400 The plain HTTP request was sent to HTTPS port

After Deploy:

If we access it, we get the following:
```
curl -v https://XXXXXX.us-east-1.aws.XXXXXX.com/
* Host XXXXXX.us-east-1.aws.XXXXXX:443 was resolved.
* IPv6: (none)
* IPv4: 100.88.109.36, 100.88.109.235
* Trying 100.88.109.36:443...
* Connected to XXXXXX.us-east-1.aws.XXXXXX (100.88.109.36) port 443
* ALPN: curl offers h2,http/1.1
* (304) (OUT), TLS handshake, Client hello (1):
* CAfile: /etc/ssl/cert.pem
* CApath: none
* (304) (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / [blank] / UNDEF
* ALPN: server did not agree on a protocol. Uses default.
* Server certificate:
* subject: CN=XXXXXX.us-east-1.aws.xxxxx
* start date: Jul 15 00:00:00 2025 GMT
* expire date: Aug 13 23:59:59 2026 GMT
* subjectAltName: host "" matched cert's ""
* issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M03
* SSL certificate verify ok.
* using HTTP/1.x
> GET / HTTP/1.1
> Host:
> User-Agent: curl/8.7.1
> Accept: */*
>
* Request completely sent off
< HTTP/1.1 400 Bad Request
< Date: Wed, 16 Jul 2025 12:53:53 GMT
< Content-Type: text/html; charset=UTF-8
< Content-Length: 220
< Connection: close
< X-Kong-Response-Latency: 0
< Server: kong/3.9.1
< X-Kong-Request-Id: 20419857b079976fdf08346ef577ad62
<
400 The plain HTTP request was sent to HTTPS port

400 Bad Request

The plain HTTP request was sent to HTTPS port
* Closing connection
* TLSv1.2 (IN), TLS alert, close notify (256):
* TLSv1.2 (OUT), TLS alert, close notify (256):
```

Please check and give a suggestion for this issue.

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: keycloak-gateway
  namespace: demo
spec:
  gatewayClassName: kong
  listeners:
  - name: https
    port: 443
    protocol: HTTPS
    hostname: xxxxxx
    allowedRoutes:
      namespaces:
        from: All
    tls:
      mode: Terminate
      certificateRefs:
      - kind: Secret
        name: keycloak-ca
  - name: http
    port: 80
    protocol: HTTP
    hostname: xxxxxx
    allowedRoutes:
      namespaces:
        from: All
```


FIXED: HTTPRoute with correct service reference

```yaml
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: keycloak-main-route
  namespace: demo
spec:
  parentRefs:
  - name: keycloak-gateway
    namespace: demo # Cross-namespace Gateway reference
  hostnames:
  - sxxxxxx
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /
    backendRefs:
    - name: ss-ingress-service
      namespace: demo
      port: 8443
      weight: 1
```
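
A triage helper for the transcript above, as an added example that is not part of the original post: it reads a `curl -v` transcript and reports whether the "plain HTTP request was sent to HTTPS port" 400 came back after the client had completed a TLS handshake, which means a hop in front of the responding server terminated TLS and forwarded cleartext to a TLS listener. The function names and the trimmed sample transcript are constructed for illustration.

```python
import re

# Constructed sample: the deciding lines of the transcript in this post.
SAMPLE = """\
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256 / [blank] / UNDEF
* issuer: C=US; O=Amazon; CN=Amazon RSA 2048 M03
* SSL certificate verify ok.
> GET / HTTP/1.1
< HTTP/1.1 400 Bad Request
< Server: kong/3.9.1
400 The plain HTTP request was sent to HTTPS port
"""

PLAIN_ON_TLS = "The plain HTTP request was sent to HTTPS port"


def parse(transcript):
    """Extract the fields that show which hop produced the response."""
    def first(pattern):
        m = re.search(pattern, transcript, re.M)
        return m.group(1).strip() if m else None

    return {
        # Present whenever curl finished a handshake, with or without -k.
        "tls_ok": "SSL connection using" in transcript,
        "issuer": first(r"^\*\s+issuer:\s*(.+)$"),
        "status": first(r"^< HTTP/\S+ (\d{3})"),
        "server": first(r"^< Server:\s*(.+)$"),
        "plain_on_tls": PLAIN_ON_TLS in transcript,
    }


def diagnose(transcript):
    """Return (verdict, responding server, issuer of the certificate seen)."""
    f = parse(transcript)
    if f["status"] != "400" or not f["plain_on_tls"]:
        verdict = "other"
    elif f["tls_ok"]:
        # The client spoke TLS, so a hop in front of the responding server
        # terminated it and forwarded cleartext to a TLS-only listener.
        verdict = "tls-terminated-upstream"
    else:
        # No handshake in the transcript: the client itself sent http://
        # to the TLS port.
        verdict = "client-sent-plain-http"
    return verdict, f["server"], f["issuer"]


if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

The issuer in the result identifies the certificate the client actually saw, which can be compared with the certificate the Gateway's `certificateRefs` is expected to serve.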