The action https_redirect works for redirecting http port 80 to https port 443, or http port X1 to https port X2, but there is no way to use the same listener on the same port for redirecting.
On a listener defined to accept and route https requests, I tried to add redirection from the http scheme to https on the same port. But the listener doesn't accept requests over http when there is a TLS context defined. At the same time, there is no way to define 2 listeners on the same port, one for http with the https_redirect action and one for the secure requests.
How is it possible to use https_redirect on the same port in the same listener?
The goal is: if there is a URL https://server:12345 which accepts secure requests, and a request is sent to http://server:12345, the proxy should redirect it to https://server:12345.
Thanks
I don't think it is possible to serve both HTTP and HTTPS on the same port.
If you try HTTP URL scheme to a port which is accepting SSL connections it
will not work. And if you use HTTPS URL scheme with regular HTTP port, it
will also fail to negotiate TLS and not make any HTTP requests.
In practice, I'm not sure exactly what you're trying to accomplish, or
rather, why. You can use any ports you want, but http:// URLs need to use a
plain text listener, and https:// URLs need to use an SSL one.
On Mon, Jan 7, 2019 at 10:48 AM Vladimir Penev notifications@github.com wrote:

> The action https_redirect works for redirecting http port 80 to https port 443, or http port X1 to https port X2, and no way to use same listener on same port for redirecting.
>
> On defined listener to accept and route https request it is tried to add redirection from http schema to https on the same port. But the listener doesn't accept the requests on http when there is tls context defined. In the same time there is no way to define 2 listeners on same port, one for http with https_redirect action, and one for the secure request.
>
> How it is possible to use https_redirect on same port in the same listener?
>
> The goal is, if there is a url https://server:12345 which accepts secure requests, then if a request to http://server:12345 is sent, the proxy to redirect it to https://server:12345.
>
> Thanks

I have a secure listener, and it works for the https URL on a specific port.
But if someone requests the same URL on the same port over http, I just want the request to be redirected to https.
There is nothing special in my wish: just do not reject the request if the URL and the port are correct but it was sent as http.
In that scenario you can't redirect, because the http:// URL to the port
that is expecting HTTPS will not be able to do the basic protocol
communication that is needed to do a redirect. This isn't a limitation of
Envoy, but of HTTP in general.
On Mon, Jan 7, 2019 at 12:19 PM Vladimir Penev notifications@github.com wrote:

> I have secure listener, and it works on https url on specific port.
> But I want if someone requested same url with same port, just to redirect the request to https.
> Nothing special in my wish, just do not reject the request if the url and the port are correct, but sent as http.

It is actually possible with Envoy using the TLS inspector: you can set up two filter chains on the same listener (same port), one with TLS and one with plaintext, and set up the HTTP connection manager in the plaintext one to redirect to HTTPS.
Thanks a lot Lizan, your solution works well.
@vovata can you please share the config on how you achieved this? Thanks
@prateek33 check this sample:

```yaml
- name: listener_x
  address:
    socket_address: { address: "::", ipv4_compat: true, port_value: 443 }
  listener_filters:
  # Peeks at the first bytes of each connection to tell TLS from plaintext.
  - name: envoy.listener.tls_inspector
    config: {}
  filter_chains:
  # Plaintext connections: answer every request with a redirect to https.
  - filter_chain_match:
      transport_protocol: raw_buffer
    filters:
    - name: envoy.http_connection_manager
      config:
        stat_prefix: ingress_http
        codec_type: auto
        route_config:
          name: local_redirect
          virtual_hosts:
          - name: local_http
            domains: ["*"]  # match any Host header
            routes:
            - match: { prefix: "/" }
              redirect: { https_redirect: true }
        http_filters:
        - name: envoy.router
          config: {}
  # TLS connections: normal routing.
  # A tls_context with the server certificate belongs on this chain; the sample omits it.
  - filter_chain_match:
      transport_protocol: tls
    filters:
    - name: envoy.http_connection_manager
      config:
        stat_prefix: ingress_http
        codec_type: auto
        route_config:
          name: local_route
          virtual_hosts:
          - name: local_path
            domains: ["*"]  # match any Host header
            routes:
            - match: { path: "/" }
              redirect: { path_redirect: "/welcome.html"}
        http_filters:
        - name: envoy.router
          config: {}
```
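
Why one port can serve both chains, as an added example that is not part of the thread and not Envoy code: the first bytes of a TLS ClientHello are distinguishable from an HTTP request line, so the listener can classify a connection before choosing a filter chain. The byte check is a simplified stand-in for Envoy's parser, and all function names and sample bytes are constructed for illustration.

```python
# Added illustration; names are hypothetical and this is not Envoy code.

# Constructed samples: the first bytes each kind of client sends to port 12345.
CLIENT_HELLO_PREFIX = bytes.fromhex("160301020001000001fc0303")
PLAIN_REQUEST = b"GET /login?next=%2F HTTP/1.1\r\nHost: server:12345\r\n\r\n"


def detect_transport_protocol(first_bytes: bytes) -> str:
    """Classify a new connection the way the two filter_chain_match rules need.

    A TLS connection opens with a handshake record: content type 0x16,
    major version 0x03, a 2-byte length, then handshake type 0x01
    (ClientHello). Anything else is plaintext, i.e. "raw_buffer".
    """
    is_tls = (len(first_bytes) >= 6 and first_bytes[0] == 0x16
              and first_bytes[1] == 0x03 and first_bytes[5] == 0x01)
    return "tls" if is_tls else "raw_buffer"


def https_redirect(request: bytes) -> bytes:
    """Answer a plaintext request with a 301 to the same host, port and path."""
    head = request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    request_line, *header_lines = head.split("\r\n")
    parts = request_line.split(" ")
    host = ""
    for line in header_lines:
        name, _, value = line.partition(":")
        if name.strip().lower() == "host":
            host = value.strip()
    # Reject anything without a usable Host or an origin-form target.
    if len(parts) != 3 or not parts[1].startswith("/") or not host:
        return b"HTTP/1.1 400 Bad Request\r\nContent-Length: 0\r\n\r\n"
    location = f"https://{host}{parts[1]}"
    return (f"HTTP/1.1 301 Moved Permanently\r\nLocation: {location}\r\n"
            "Content-Length: 0\r\n\r\n").encode("latin-1")


def route(first_bytes: bytes) -> str:
    """Pick the filter chain; only the plaintext chain is simulated here."""
    if detect_transport_protocol(first_bytes) == "tls":
        return "tls chain: handshake, then local_route"
    return https_redirect(first_bytes).decode("latin-1").split("\r\n")[0]


if __name__ == "__main__":
    print(route(CLIENT_HELLO_PREFIX))
    print(route(PLAIN_REQUEST))
```

The plaintext request has already crossed the network by the time the 301 is returned, so session cookies need the Secure attribute and the HTTPS responses should send Strict-Transport-Security.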