zalando / skipper

An HTTP router and reverse proxy for service composition, including use cases like Kubernetes Ingress
https://opensource.zalando.com/skipper/

Bypass kubernetes-https-redirect #728

Open patrickdk77 opened 6 years ago

patrickdk77 commented 6 years ago

I have a single host that handles an old application on http, and it ignores the redirect and errors out.

Is there a way I can add a route path to bypass the redirect and go to the container?

Looking at the source it seems like I should be able to, but I'm not really able to understand how to go about it in a kubernetes ingress config.

szuecs commented 6 years ago

Can you try to add a Path() predicate to your route? More specific paths win against less specific paths; additionally, for the same or similar paths, the route with more predicates wins. https://opensource.zalando.com/skipper/predicates/#path https://opensource.zalando.com/skipper/kubernetes/ingress-usage/#skipper-ingress-annotations

patrickdk77 commented 6 years ago

I attempted this, and it's working as expected, or seems to be:

```yaml
annotations:
  zalando.org/skipper-predicate: PathSubtree("/") && HeaderRegexp("User-Agent", "^Testing")
```

From my tests, matching the user agent gets a response on http, and any other user agent gets redirected to https as I wished for. Thanks.

I only found one thing missing in the documentation: if I wanted to add a second predicate to this, how can I do so? The documentation only talks about && to add conditions, but doesn't explain how I can add another condition that would also match, or is this too much for the ingress spec?

szuecs commented 6 years ago

@patrickdk77 Did you find https://opensource.zalando.com/skipper/kubernetes/ingress-usage/#filters-and-predicates ?

irishshagua commented 6 years ago

Hey, noticed similar issues with the default redirect route today. Below is an example of some sample routes where the redirect (which we'd want to always take precedence for http traffic) is not being applied when more complex routes are matched exactly. Is there a way to ensure that all http traffic results in a redirect to https?

```
RedirectRoute:
PathRegexp(/.*/) && Header("X-Forwarded-Proto", "http") && HeaderRegexp("X-Forwarded-Port", /.*/)
  -> redirectTo(308, "https:")
  -> <shunt>;

SampleRoute1:
Host(/^example[.]org$/) && Method("GET") && Path("/**") && JWTPayloadAllKV("uid", "irishshagua")
  -> oauthTokeninfoAllScope("uid")
  -> "http://10.0.0.2:8080";
```

```
# Curl with a token which has a uid of irishshagua
curl -v -H "Authorization: Bearer $tok" http://example.org/api/abcd
*   Trying 10.0.0.1...
* TCP_NODELAY set
* Connected to example.org (10.0.0.1) port 80 (#0)
> GET /api/abcd HTTP/1.1
> Host: example.org
> User-Agent: curl/7.54.0
> Accept: */*
> Authorization: Bearer efgh2...9asdQ
>
< HTTP/1.1 200 OK
< Date: Tue, 04 Sep 2018 12:36:06 GMT
< Content-Type: text/plain
< Content-Length: 1033
< Connection: keep-alive
< Server: Skipper
<
Request served by hostname

HTTP/1.1 GET /api/abcd

Host: example.org
Accept: */*
X-Forwarded-For: 212.2.166.82
X-Forwarded-Proto: http
Accept-Encoding: gzip
User-Agent: curl/7.54.0
Authorization: Bearer efgh2...9asdQ
X-Forwarded-Port: 80
```

```
# Curl with no token
curl -v http://bmooney-fabric-example-project.smart-product-platform-test.zalan.do/api/abcd
*   Trying 10.0.0.1...
* TCP_NODELAY set
* Connected to example.org (10.0.0.1) port 80 (#0)
> GET /api/abcd HTTP/1.1
> Host: example.org
> User-Agent: curl/7.54.0
> Accept: */*
>
< HTTP/1.1 308 Permanent Redirect
< Date: Tue, 04 Sep 2018 12:36:26 GMT
< Content-Length: 0
< Connection: keep-alive
< Location: https://example.org/api/abcd
< Server: Skipper
```

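A small model of the precedence rule described in this thread (a tree path match beats a regexp path, and on a tie the route with more predicates wins), added here as an illustration and not Skipper's own matching code: it reproduces why the token-bearing request above reaches the backend over plain http while the token-less one is redirected, and lists the routes that can serve cleartext. Predicate semantics are simplified, `/**` is treated as "any path", and `JWTPayloadAllKV` is modelled on claims assumed to be already extracted from the token.

```python
import re
from dataclasses import dataclass

@dataclass
class Route:
    name: str
    predicates: list   # (kind, args) pairs transcribed from the eskip above
    action: str        # backend address or the redirect filter

    def matches(self, req: dict) -> bool:
        hdr = req["headers"]
        for kind, arg in self.predicates:
            ok = {
                "PathRegexp": lambda: re.search(arg, req["path"]),
                "Path": lambda: arg == "/**" or arg == req["path"],  # simplified glob
                "Host": lambda: re.search(arg, req["host"]),
                "Method": lambda: arg == req["method"],
                "Header": lambda: hdr.get(arg[0]) == arg[1],
                "HeaderRegexp": lambda: arg[0] in hdr and re.search(arg[1], hdr[arg[0]]),
                # Stand-in for token introspection: claims the proxy already extracted.
                "JWTPayloadAllKV": lambda: req.get("claims", {}).get(arg[0]) == arg[1],
            }[kind]()
            if not ok:
                return False
        return True

def select_route(routes, req):
    """Tree path match (Path/PathSubtree) outranks regexp/no path; then more predicates win."""
    hits = [r for r in routes if r.matches(req)]
    if not hits:
        return None
    tree = lambda r: any(k in ("Path", "PathSubtree") for k, _ in r.predicates)
    return max(hits, key=lambda r: (tree(r), len(r.predicates)))

def plain_http_backends(routes):
    """Backend routes that do not require X-Forwarded-Proto: https, i.e. routes that
    serve cleartext whenever they outrank the redirect route (the header itself is only
    present when the load balancer in front sets it, as noted later in the thread)."""
    return [r.name for r in routes if r.action.startswith("http")
            and ("Header", ("X-Forwarded-Proto", "https")) not in r.predicates]

# The two routes from the report and constructed requests matching the two curl calls.
ROUTES = [
    Route("RedirectRoute", [("PathRegexp", ".*"), ("Header", ("X-Forwarded-Proto", "http")),
                            ("HeaderRegexp", ("X-Forwarded-Port", ".*"))], 'redirectTo(308, "https:")'),
    Route("SampleRoute1", [("Host", r"^example[.]org$"), ("Method", "GET"), ("Path", "/**"),
                           ("JWTPayloadAllKV", ("uid", "irishshagua"))], "http://10.0.0.2:8080"),
]
NO_TOKEN = {"host": "example.org", "method": "GET", "path": "/api/abcd",
            "headers": {"X-Forwarded-Proto": "http", "X-Forwarded-Port": "80"}}
WITH_TOKEN = {**NO_TOKEN, "claims": {"uid": "irishshagua"}}
```

`select_route(ROUTES, WITH_TOKEN)` picks SampleRoute1 and `select_route(ROUTES, NO_TOKEN)` picks RedirectRoute, matching the two curl transcripts; `plain_http_backends(ROUTES)` flags SampleRoute1 as reachable over cleartext.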
szuecs commented 6 years ago

Related to #684

herojan commented 5 years ago

@szuecs Hi, this is still an issue in that we can't ensure that requests always use https. Are there any workarounds we could use short term?

szuecs commented 5 years ago

@herojan there is no technical solution to achieve this knowledge. You could try to use X-Forwarded-Proto: https from ALB, but what if we change the infrastructure to NLB, which we will do in the future? NLB does not work on HTTP and will not add headers there.

The second issue is that if you use cluster internal communication https://opensource.zalando.com/skipper/kubernetes/east-west-usage/ we have only http right now, because we do not terminate TLS at this level.

The only way would be to drop http entirely and try to do the redirect at ALB level, such that http traffic will never hit skipper.