The gateway definition for the Istio ingress gateway provides a configuration parameter to enable the HTTPS redirect of HTTP connections.
-> https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: azst-aks-gateway
namespace: istio-config
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- hosts:
- "*.danielstechblog.de"
port:
number: 80
name: http
protocol: HTTP
tls:
httpsRedirect: true
- hosts:
- "*.danielstechblog.de"
port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: istio-ingress-cert
When the httpsRedirect parameter is true, the Istio ingress gateway sends a 301 redirect for HTTP connections to use HTTPS.
For most scenarios, this is sufficient enough. The downside of using a 301 redirect is that a POST method might arrive as a GET request at the HTTPS endpoint and cause unexpected behavior from a user perspective. Even though the specification requires that the method and body remain unchanged, not all user agents follow this. It applies to the 302 redirect as well.
-> https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/301
-> https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/302
To provide an expected and consistent user experience you use a 307 or 308 redirect. Both redirects guarantee that the method and body remain unchanged. Unfortunately, some web applications use the 308 redirect in a non-standard way. Hence, using the 307 redirect is the most generic way.
-> https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307
-> https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308
Let us now dive into the configuration for the Istio ingress gateway.
Using a 307/308 HTTP redirect on Istio
When we want to provide a custom redirect like the 307 redirect, we need two gateway definitions: One for the actual HTTP to HTTP redirect and a second one that handles the ingress routing to the correct application.
The issue with only having one gateway definition is that the HTTP to HTTPS redirect acts as a catch-all directive in the routing chain. In the case of a matching entry in the routing chain, requests to an application would be served unencrypted via HTTP instead of encrypted via HTTPS.
Below is the first gateway definition for the 307 redirect.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: azst-aks-gateway-redirect
namespace: istio-config
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- hosts:
- "*.danielstechblog.de"
port:
number: 80
name: http
protocol: HTTP
Here is the second one for the actual ingress routing.
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
name: azst-aks-gateway
namespace: istio-config
spec:
selector:
istio: ingressgateway # use Istio default gateway implementation
servers:
- hosts:
- "*.danielstechblog.de"
port:
number: 443
name: https
protocol: HTTPS
tls:
mode: SIMPLE
credentialName: istio-ingress-cert
Now, we apply the following virtual service definition to the gateway that does the 307 redirect.
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
name: redirect
namespace: istio-config
spec:
gateways:
- azst-aks-gateway-redirect
hosts:
- "*.danielstechblog.de"
http:
- name: redirect
redirect:
redirectCode: 307
scheme: https
A quick validation with the following curl command shows that the 307 redirect works.
❯ curl -sIL http://aks.danielstechblog.de HTTP/1.1 307 Temporary Redirect location: https://aks.danielstechblog.de/ date: Tue, 05 Dec 2023 21:12:52 GMT server: istio-envoy transfer-encoding: chunked HTTP/2 200 date: Tue, 05 Dec 2023 21:12:52 GMT content-length: 1487 content-type: text/html; charset=utf-8 x-envoy-upstream-service-time: 12 server: istio-envoy
Summary
We have to keep several things in mind for the 307 redirect implementation, and it might be that the built-in 301 redirect is enough for your use cases. So, you can go with that or with a few configuration changes using a custom redirect.
You can find the example configurations in my GitHub repository.
-> https://github.com/neumanndaniel/kubernetes/tree/master/istio-custom-redirect