    hosts:
    - socket_address:
        address: mock-domain
        port_value: 10080
  - name: content-router
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    hosts:
    - socket_address:
        address: content-router
        port_value: 8181
admin:
  access_log_path: "/home/etransfer/service-proxy/envoy-front/logs/envoy_access.log"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 8001

logs:

[2018-12-07 14:32:16.954][000011][debug][main] [source/server/connection_handler_impl.cc:236] [C0] new connection
[2018-12-07 14:32:16.954][000011][debug][http] [source/common/http/conn_manager_impl.cc:200] [C0] new stream
[2018-12-07 14:32:16.955][000011][debug][http] [source/common/http/conn_manager_impl.cc:529] [C0][S4235800910792355188] request headers complete (end_stream=false):
':authority', '192.168.64.135:8000'
':path', '/xmlproxy/ws/3.4.1/manageContact'
':method', 'POST'
'accept-encoding', 'gzip,deflate'
'content-type', 'text/xml;charset=UTF-8'
'soapaction', '"http://emtservice.acxsys.com/ws/3.4.1/AddContact"'
'content-length', '3553'
'connection', 'Keep-Alive'
'user-agent', 'Apache-HttpClient/4.1.1 (java 1.5)'
[2018-12-07 14:32:16.956][000011][debug][http] [source/common/http/conn_manager_impl.cc:1180] [C0][S4235800910792355188] encoding headers via codec (end_stream=true):
':status', '301'
'location', 'https://192.168.64.135:8000/xmlproxy/ws/3.4.1/manageContact'
'date', 'Fri, 07 Dec 2018 14:32:16 GMT'
'server', 'envoy'
'connection', 'close'
[2018-12-07 14:32:16.956][000011][debug][connection] [source/common/network/connection_impl.cc:101] [C0] closing data_to_write=195 type=2
[2018-12-07 14:32:16.956][000011][debug][connection] [source/common/network/connection_impl.cc:153] [C0] setting delayed close timer with timeout 1000 ms
[2018-12-07 14:32:16.956][000011][debug][connection] [source/common/network/connection_impl.cc:101] [C0] closing data_to_write=195 type=2
[2018-12-07 14:32:16.961][000011][debug][connection] [source/common/network/connection_impl.cc:460] [C0] remote early close
[2018-12-07 14:32:16.961][000011][debug][connection] [source/common/network/connection_impl.cc:183] [C0] closing socket: 0
[2018-12-07 14:32:16.961][000011][debug][main] [source/server/connection_handler_impl.cc:68] [C0] adding to cleanup list
[2018-12-07 14:32:16.961][000011][debug][main] [source/server/connection_handler_impl.cc:236] [C1] new connection
[2018-12-07 14:32:16.964][000011][debug][http] [source/common/http/conn_manager_impl.cc:234] [C1] dispatch error: http/1.1 protocol error: HPE_INVALID_METHOD
[2018-12-07 14:32:16.964][000011][debug][connection] [source/common/network/connection_impl.cc:101] [C1] closing data_to_write=66 type=2
[2018-12-07 14:32:16.964][000011][debug][connection] [source/common/network/connection_impl.cc:153] [C1] setting delayed close timer with timeout 1000 ms
[2018-12-07 14:32:16.972][000011][debug][connection] [source/common/network/connection_impl.cc:460] [C1] remote early close
[2018-12-07 14:32:16.972][000011][debug][connection] [source/common/network/connection_impl.cc:183] [C1] closing socket: 0
[2018-12-07 14:32:16.972][000011][debug][main] [source/server/connection_handler_impl.cc:68] [C1] adding to cleanup list
[2018-12-07 14:32:18.362][000005][debug][main] [source/server/server.cc:144] flushing stats

When watching the log, this location https://192.168.64.135:8000/xmlproxy/ws/3.4.1/manageContact seems to be the re-directed target. But actually, I expect https://192.168.64.135:8443/xmlproxy/ws/3.4.1/manageContact

Is anything wrong in the YAML file?

question

All 4 comments

Has anyone experienced this problem before?

The https_redirect only changes the URI schema, so if you have a non-standard port in the URI you'll be redirected to the same port (i.e. http://example.com:8000/ to https://example.com:8000/). Try using port_redirect? See https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/route/route.proto#route-redirectaction

Thanks Lizan.
It does work. I changed the redirect section to:

              - match:
                  prefix: "/"
                redirect:
                  port_redirect: 8443
                  https_redirect: true

Now it is redirecting the request from http-8000 to the port https-8443.

Closing as answered
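
Added example (not part of the original thread, and not Envoy's code): a simplified Python model of the redirect behaviour described in the answer above, plus a config check that flags an `https_redirect` whose target port has no TLS listener. The helper names and the reduced sample config are assumptions, and the check assumes clients reach each listener on its configured port.

```python
from urllib.parse import urlsplit

def redirect_location(host_header, path, redirect):
    # Simplified model of the behaviour described in the thread: https_redirect swaps
    # only the scheme; the port stays as sent in Host unless port_redirect overrides it.
    parts = urlsplit("//" + host_header)
    host = f"[{parts.hostname}]" if ":" in parts.hostname else parts.hostname
    port = redirect.get("port_redirect", parts.port)
    netloc = host if port is None else f"{host}:{port}"
    scheme = "https" if redirect.get("https_redirect") else "http"
    return f"{scheme}://{netloc}{path}"

def port_of(listener):
    return listener["address"]["socket_address"]["port_value"]

def has_tls(listener):
    return any("tls_context" in fc for fc in listener.get("filter_chains", []))

def redirects(listener):
    for fc in listener.get("filter_chains", []):
        for flt in fc.get("filters", []):
            route_config = flt.get("config", {}).get("route_config", {})
            for vh in route_config.get("virtual_hosts", []):
                yield from (r["redirect"] for r in vh.get("routes", []) if "redirect" in r)

def audit(config):
    # Returns (listener_port, redirect_target_port) pairs with no TLS listener on the target.
    listeners = config["static_resources"]["listeners"]
    tls_ports = {port_of(lst) for lst in listeners if has_tls(lst)}
    findings = []
    for lst in (x for x in listeners if not has_tls(x)):
        for red in redirects(lst):
            if red.get("https_redirect"):
                # Port 80 is normally omitted from Host, so the client then uses 443.
                implied = 443 if port_of(lst) == 80 else port_of(lst)
                target = red.get("port_redirect", implied)
                if target not in tls_ports:
                    findings.append((port_of(lst), target))
    return findings

def sample_config(redirect):
    # Constructed sample: the page's two listeners reduced to the fields audit() reads.
    def listener(port, routes, tls):
        chain = {"filters": [{"config": {"route_config": {"virtual_hosts": [{"routes": routes}]}}}]}
        if tls:
            chain["tls_context"] = {}
        return {"address": {"socket_address": {"port_value": port}}, "filter_chains": [chain]}
    return {"static_resources": {"listeners": [
        listener(8443, [{"match": {"prefix": "/"}, "route": {"cluster": "content-router"}}], True),
        listener(8000, [{"match": {"prefix": "/"}, "redirect": redirect}], False)]}}
```

With the original redirect block, `audit(sample_config({"https_redirect": True}))` reports the 8000 to 8000 redirect; with `port_redirect: 8443` added it reports nothing.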
