AWS L7 ELB HTTP -> HTTPS redirection #1571
@kflynn This is the behavior I was seeing earlier. Below are the Envoy configs Ambassador generated before and after setting `x_forwarded_proto_redirect: true`. Before setting it: {
"@type": "/envoy.config.bootstrap.v2.Bootstrap",
"static_resources": {
"clusters": [
{
"connect_timeout": "3.000s",
"dns_lookup_family": "V4_ONLY",
"http2_protocol_options": {},
"lb_policy": "ROUND_ROBIN",
"load_assignment": {
"cluster_name": "cluster_127_0_0_1_8501",
"endpoints": [
{
"lb_endpoints": [
{
"endpoint": {
"address": {
"socket_address": {
"address": "127.0.0.1",
"port_value": 8501,
"protocol": "TCP"
}
}
}
}
]
}
]
},
"name": "cluster_127_0_0_1_8501",
"type": "STRICT_DNS"
},
{
"connect_timeout": "3.000s",
"dns_lookup_family": "V4_ONLY",
"lb_policy": "ROUND_ROBIN",
"load_assignment": {
"cluster_name": "cluster_127_0_0_1_8877",
"endpoints": [
{
"lb_endpoints": [
{
"endpoint": {
"address": {
"socket_address": {
"address": "127.0.0.1",
"port_value": 8877,
"protocol": "TCP"
}
}
}
}
]
}
]
},
"name": "cluster_127_0_0_1_8877",
"type": "STRICT_DNS"
},
{
"connect_timeout": "3.000s",
"dns_lookup_family": "V4_ONLY",
"lb_policy": "ROUND_ROBIN",
"load_assignment": {
"cluster_name": "cluster_NoTaReAlSeRvIcE",
"endpoints": [
{
"lb_endpoints": [
{
"endpoint": {
"address": {
"socket_address": {
"address": "notarealservice",
"port_value": 80,
"protocol": "TCP"
}
}
}
}
]
}
]
},
"name": "cluster_NoTaReAlSeRvIcE",
"type": "STRICT_DNS"
},
{
"connect_timeout": "3.000s",
"dns_lookup_family": "V4_ONLY",
"http2_protocol_options": {},
"lb_policy": "ROUND_ROBIN",
"load_assignment": {
"cluster_name": "cluster_extauth_127_0_0_1_8500",
"endpoints": [
{
"lb_endpoints": [
{
"endpoint": {
"address": {
"socket_address": {
"address": "127.0.0.1",
"port_value": 8500,
"protocol": "TCP"
}
}
}
}
]
}
]
},
"name": "cluster_extauth_127_0_0_1_8500",
"type": "STRICT_DNS"
},
{
"connect_timeout": "3.000s",
"dns_lookup_family": "V4_ONLY",
"lb_policy": "ROUND_ROBIN",
"load_assignment": {
"cluster_name": "cluster_httpbin_org_80",
"endpoints": [
{
"lb_endpoints": [
{
"endpoint": {
"address": {
"socket_address": {
"address": "httpbin.org",
"port_value": 80,
"protocol": "TCP"
}
}
}
}
]
}
]
},
"name": "cluster_httpbin_org_80",
"type": "STRICT_DNS"
},
{
"connect_timeout": "3.000s",
"dns_lookup_family": "V4_ONLY",
"lb_policy": "ROUND_ROBIN",
"load_assignment": {
"cluster_name": "cluster_qotm",
"endpoints": [
{
"lb_endpoints": [
{
"endpoint": {
"address": {
"socket_address": {
"address": "qotm",
"port_value": 80,
"protocol": "TCP"
}
}
}
}
]
}
]
},
"name": "cluster_qotm",
"type": "STRICT_DNS"
}
],
"listeners": [
{
"address": {
"socket_address": {
"address": "0.0.0.0",
"port_value": 8080,
"protocol": "TCP"
}
},
"filter_chains": [
{
"filters": [
{
"config": {
"access_log": [
{
"config": {
"format": "ACCESS [%START_TIME%] \"%REQ(:METHOD)% %REQ(X-ENVOY-ORIGINAL-PATH?:PATH)% %PROTOCOL%\" %RESPONSE_CODE% %RESPONSE_FLAGS% %BYTES_RECEIVED% %BYTES_SENT% %DURATION% %RESP(X-ENVOY-UPSTREAM-SERVICE-TIME)% \"%REQ(X-FORWARDED-FOR)%\" \"%REQ(USER-AGENT)%\" \"%REQ(X-REQUEST-ID)%\" \"%REQ(:AUTHORITY)%\" \"%UPSTREAM_HOST%\"\n",
