Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Redirect: default HTTP->HTTPS redirect does not work if envoy is deployed on non-default host ports #1300

Closed
sudeeptoroy opened this issue Aug 7, 2019 · 11 comments
Closed

Redirect: default HTTP->HTTPS redirect does not work if envoy is deployed on non-default host ports #1300

sudeeptoroy opened this issue Aug 7, 2019 · 11 comments
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.

Comments

@sudeeptoroy
Copy link
Contributor

http redirect url is not composed correctly when envoy is deployed on non standard hostport (!80, !443).
Deployment steps:

  1. Reference deployment: https://github.com/heptio/contour/blob/master/examples/ds-hostnet-split/03-envoy.yaml
  2. Change hostports to different value; example:
    - containerPort: 80
    hostPort: 8000
    name: http
    protocol: TCP
    - containerPort: 443
    hostPort: 6443
    name: https
    protocol: TCP

developer's steps:

  1. Create ingressroute with redirect enabled for the http url; use wildcard
  2. Curl url
    Example: curl -L http://redirect-example.com:8000

Issue:
Redirect 301 is received with a wrong redirect port.
example
Received redirect url: https://redirect-example.com:8000
Expected url: https://redirect-example.com:6443

Environment:

  • Contour version: all
@stevesloka
Copy link
Member

Hey @sudeeptoroy, did you also change the ports that Envoy is configured to listen on? Here are the places you'd need to match: https://github.com/heptio/contour/blob/master/examples/ds-hostnet-split/03-contour.yaml#L36-L37

@stevesloka stevesloka added the kind/question Categorizes an issue as a user question. label Aug 7, 2019
@sudeeptoroy
Copy link
Contributor Author

yes, these changes were done too..

@sudeeptoroy
Copy link
Contributor Author

https://github.com/envoyproxy/envoy/blob/feb56a1f8ee2cf1ea2048e20b7ba05f8199355c6/api/envoy/api/v2/route/route.proto#L954

this seems to be missing while programming the envoy configuration for redirect

@stevesloka
Copy link
Member

Ahh, I'm following now @sudeeptoroy, yes, looks like we'd need to configure that setting for this to work properly.

@stevesloka stevesloka added kind/feature Categorizes issue or PR as related to a new feature. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed kind/question Categorizes an issue as a user question. labels Aug 7, 2019
@sudeeptoroy sudeeptoroy mentioned this issue Aug 16, 2019
Closed
@davecheney
Copy link
Contributor

@sudeeptoroy thank you for raising this issue. I believe that this should be possible to fix without having to add knowledge of the port envoy is listening on.

Before we move to a fix, can I please confirm the problem, which is

When Envoy is configured to redirect a request from HTTP to HTTPS it is appending a port number.

Is that correct?

@davecheney davecheney added blocked/needs-info Categorizes the issue or PR as blocked because there is insufficient information to advance it. and removed kind/feature Categorizes issue or PR as related to a new feature. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. labels Aug 19, 2019
@sudeeptoroy
Copy link
Contributor Author

When Envoy is configured to redirect a request from HTTP to HTTPS it is appending a port number.

For standard ports 80 and 443, no. This is correct behaviour.
However for cases where envoy if bound to a different hostport lets say 8000 and 6443 for http and https traffic; redirect is appending a port number but wrong one. In this case, after the redirect we would expect port 6443 but what we receive is 8000.

@davecheney
Copy link
Contributor

@sudeeptoroy I think the solution is to see if there is a way to prevent envoy adding any port to the redirect; ie http://foo.com -> https://foo.com shouldn't need a port.

@davecheney davecheney added kind/bug Categorizes issue or PR as related to a bug. priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. and removed blocked/needs-info Categorizes the issue or PR as blocked because there is insufficient information to advance it. labels Aug 22, 2019
@davecheney davecheney added this to the 1.0.0-beta.1 milestone Aug 22, 2019
@sudeeptoroy
Copy link
Contributor Author

@davecheney envoy would not add ports until you program it that way.

essentially https://github.com/envoyproxy/envoy/blob/feb56a1f8ee2cf1ea2048e20b7ba05f8199355c6/api/envoy/api/v2/route/route.proto#L954
need to be programmed only for cases when envoy is serving non standard ports; ie http://foo.com:8000 -> https://foo.com:6443

previously I had submitted this fix #1331
let me know if i should submit it again.

@davecheney davecheney modified the milestones: 1.0.0-beta.1, Backlog Sep 10, 2019
@davecheney
Copy link
Contributor

Thank you for explaining. I played around with the rewriting options in envoy and it looks inescapable that we'll have to record the host port that traffic is nat'd into envoy on. I don't think we can commit to doing this work before Contour 1.0, as it needs to be threaded through contour's config file, the listener visitor and the route visitor.

@jpeach jpeach changed the title Ingressroute http redirect does not work if envoy is deployed as ds on non-standard hostports Redirect: default HTTP->HTTPS redirect does not work if envoy is deployed on non-default host ports Oct 8, 2020
youngnick pushed a commit to youngnick/contour that referenced this issue Jan 19, 2021
design: Add design for multiple Envoy listeners
dfc7fab 
As part of implementing Service APIs, it's necessary to reconsider Contour's insecure to secure redirect functionality.
This document suggests keeping the functionality, while allowing additional listening ports to be defined.

Updates projectcontour#1300
Updates projectcontour#2922
Updates projectcontour#3086

Signed-off-by: Nick Young <ynick@vmware.com>
@youngnick youngnick mentioned this issue Jan 19, 2021
Closed
@skriss skriss removed this from the Backlog milestone Jul 25, 2022
@sunjayBhatia sunjayBhatia added priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete. and removed priority/important-soon Must be staffed and worked on either currently, or very soon, ideally in time for the next release. labels Sep 26, 2022
@github-actions GitHub Actions
Copy link

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

  • Mark this Issue as fresh by commenting
  • Close this Issue
  • Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

@github-actions github-actions bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Jul 27, 2024
@github-actions GitHub Actions
Copy link

The Contour project currently lacks enough contributors to adequately respond to all Issues.

This bot triages Issues according to the following rules:

  • After 60d of inactivity, lifecycle/stale is applied
  • After 30d of inactivity since lifecycle/stale was applied, the Issue is closed

You can:

  • Mark this Issue as fresh by commenting
  • Close this Issue
  • Offer to help out with triage

Please send feedback to the #contour channel in the Kubernetes Slack

@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Aug 26, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
kind/bug Categorizes issue or PR as related to a bug. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. priority/important-longterm Important over the long term, but may not be staffed and/or may need multiple releases to complete.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

cmd/contour: added support to set port redirect on envoy
5 participants
@davecheney @stevesloka @skriss @sunjayBhatia @sudeeptoroy