Http redirect in K8s

Traefik Traefik v1
1

I use Traefik 1.7 with Letsencrypt in K8s. It works when I do requests with https-prefix. However http is not redirected.
I configured redirection in toml-file and I do three annotations in my ingress-yml

Annotations:
kubernetes.io/ingress.class: traefik
traefik.ingress.kubernetes.io/redirect-entry-point: https
traefik.ingress.kubernetes.io/redirect-permanent: "true"

When I call with http-prefix answer is "found".

What is missing?

Here are two Logentries from traefik(first https, second http):

10.244.1.0 - - [17/Mar/2021:09:04:22 +0000] "GET / HTTP/2.0" 200 23 "-" "curl/7.58.0" 4 "xxx.xxx-xxx.org" "http://10.244.0.5:8080" 3ms
10.244.0.129 - - [17/Mar/2021:09:04:32 +0000] "GET / HTTP/1.1" 302 5 "-" "curl/7.58.0" 5 "entrypoint redirect for http" "/" 0ms

One remark: My K8s runs in Oracle-Cloud.

2

My maybe very simplified picture was: I can configure http-redirect global in toml-file. I did

[entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.http.redirect]
      entryPoint = "https"
      [entryPoints.https]
      address = ":443"
      [entryPoints.https.tls]

Later I tried

[entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.http.redirect]
      regex = "^http://(.*)"
      replacement = "https://$1"
      [entryPoints.https]
      address = ":443"
      [entryPoints.https.tls]

But redirect doesn't work this way.

And I thought that I can configure http-redirect per ingress with a annotation in Ingress-yml.
Worked neither.

Any advise?

3

For redirection at the ingress level try this:

annotations:
ingress.kubernetes.io/ssl-redirect: "true"
ingress.kubernetes.io/force-ssl-redirect: "true"

4

I tried it, but no success.

k describe ingress kubia-ingress
Warning: extensions/v1beta1 Ingress is deprecated in v1.14+, unavailable in v1.22+; use networking.k8s.io/v1 Ingress
Name:             kubia-ingress
Namespace:        default
Address:          
Default backend:  kubia:80 (10.244.0.133:8080,10.244.0.7:8080,10.244.1.6:8080)
Rules:
  Host                          Path  Backends
  ----                          ----  --------
  xxx.yyy.org  
                                /      kubia:80 (10.244.0.133:8080,10.244.0.7:8080,10.244.1.6:8080)
                                /bee   bee:80 (10.244.0.134:8080,10.244.0.8:8080,10.244.1.15:8080)
Annotations:                    ingress.kubernetes.io/force-ssl-redirect: true
                                ingress.kubernetes.io/ssl-redirect: true
                                kubernetes.io/ingress.class: traefik
Events:                         <none>

https works, http-redirect dows not. Here are the two log entries, first is http-curl-call, second is https-curl-call.

10.244.0.128 - - [23/Mar/2021:09:30:25 +0000] "GET / HTTP/1.1" 302 5 "-" "curl/7.61.1" 1 "entrypoint redirect for http" "/" 0ms
10.244.0.0 - - [23/Mar/2021:09:30:29 +0000] "GET / HTTP/2.0" 200 23 "-" "curl/7.61.1" 2 "xxx.yyy.org/" "http://10.244.1.6:8080" 1ms

5

Please look also here. Because I got no response here in the forum I duplicated my question(sorry):

6

can you post your curl commands and output?

try using curl -L -v http://xxx.yyy.org

7

Just to be sure: I want only TLS-communication when a client from outside requests via http. In this case it should be redirect to https. The communication inside K8s should be http.
I thought this is simply done globally by confgiration in the toml-file of traefik with this

[entryPoints]
      [entryPoints.http]
      address = ":80"
      [entryPoints.http.redirect]
         entryPoint = "https"
8 
*   Trying 10.214.1.52...
* TCP_NODELAY set
* Connected to aprilinternal.doctor-bee.org (10.214.1.52) port 80 (#0)
> GET / HTTP/1.1
> Host: aprilinternal.doctor-bee.org
> User-Agent: curl/7.61.1
> Accept: */*
> 
< HTTP/1.1 302 Found
< Location: https://aprilinternal.doctor-bee.org/
< Date: Tue, 23 Mar 2021 09:57:42 GMT
< Content-Length: 5
< Content-Type: text/plain; charset=utf-8
< 
* Ignoring the response-body
* Connection #0 to host aprilinternal.doctor-bee.org left intact
* Issue another request to this URL: 'https://aprilinternal.doctor-bee.org/'
*   Trying 10.214.1.52...
* TCP_NODELAY set
* Connected to aprilinternal.doctor-bee.org (10.214.1.52) port 443 (#1)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/pki/tls/certs/ca-bundle.crt
  CApath: none
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (OUT), TLS alert, unknown CA (560):
* SSL certificate problem: self signed certificate
* Closing connection 1
curl: (60) SSL certificate problem: self signed certificate
More details here: https://curl.haxx.se/docs/sslcerts.html

curl failed to verify the legitimacy of the server and therefore could not
establish a secure connection to it. To learn more about this situation and
how to fix it, please visit the web page mentioned above.
9

I just had to add --insecure to curl!

10 
[opc@bastionhost ~]$ curl -L  --insecure http://aprilinternal.doctor-bee.org/
You've hit kubia-85ntl
[opc@bastionhost ~]$ curl --insecure http://aprilinternal.doctor-bee.org/
Found[opc@bastionhost ~]$

I have to apply both options... -L and --insecure

I ommited the -L option the first time...

11

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.