"path": "/dev/fd/1"
},
"name": "envoy.file_access_log"
}
],
"http_filters": [
{
"config": {},
"name": "envoy.grpc_web"
},
{
"config": {
"grpc_service": {
"envoy_grpc": {
"cluster_name": "cluster_extauth_127_0_0_1_8500"
},
"timeout": "5.000s"
},
"use_alpha": true
},
"name": "envoy.ext_authz"
},
{
"config": {
"domain": "ambassador",
"rate_limit_service": {
"grpc_service": {
"envoy_grpc": {
"cluster_name": "cluster_127_0_0_1_8501"
}
}
},
"request_type": "both",
"timeout": "0.020s"
},
"name": "envoy.rate_limit"
},
{
"name": "envoy.cors"
},
{
"name": "envoy.router"
}
],
"http_protocol_options": {
"accept_http_10": false
},
"normalize_path": true,
"route_config": {
"virtual_hosts": [
{
"domains": [
"*"
],
"name": "backend",
"routes": [
{
"match": {
"case_sensitive": true,
"prefix": "/ambassador/v0/check_ready"
},
"route": {
"prefix_rewrite": "/ambassador/v0/check_ready",
"priority": null,
"rate_limits": [
{
"actions": [
{
"request_headers": {
"descriptor_key": "x_limited_user",
"header_name": "x-limited-user"
}
}
],
"stage": 0
}
],
"timeout": "10.000s",
"weighted_clusters": {
"clusters": [
{
"name": "cluster_127_0_0_1_8877",
"weight": 100
}
]
}
}
},
{
"match": {
"case_sensitive": true,
"prefix": "/ambassador/v0/check_alive"
},
"route": {
"prefix_rewrite": "/ambassador/v0/check_alive",
"priority": null,
"rate_limits": [
{
"actions": [
{
"request_headers": {
"descriptor_key": "x_limited_user",
"header_name": "x-limited-user"
}
}
],
"stage": 0
}
],
"timeout": "10.000s",
"weighted_clusters": {
"clusters": [
{
"name": "cluster_127_0_0_1_8877",
"weight": 100
}
]
}
}
},
{
"match": {
"case_sensitive": true,
"prefix": "/httpbin-limited/"
},
"route": {
"host_rewrite": "httpbin.org",
"prefix_rewrite": "/",
"priority": null,
"rate_limits": [
{
"actions": [
{
"request_headers": {
"descriptor_key": "x_limited_user",
"header_name": "x-limited-user"
}
}
],
"stage": 0
}
],
"timeout": "3.000s",
"weighted_clusters": {
"clusters": [
{
"name": "cluster_httpbin_org_80",
"weight": 100
}
]
}
}
},
{
"match": {
"case_sensitive": true,
"prefix": "/ambassador/v0/"
},
"route": {
"prefix_rewrite": "/ambassador/v0/",
"priority": null,
"rate_limits": [
{
"actions": [
{
"request_headers": {
"descriptor_key": "x_limited_user",
"header_name": "x-limited-user"
}
}
],
"stage": 0
}
],
"timeout": "10.000s",
"weighted_clusters": {
"clusters": [
{
"name": "cluster_127_0_0_1_8877",
"weight": 100
}
]
}
}
},
{
"match": {
"case_sensitive": true,
"prefix": "/qotm/open/"
},
"route": {
"prefix_rewrite": "/",
"priority": null,
"rate_limits": [
{
"actions": [
{
"request_headers": {
"descriptor_key": "x_limited_user",
"header_name": "x-limited-user"
}
}
],
"stage": 0
}
],
"timeout": "3.000s",
"weighted_clusters": {
"clusters": [
{
"name": "cluster_qotm",
"weight": 100
}
]
}
}
},
{
"match": {
"case_sensitive": true,
"prefix": "/httpbin/"
},
"route": {
"host_rewrite": "httpbin.org",
"prefix_rewrite": "/",
"priority": null,
"rate_limits": [
{
"actions": [
{
"request_headers": {
"descriptor_key": "x_limited_user",
