Proxy Protocol Causes Issues with Cleartext Redirection in 0.50.0

[iNoahNothing]

Describe the bug
When enabling http -> https redirection in the tls module with redirect_cleartext_from: 80, there appears to be an issue that comes up when use_proxy_proto: true is set in the ambassador Module and the LB is enabling proxy protocol.

HTTPS requests work perfectly fine but http requests return a 400 instead of a 301 redirect to https.

To Reproduce

1. Enable proxy protocol in LB configurations

  annotations:
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: "tcp"
    service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"

2. Set use_proxy_proto: true in ambassador Module:

      ---
      apiVersion: ambassador/v0
      kind:  Module
      name:  ambassador
      config:
        use_remote_address: true
        use_proxy_proto: true

3. Terminate TLS at Ambassador and enabled redirect_cleartext_from: 80:

      ---
      apiVersion: ambassador/v0
      kind: Module
      name: tls
      config:
        server:
          enabled: true
          redirect_cleartext_from: 80
          secret: domain1-cert

4. Request over https route correctly, http requests return a 400.

When you remove service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" and use_proxy_proto: true, http redirects correctly.

Versions (please complete the following information):

• Ambassador: 0.50.0
• Kubernetes environment EKS
• Version 1.11.1

Additional context
This has existed in all versions of 0.50.0

[iNoahNothing]

Update. If you are terminating TLS at the ELB, setting the service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*" annotation causes a 400 for all requests.

Ambassador logs this access log: ACCESS [2019-01-16T15:21:06.919Z] "- - HTTP/1.1" 0 - 0 0 0 - "-" "-" "-" "-" "-"

[concaf]

Quick update, this fails because use_proxy_proto is not set in the redirect listener. The fix is done, adding tests and it should be good to go.

[concaf]

Should be fixed in #1132 #1133, @nbkrause can you confirm?

[iNoahNothing]

Can confirm. This has been fixed on master.

[concaf]

Thanks :)

[kflynn]

Leaving in "done" instead of "closed" because we haven't shipped it yet...

[kflynn]

Fixed in RC6

[DanTulovsky]

This is still not working for me in 1.9.1. All http:// requests get a 404, while all https:// ones work.

Mapping:

apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: wetsnow.com
spec:
  prefix: /
  host: www.wetsnow.com
  resolver: endpoint
  service: nginx.web:80

Host:

apiVersion: getambassador.io/v2
kind: TLSContext
metadata:
  name: www.wetsnow.com-context # for the host above
spec:
  hosts:
  - "www.wetsnow.com"
  secret: www.wetsnow.com
  alpn_protocols: h2,http/1.1 # required for C# grpc client

curl request:

% curl -v -I http://www.wetsnow.com                                                                                                  
*   Trying 167.99.20.238...
* TCP_NODELAY set
* Connected to www.wetsnow.com (167.99.20.238) port 80 (#0)
> HEAD / HTTP/1.1
> Host: www.wetsnow.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< content-security-policy: frame-ancestors 'none'
content-security-policy: frame-ancestors 'none'
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< x-frame-options: deny
x-frame-options: deny
< date: Tue, 29 Dec 2020 04:06:40 GMT
date: Tue, 29 Dec 2020 04:06:40 GMT
< x-envoy-upstream-service-time: 0
x-envoy-upstream-service-time: 0
< x-content-type-options: nosniff
x-content-type-options: nosniff
< server: envoy
server: envoy
< transfer-encoding: chunked
transfer-encoding: chunked

Ambassador log line:

ACCESS [2020-12-29T04:06:40.893Z] "HEAD / HTTP/1.1" 404 - 0 0 1 0 "96.239.115.74" "curl/7.64.1" "f11b5605-de60-4cbf-b2da-1fe425c04b81" "www.wetsnow.com" "127.0.0.1:8500"

Match from diag screen:

{
    "match": {
        "case_sensitive": true,
        "headers": [
            {
                "exact_match": "www.wetsnow.com",
                "name": ":authority"
            }
        ],
        "prefix": "/",
        "runtime_fraction": {
            "default_value": {
                "denominator": "HUNDRED",
                "numerator": 100
            },
            "runtime_key": "routing.traffic_shift.cluster_nginx_web_80_default"
        }
    },
    "route": {
        "cluster": "cluster_nginx_web_80_default",
        "prefix_rewrite": "/",
        "priority": null,
        "timeout": "3.000s"
    }
}