GoogleCloudPlatform / gke-managed-certs

Managed Certificates for Kubernetes clusters using GCLB
Apache License 2.0

WWW non-WWW Redirection over HTTPS #26

Closed alexwennerberg closed 5 years ago

alexwennerberg commented 5 years ago

Hi!

I'm trying to set up a web server at www.[domain].com. I followed the instructions on this article: https://cloud.google.com/kubernetes-engine/docs/how-to/managed-certs and got everything working.

There are four ways someone may commonly access my site:

- http://[domain].com
- http://www.[domain].com
- https://[domain].com
- https://www.[domain].com

Redirecting http://[domain].com to http://www.[domain].com is easily handled via DNS records. However, right now, running `curl https://[domain].com` gives an invalid cert error, since my certificate is only configured for www.[domain].com. For many browsers, this isn't an issue (e.g., Chrome handled the redirect), but in Firefox, for example, this redirect wasn't handled by my browser.

How can I use managed certs to redirect https://[domain].com to https://www.[domain].com? According to Google's documentation: "Managed certificates support a single, non-wildcard domain. Refer to the managed certificates page for information on how to use them." Although I am relatively inexperienced in this field, this seems inconsistent with web best practices, which should use HTTPS and should redirect [domain].com to www.[domain].com or vice versa. Am I misunderstanding or misusing this service?

Thanks!

alexwennerberg commented 5 years ago

Figured out there's an inconsistency between the GitHub documentation and the GCP documentation.

abevoelker commented 5 years ago

GCP's Ingress can't do those types of redirects. You'll have to handle redirects from your own webserver unfortunately.

You'll have to create a separate ManagedCertificate for each domain given the current limitations on that. But your Ingress can terminate both of your domains. Might look something like:

```yaml
# One Ingress terminates TLS for both hosts; both certificates are
# listed in the managed-certificates annotation.
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: example-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: example-ip-address
    networking.gke.io/managed-certificates: cert1,cert2
spec:
  rules:
  - host: domain.com
    http:
      paths:
      - backend:
          serviceName: your-service
          servicePort: 80
  - host: www.domain.com
    http:
      paths:
      - backend:
          serviceName: your-service
          servicePort: 80
---
# One ManagedCertificate per domain.
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: cert1
spec:
  domains:
    - domain.com
---
apiVersion: networking.gke.io/v1beta1
kind: ManagedCertificate
metadata:
  name: cert2
spec:
  domains:
    - www.domain.com
```

alexwennerberg commented 5 years ago

Thank you! This is what I figured out; I just found the GCP documentation misleading, which says "Managed certificates support a single, non-wildcard domain".
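
The web-server-side redirect suggested in the thread, as an added example that is not part of the original discussion or the project's code: a minimal backend that sends the apex host to the www host over HTTPS, building the `Location` from a fixed canonical name rather than from the request's `Host` header. Assumptions: `domain.com` and `www.domain.com` are the thread's placeholders, the load balancer sets `X-Forwarded-Proto`, the container listens on port 8080, and `redirect_target` and `Handler` are hypothetical names.

```python
from http.server import BaseHTTPRequestHandler, HTTPServer

CANONICAL_HOST = "www.domain.com"   # placeholder from the thread (covered by cert2)
REDIRECT_HOSTS = {"domain.com"}     # placeholder apex host (covered by cert1)


def redirect_target(host_header, forwarded_proto, path):
    """Return the absolute URL to redirect to, or None to serve the request."""
    host = (host_header or "").strip().lower()
    if host.rpartition(":")[2].isdigit():      # drop an optional :port
        host = host.rsplit(":", 1)[0]
    host = host.rstrip(".")                    # tolerate a trailing-dot FQDN
    # A request target such as "@other.example/" must not be glued onto the
    # canonical host, or the Location would point somewhere else entirely.
    if not path.startswith("/"):
        path = "/"
    if host in REDIRECT_HOSTS:
        return "https://" + CANONICAL_HOST + path
    if host == CANONICAL_HOST and (forwarded_proto or "").lower() == "http":
        return "https://" + CANONICAL_HOST + path
    # Unknown Host values (for example a health check addressed by IP) are
    # served, never redirected, and never reflected into a Location header.
    return None


class Handler(BaseHTTPRequestHandler):
    def do_GET(self):
        target = redirect_target(self.headers.get("Host"),
                                 self.headers.get("X-Forwarded-Proto"),
                                 self.path)
        if target:
            self.send_response(301)
            self.send_header("Location", target)
            self.send_header("Content-Length", "0")
            self.end_headers()
            return
        body = b"ok\n"
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)


if __name__ == "__main__":
    # Port 8080 is an assumption; the Service in front maps servicePort 80 to it.
    HTTPServer(("0.0.0.0", 8080), Handler).serve_forever()
```

The redirect only works once both ManagedCertificates are active, because the client must complete the TLS handshake for `domain.com` before it can receive the 301.
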