Daniel's Tech Blog

Cloud Computing, Cloud Native & Kubernetes

Using HTTP status code 307/308 for HTTPS redirect with the Istio ingress gateway

The gateway definition for the Istio ingress gateway provides a configuration parameter to enable the HTTPS redirect of HTTP connections.

-> https://istio.io/latest/docs/reference/config/networking/gateway/#ServerTLSSettings

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: azst-aks-gateway
  namespace: istio-config
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - hosts:
    - "*.danielstechblog.de"
    port:
      number: 80
      name: http
      protocol: HTTP
    tls:
      httpsRedirect: true
  - hosts:
    - "*.danielstechblog.de"
    port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: istio-ingress-cert

When the httpsRedirect parameter is true, the Istio ingress gateway sends a 301 redirect for HTTP connections to use HTTPS.

For most scenarios, this is sufficient enough. The downside of using a 301 redirect is that a POST method might arrive as a GET request at the HTTPS endpoint and cause unexpected behavior from a user perspective. Even though the specification requires that the method and body remain unchanged, not all user agents follow this. It applies to the 302 redirect as well.

-> https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/301
-> https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/302

To provide an expected and consistent user experience you use a 307 or 308 redirect. Both redirects guarantee that the method and body remain unchanged. Unfortunately, some web applications use the 308 redirect in a non-standard way. Hence, using the 307 redirect is the most generic way.

-> https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/307
-> https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/308

Let us now dive into the configuration for the Istio ingress gateway.

Using a 307/308 HTTP redirect on Istio

When we want to provide a custom redirect like the 307 redirect, we need two gateway definitions: One for the actual HTTP to HTTP redirect and a second one that handles the ingress routing to the correct application.

The issue with only having one gateway definition is that the HTTP to HTTPS redirect acts as a catch-all directive in the routing chain. In the case of a matching entry in the routing chain, requests to an application would be served unencrypted via HTTP instead of encrypted via HTTPS.

Below is the first gateway definition for the 307 redirect.

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: azst-aks-gateway-redirect
  namespace: istio-config
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - hosts:
    - "*.danielstechblog.de"
    port:
      number: 80
      name: http
      protocol: HTTP

Here is the second one for the actual ingress routing.

apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: azst-aks-gateway
  namespace: istio-config
spec:
  selector:
    istio: ingressgateway # use Istio default gateway implementation
  servers:
  - hosts:
    - "*.danielstechblog.de"
    port:
      number: 443
      name: https
      protocol: HTTPS
    tls:
      mode: SIMPLE
      credentialName: istio-ingress-cert

Now, we apply the following virtual service definition to the gateway that does the 307 redirect.

apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: redirect
  namespace: istio-config
spec:
  gateways:
    - azst-aks-gateway-redirect
  hosts:
    - "*.danielstechblog.de"
  http:
    - name: redirect
      redirect:
        redirectCode: 307
        scheme: https

A quick validation with the following curl command shows that the 307 redirect works.

❯ curl -sIL http://aks.danielstechblog.de
HTTP/1.1 307 Temporary Redirect
location: https://aks.danielstechblog.de/
date: Tue, 05 Dec 2023 21:12:52 GMT
server: istio-envoy
transfer-encoding: chunked

HTTP/2 200
date: Tue, 05 Dec 2023 21:12:52 GMT
content-length: 1487
content-type: text/html; charset=utf-8
x-envoy-upstream-service-time: 12
server: istio-envoy

Browser with debug tools - networking tab

Summary

We have to keep several things in mind for the 307 redirect implementation, and it might be that the built-in 301 redirect is enough for your use cases. So, you can go with that or with a few configuration changes using a custom redirect.

You can find the example configurations in my GitHub repository.

-> https://github.com/neumanndaniel/kubernetes/tree/master/istio-custom-redirect


Posted

in

WordPress Cookie Notice by Real Cookie Banner