"header_name": "x-limited-user"
}
},
{
"remote_address": {}
}
],
"stage": 0
}
],
"timeout": "3.000s",
"weighted_clusters": {
"clusters": [
{
"name": "cluster_httpbin_org_80",
"weight": 100
}
]
}
}
},
{
"match": {
"case_sensitive": true,
"prefix": "/callback"
},
"route": {
"prefix_rewrite": "/",
"priority": null,
"rate_limits": [
{
"actions": [
{
"request_headers": {
"descriptor_key": "x_limited_user",
"header_name": "x-limited-user"
}
}
],
"stage": 0
}
],
"timeout": "3.000s",
"weighted_clusters": {
"clusters": [
{
"name": "cluster_NoTaReAlSeRvIcE",
"weight": 100
}
]
}
}
}
]
}
]
},
"server_name": "envoy",
"stat_prefix": "ingress_http",
"use_remote_address": true,
"xff_num_trusted_hops": 0
},
"name": "envoy.http_connection_manager"
}
],
"use_proxy_proto": true
}
],
"name": "ambassador-listener-8080"
}
]
}
} After setting `x_forwarded_proto_redirect: true`, the clusters are unchanged but the listener collapses to the single redirect listener below. Note that it listens on port 8443 without any TLS context (so behind the ELB it is still plain HTTP), its only route matches `prefix: "/"` and always answers with an `https_redirect`, and it still carries `use_remote_address: true` with `xff_num_trusted_hops: 0`: {
"@type": "/envoy.config.bootstrap.v2.Bootstrap",
"static_resources": {
"clusters": [
{
"connect_timeout": "3.000s",
"dns_lookup_family": "V4_ONLY",
"http2_protocol_options": {},
"lb_policy": "ROUND_ROBIN",
"load_assignment": {
"cluster_name": "cluster_127_0_0_1_8501",
"endpoints": [
{
"lb_endpoints": [
{
"endpoint": {
"address": {
"socket_address": {
"address": "127.0.0.1",
"port_value": 8501,
"protocol": "TCP"
}
}
}
}
]
}
]
},
"name": "cluster_127_0_0_1_8501",
"type": "STRICT_DNS"
},
{
"connect_timeout": "3.000s",
"dns_lookup_family": "V4_ONLY",
"lb_policy": "ROUND_ROBIN",
"load_assignment": {
"cluster_name": "cluster_127_0_0_1_8877",
"endpoints": [
{
"lb_endpoints": [
{
"endpoint": {
"address": {
"socket_address": {
"address": "127.0.0.1",
"port_value": 8877,
"protocol": "TCP"
}
}
}
}
]
}
]
},
"name": "cluster_127_0_0_1_8877",
"type": "STRICT_DNS"
},
{
"connect_timeout": "3.000s",
"dns_lookup_family": "V4_ONLY",
"lb_policy": "ROUND_ROBIN",
"load_assignment": {
"cluster_name": "cluster_NoTaReAlSeRvIcE",
"endpoints": [
{
"lb_endpoints": [
{
"endpoint": {
"address": {
"socket_address": {
"address": "notarealservice",
"port_value": 80,
"protocol": "TCP"
}
}
}
}
]
}
]
},
"name": "cluster_NoTaReAlSeRvIcE",
"type": "STRICT_DNS"
},
{
"connect_timeout": "3.000s",
"dns_lookup_family": "V4_ONLY",
"http2_protocol_options": {},
"lb_policy": "ROUND_ROBIN",
"load_assignment": {
"cluster_name": "cluster_extauth_127_0_0_1_8500",
"endpoints": [
{
"lb_endpoints": [
{
"endpoint": {
"address": {
"socket_address": {
"address": "127.0.0.1",
"port_value": 8500,
"protocol": "TCP"
}
}
}
}
]
}
]
},
"name": "cluster_extauth_127_0_0_1_8500",
"type": "STRICT_DNS"
},
{
"connect_timeout": "3.000s",
"dns_lookup_family": "V4_ONLY",
"lb_policy": "ROUND_ROBIN",
"load_assignment": {
"cluster_name": "cluster_httpbin_org_80",
"endpoints": [
