Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cleartext redirection is not working (w/use_proxy_proto: true) #3125

Closed
DanTulovsky opened this issue Dec 29, 2020 · 7 comments
Closed

Cleartext redirection is not working (w/use_proxy_proto: true) #3125

DanTulovsky opened this issue Dec 29, 2020 · 7 comments

Comments

@DanTulovsky
Copy link

Hi,

Cleartext redirection doesn't seem to be working for me. The symptoms are the same as in this old issue.

Is this still broken by chance, or am I doing something wrong?

Thank you
Dan

Version: 1.9.1. All http:// requests get a 404, while all https:// ones work.

Mapping:

apiVersion: getambassador.io/v2
kind: Mapping
metadata:
  name: wetsnow.com
spec:
  prefix: /
  host: www.wetsnow.com
  resolver: endpoint
  service: nginx.web:80

Host:

apiVersion: getambassador.io/v2
kind: TLSContext
metadata:
  name: www.wetsnow.com-context # for the host above
spec:
  hosts:
  - "www.wetsnow.com"
  secret: www.wetsnow.com
  alpn_protocols: h2,http/1.1 # required for C# grpc client

curl request:

% curl -v -I http://www.wetsnow.com                                                                                                  
*   Trying 167.99.20.238...
* TCP_NODELAY set
* Connected to www.wetsnow.com (167.99.20.238) port 80 (#0)
> HEAD / HTTP/1.1
> Host: www.wetsnow.com
> User-Agent: curl/7.64.1
> Accept: */*
>
< HTTP/1.1 404 Not Found
HTTP/1.1 404 Not Found
< content-security-policy: frame-ancestors 'none'
content-security-policy: frame-ancestors 'none'
< content-type: text/html; charset=utf-8
content-type: text/html; charset=utf-8
< x-frame-options: deny
x-frame-options: deny
< date: Tue, 29 Dec 2020 04:06:40 GMT
date: Tue, 29 Dec 2020 04:06:40 GMT
< x-envoy-upstream-service-time: 0
x-envoy-upstream-service-time: 0
< x-content-type-options: nosniff
x-content-type-options: nosniff
< server: envoy
server: envoy
< transfer-encoding: chunked
transfer-encoding: chunked

Ambassador log line:

ACCESS [2020-12-29T04:06:40.893Z] "HEAD / HTTP/1.1" 404 - 0 0 1 0 "96.239.115.74" "curl/7.64.1" "f11b5605-de60-4cbf-b2da-1fe425c04b81" "www.wetsnow.com" "127.0.0.1:8500"

Match from diag screen:

{
    "match": {
        "case_sensitive": true,
        "headers": [
            {
                "exact_match": "www.wetsnow.com",
                "name": ":authority"
            }
        ],
        "prefix": "/",
        "runtime_fraction": {
            "default_value": {
                "denominator": "HUNDRED",
                "numerator": 100
            },
            "runtime_key": "routing.traffic_shift.cluster_nginx_web_80_default"
        }
    },
    "route": {
        "cluster": "cluster_nginx_web_80_default",
        "prefix_rewrite": "/",
        "priority": null,
        "timeout": "3.000s"
    }
}
@DanTulovsky
Copy link
Author

fyi, removing:

apiVersion: getambassador.io/v2
kind: TLSContext
metadata:
  name: www.wetsnow.com-context # for the host above
spec:
  hosts:
    - "www.wetsnow.com"
    - "wetsnow.com"
  secret: www.wetsnow.com
  alpn_protocols: h2,http/1.1 # required for C# grpc client

fixes the issue. But it does mean I can't set the custom alpn_protocols setting.

@kflynn
Copy link
Member

kflynn commented Dec 29, 2020

Hmmm. What do these three

curl https://www.wetsnow.com
curl http://www.wetsnow.com/
curl https://www.wetsnow.com/

do for you? Note the trailing slashes, as well as the scheme...

@DanTulovsky
Copy link
Author

DanTulovsky commented Dec 29, 2020 via email

@DanTulovsky
Copy link
Author

I'll leave it in the broken state in case you want to try some queries yourself...

@stale
Copy link

stale bot commented Mar 19, 2021

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@stale stale bot added the stale Issue is stale and will be closed label Mar 19, 2021
@ghostsquad
Copy link

Is this still stale? Is there an ongoing issue with proxy protocol and redirection? I'm asking because in this section of the docs, it's indicating that it is HTTP -> HTTPS redirection is not possible when terminating TLS at a L4 load balancer

https://www.getambassador.io/docs/edge-stack/latest/topics/running/ambassador-with-aws/#l4-load-balancer-default-elb-or-nlb

Because L4 load balancers do not set X-Forwarded headers, Ambassador Edge Stack will not be able to distinguish between traffic that came in to the load balancer as encrypted or cleartext. Because of this, HTTP -> HTTPS redirection is not possible when terminating TLS at a L4 load balancer.

But from this issue, it seems it is possible, or somewhat possible with some restrictions or gotchas or something?

@cindymullins-dw
Copy link
Contributor

@DanTulovsky , do you get the same behavior using a host resource vs using a TLSContext resource? This is an L7 load balancer, correct? Does the issue persist on 2.x versions?

@dosubot dosubot bot closed this as not planned Won't fix, can't repro, duplicate, stale Jul 1, 2024
@dosubot dosubot bot removed the stale Issue is stale and will be closed label Jul 1, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
4 participants
@DanTulovsky @ghostsquad @kflynn @cindymullins-dw