Redirecting HTTP to HTTPS

Hi,

I have a working setup on GKE. Kong-ingress-controller 0.3 and Kong-proxy 1.0.0.

My last step is to setup HTTP so that clients (browser in this case) are always redirected to HTTPS. Both http and https work separately, but I would like to “disable” http by doing the redirect thing.

I have created ingress for my service with the following annotations (I tried my luck with force-ssl-redirect that should work with nginx, but it didn’t work for kong):

annotations:
  kubernetes.io/ingress.class:"kong"
  kong.ingress.kubernetes.io/force-ssl-redirect: "true"
  configuration.konghq.com: "kong-configuration"

I don’t see anything redirect related options in KongIngress (“kong-configuration” that I am referring from this ingress, and trying to explore things)

What is the proper way to setup http -> https redirect. Maybe using plugins? which one?

kong.ingress.kubernetes.io/force-ssl-redirect annotation is no supported by Kong Ingress as it’s not a standard annotation.

You can use Request termination plugin in Kong to send back a 302 HTTPS redirect for any plaintext request.

Please mark the post as resolved if this helps you, thanks!

Hi hbagdi,

I’m also having some trouble with this too. I just want to be sure if this is the correct configuration:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
    name: redirect-https
    namespace: kong
config:
     status_code : 302
plugin: request-termination

Thank you in advance!
Tarek M.

@hbagdi Bump on this thread. I would also like to force all HTTP requests to HTTPS for some of my services. Is using the Request Termination plugin the recommended approach for this behavior? If so, can you provide a sample configuration for the plugin?

1 Like

You could apply the following plugin for SSL redirect:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: https-redirect
plugin: pre-function
config:
  functions:
  - |
    local forwarded_host = ngx.var.http_x_forwarded_host  or ngx.var.host
    ngx.header["Location"] = "https://" .. forwarded_host .. ngx.var.request_uri
    return kong.response.exit(302)

Please apply this plugin on an Ingress which accepts all paths and all hosts on the http protocol.

If this solves your problem, please mark the post as resolved, thank you!

Thanks. I’m giving this a try now and my endpoint is in a redirect loop. The http request gets 302 redirected to https, but then all https requests still get 302ed as well.

My bad, the plugin shouldn’t be applied globally, but on a route which accepts only HTTP traffic.

Which route have you applied this plugin to?

What do you mean by “not a standard annotation?” Having to add a plugin for this functionality means having to supplement anything you are installing via the curated helm charts.

@hbagdi I’m applying the plugin to a specific ingress that has TLS terminated at a load balancer in front of Kong. So I want Kong to redirect http -> https and then pass through the https requests.

@miles You want to look at KongIngress Custom Resource.
You should create an Ingress resource which accepts all hosts and / path and proxy it to a dummy upstream service (which will actually never receive any traffic). Then, you annotate the Ingress with a KongIngress resource, which sets route.protocols to http only. This creates a route in Kong which accepts all http traffic, and this is the route to which you apply the above plugin, and then you will not have a redirect loop.

Hope this helps.

Hello @greg,
ingress.kubernetes.io/force-ssl-redirect: "true" is not standardized by k8s community but we are seeing it proliferating now. We don’t currently support it but might consider adding it in future. Please consider opening a Github issue for a feature request if you’d like to.

i try with pre-function as mention here and it work ok.
just add pre-function plugin and submit this code:

local scheme = kong.request.get_scheme()
if scheme == "http" then
  local host = kong.request.get_host()
  local query = kong.request.get_path_with_query()
  local url = "https://" .. host ..query
  kong.response.set_header("Location",url)
  return kong.response.exit(302,url)
end
2 Likes

Happy to see @hbinduni’s solution for this.

To share an update and for others who stumble across this, with https://github.com/Kong/kong/pull/4424 merged in, Kong 1.2 comes with support for sending HTTPS redirect out of the box in Kong and Kong Ingress Controller will be updated to use that in future, which shall make HTTP to HTTPS redirection much simpler.

2 Likes

Now that I setup new environment I can test this (I found other solution earlier). I see that @hbinduni solution works. Complete KongPlugin manifest:

apiVersion: configuration.konghq.com/v1
kind: KongPlugin
metadata:
  name: https-redirect
plugin: pre-function
config:
  functions:
  - |
    local scheme = kong.request.get_scheme()
    if scheme == "http" then
      local host = kong.request.get_host()
      local query = kong.request.get_path_with_query()
      local url = "https://" .. host ..query
      kong.response.set_header("Location",url)
      return kong.response.exit(302,url)
    end

And apply the plugin to your existing ingresses. (All hosts dummy ingress did not work for me, probably playing with path priority would have fixed it). E.g. of using redirect with an ingress

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: my-app
  annotations:
    kubernetes.io/ingress.class: "kong"
    # this is my extra configs for the ingress
    configuration.konghq.com: "ingress-configuration"
    plugins.konghq.com: https-redirect
spec: <your-spec-here>

@alexjantunen. Hi, Can you please share an example of this line

`local url = "https://" .. host ..query`

For example If i have an Ingress aplicacion.linuxrocks.com that resolve to http:// but I need to be redirect to https://aplicacion.linuxrocks.com , on the line above what should I write.

Thanks in advance.

Update on my last question, I discover asking over the slack #kong room, that the code needs no modification to be able to redirect.

So I create the kongPlugin & update the Kubernetes Ingress with the code, the url get redirected.

Thanks to @alexjantunen + @hbagdi for the response over Slack.