{
"lb_endpoints": [
{
"endpoint": {
"address": {
"socket_address": {
"address": "httpbin.org",
"port_value": 80,
"protocol": "TCP"
}
}
}
}
]
}
]
},
"name": "cluster_httpbin_org_80",
"type": "STRICT_DNS"
},
{
"connect_timeout": "3.000s",
"dns_lookup_family": "V4_ONLY",
"lb_policy": "ROUND_ROBIN",
"load_assignment": {
"cluster_name": "cluster_qotm",
"endpoints": [
{
"lb_endpoints": [
{
"endpoint": {
"address": {
"socket_address": {
"address": "qotm",
"port_value": 80,
"protocol": "TCP"
}
}
}
}
]
}
]
},
"name": "cluster_qotm",
"type": "STRICT_DNS"
}
],
"listeners": [
{
"address": {
"socket_address": {
"address": "0.0.0.0",
"port_value": "8443",
"protocol": "TCP"
}
},
"filter_chains": [
{
"filters": [
{
"config": {
"access_log": null,
"http_filters": [
{
"name": "envoy.router"
}
],
"http_protocol_options": {
"accept_http_10": false
},
"normalize_path": true,
"route_config": {
"virtual_hosts": [
{
"domains": [
"*"
],
"name": "backend",
"require_tls": "EXTERNAL_ONLY",
"routes": [
{
"match": {
"prefix": "/"
},
"redirect": {
"https_redirect": true,
"path_redirect": "/"
}
}
]
}
]
},
"server_name": "envoy",
"stat_prefix": "ingress_http",
"use_remote_address": true,
"xff_num_trusted_hops": 0
},
"name": "envoy.http_connection_manager"
}
],
"use_proxy_proto": true
}
],
"name": "redirect_listener"
}
]
}
}
Also seeing the same issue. Using an older version of Ambassador in the meantime.
Seeing the same issue on version 0.70.1.
@containscafeine I think I have found where the issue is. If you look at https://github.com/datawire/ambassador/blob/030d897cafa65e592eb3438b391310b6d900986d/ambassador/ambassador/envoy/v2/v2listener.py#L452 you can see that the default route set for the listener is an unconditional `https_redirect` (the inline snippet was lost when this comment was rendered; it matches the `redirect` block in the second config above).
This default route is an infinite redirect loop: the Envoy `https_redirect` action unconditionally rewrites the scheme of the URL to https and redirects to it, even when the request already arrived as https, and because the match is `prefix: "/"` it catches every request. The next issue is that if you set require TLS, that default route is the only route that gets added to the listener (see the if statement at https://github.com/datawire/ambassador/blob/master/ambassador/ambassador/envoy/v2/v2listener.py#L477), so you never get any routes to the services you have described in the annotations — only the default route with the redirect loop. I would have thought you would still build the routes in the else branch and drop the redirect from the default route. I wasn't sure whether there was another reason the config is set up this way, since it is a redirect listener, and I didn't know what impact changing these settings would have, so I hope this comment makes sense and is okay. I have attached two Envoy configs generated from the initial configuration in this issue: one with `x_forwarded_proto_redirect` set to false (x_forwarded_proto_redirect.false.envoy.json.txt) and one with it set to true.
