What is the default service in case "Host: " header doesn't match any Ingress resource

b10s · November 18, 2019, 8:18am

What is the default service in case "Host: " header doesn't match any Ingress resource?

I have traefik 1.5.4

b10s · November 18, 2019, 8:33am

Also how coexist Ingress resources without rules - host is * - with resources with rules - host has some value?

May it be that trefik takes random Ingress resource without rule in case it can not find host in other rules?

dduportal · November 19, 2019, 5:28pm

=> When there is no frontend rule matching a request, then Traefik answers a HTTP/404 with the string "404 Not Found" in the response body. See the explanation below if you want to define a default route.

Traefik generates a list of frontend rules mapped from the Ingress:

For each ingress' rule, a corresponding frontend rule is generated
For a given Ingress rule:
- If they are multiple paths, the Traefik's frontend rule got the paths with logical OR
- If there is a host: directive found, then the Traefik's frontend rule has a Host: matcher
- If there is a path, then a PathPrefix matcher is added.

It means that ingresses with no host specified will lead to a Traefik frontend rule with only a PathPrefix. From both perspectives Kubernetes or Traefik), such a rule is a "catch all hosts": rule=PathPrefix:/api is matched for both http://company.org/api as well as https://private.org.domain/api.

How does Traefik determines which rule to take when 2 rules are matching a request? Answer is with the priority: Basics - Træfik | Traefik | v1.5 . The rule priority is simple: longest rule (in term of characters) win.

Of course, with Traefik v1.x, you can change the rule and priorities in Kubernetes Ingresses by using annotations: Backend: Kubernetes Ingress - Træfik | Traefik | v1.5.

Defining a default rule

With this in mind you can define a default rule by adding an Ingress with the lowest priority possible that would only have a path: / and no host: it will map to a Traefik frontend rule in PathPrefix:/ with lowest priority. Any request not matched by other rules will fallback to this one.

Alternatively, you can define custom error pages (Commons - Træfik | Traefik | v1.5 with the HTTP/404 code, but be informed that it will be for ALL 404.

b10s · November 20, 2019, 2:42am

@dduportal thank you for the explanation.

Have the following four Ingress resources:

rule for host 'foo', comes to backend service 'A'
rule for host 'bar', comes to backend service 'B'
rule with no host specified, comes to backend service 'C'
another rule with no host specified, comes to backend service 'D'

when I do curl with Host header specified as baz - which does not match any Ingress resource's rule with host - request randomly goes either to 'C' or 'D' service.

Example of the rule without host:

apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: test-ingress
spec:
  backend:
    serviceName: testsvc
    servicePort: 80

In multi-tenant cluster each tenant able to define such Ingress resource without host. It means request for unknown host will be randomly passed to a service with no host specified.

Is it desired behavior when we can define multiple Ingress resources without host (see example above) ?

Topic		Replies	Views
Using HTTP Header for Ingress Rule Traefik v1 kubernetes-ingress	0	861	July 2, 2020
IngressRoute to match anything not working Traefik v2 kubernetes-ingress	6	1502	September 21, 2023
Default container / Wildcard Host rule Traefik v2 docker	3	195	August 13, 2024
Traefik as ingress Traefik v2 kubernetes-ingress	0	702	December 9, 2019
No Domain found in rule HostRegexp Traefik v2 kubernetes-ingress	2	2584	June 26, 2022

What is the default service in case "Host: " header doesn't match any Ingress resource

Related topics