This commit fixes a bug where setting the Ambassador module config `x_forwarded_proto_redirect` to true generated a configuration that caused an infinite redirect loop. The main cause was that with `x_forwarded_proto_redirect` set to true Ambassador only created an Envoy listener with the default route, rather than also appending the custom routes specified in the Kubernetes service annotations. The default route no longer contains a redirect that performs an [https_redirect](https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/route/route.proto#route-redirectaction), because that action substitutes the scheme portion of the URL with https and redirects to the resulting URL even when the scheme was already https, causing an infinite loop of redirects. Removed the check for `listener.redirect_listener` before building the routes, so the routes are always built and the default route is overwritten when routes have been defined, whether or not `listener.redirect_listener` is set. Added a condition so that `self.require_tls = None` is only set when `listener.redirect_listener` is not set. This means Ambassador now adds `"require_tls": "EXTERNAL_ONLY"` to the Envoy virtual host when the Ambassador module `x_forwarded_proto_redirect` is set to true, redirecting every request Envoy considers external (one that did not arrive with `X-Forwarded-Proto: https`) to https. Corrects issue: emissary-ingress#1571
This commit fixes a bug where setting the Ambassador module config `x_forwarded_proto_redirect` to true generated a configuration that caused an infinite redirect loop. The main cause was that with `x_forwarded_proto_redirect` set to true Ambassador only created an Envoy listener with the default route, rather than also appending the custom routes specified in the Kubernetes service annotations. The default route no longer contains a redirect that performs an [https_redirect](https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/route/route.proto#route-redirectaction), because that action substitutes the scheme portion of the URL with https and redirects to the resulting URL even when the scheme was already https, causing an infinite loop of redirects. Removed the check for `listener.redirect_listener` before building the routes, so the routes are always built and the default route is overwritten when routes have been defined, whether or not `listener.redirect_listener` is set. Added a condition so that `self.require_tls = None` is only set when `listener.redirect_listener` is not set. This means Ambassador now adds `"require_tls": "EXTERNAL_ONLY"` to the Envoy virtual host when the Ambassador module `x_forwarded_proto_redirect` is set to true, redirecting every request Envoy considers external (one that did not arrive with `X-Forwarded-Proto: https`) to https. Corrects issue: #1571
This commit fixes a bug where setting the Ambassador module config `x_forwarded_proto_redirect` to true generated a configuration that caused an infinite redirect loop. The main cause was that with `x_forwarded_proto_redirect` set to true Ambassador only created an Envoy listener with the default route, rather than also appending the custom routes specified in the Kubernetes service annotations. The default route no longer contains a redirect that performs an [https_redirect](https://www.envoyproxy.io/docs/envoy/latest/api-v2/api/v2/route/route.proto#route-redirectaction), because that action substitutes the scheme portion of the URL with https and redirects to the resulting URL even when the scheme was already https, causing an infinite loop of redirects. Removed the check for `listener.redirect_listener` before building the routes, so the routes are always built and the default route is overwritten when routes have been defined, whether or not `listener.redirect_listener` is set. Added a condition so that `self.require_tls = None` is only set when `listener.redirect_listener` is not set. This means Ambassador now adds `"require_tls": "EXTERNAL_ONLY"` to the Envoy virtual host when the Ambassador module `x_forwarded_proto_redirect` is set to true, redirecting every request Envoy considers external (one that did not arrive with `X-Forwarded-Proto: https`) to https. Corrects issue: #1571
Fixed in 0.72.
This commit replaces the current JSON-based communication between the `edgectl` client and daemon processes with a gRPC based API. The API description and the files generated from it lives in the package `internal/pkg/edgectl/rpc`. The commit also separates the files belonging to the client and daemon into two corresponding packages. The client package contains all code pertaining to CLI and presentation details and daemon no longer produces anything directly intended for the user (aside from logging to the logfile). Closes #1571
Describe the bug
When using an AWS L7 ELB to terminate TLS, Ambassador gets stuck in a 301 redirect loop. With `x_forwarded_proto_redirect: true` every request is redirected again and again; with `x_forwarded_proto_redirect: false` both http and https work correctly (but nothing redirects http to https). A note for anyone relying on this redirect: `require_tls: EXTERNAL_ONLY` decides whether a request is "external" from the `X-Forwarded-Proto` request header, so it can only work if Envoy trusts that header from the ELB hop. As far as I can tell, with `use_remote_address: true` and `xff_num_trusted_hops: 0` (which is what the generated configs posted in this thread contain) Envoy overwrites `X-Forwarded-Proto` with the scheme of its own downstream connection, which is plain http behind an L7 ELB — so every request looks external, regardless of what the ELB sent. Conversely, once the header is trusted, any client that can reach Envoy directly can send `X-Forwarded-Proto: https` to skip the redirect, so treat this as a convenience redirect rather than a security control and make sure only the ELB can reach the Ambassador pods.
To Reproduce
Config for the gateway and example app, presuming you already have the RBAC and service accounts set up for Ambassador.
Expected behavior
When you visit http://{{ nginx-hello.example.com }} you should be redirected once to https://{{ nginx-hello.example.com }}.
Versions (please complete the following information):
Additional context
Ambassador debug output
chrome-output.txt