Cannot redirect https with prefix path. #8595

Closed
vmpowercli opened this issue May 16, 2022 · 7 comments

vmpowercli commented May 16, 2022

Kubernetes version :

Client Version: version.Info{Major:"1", Minor:"22", GitVersion:"v1.22.4", GitCommit:"b695d79d4f967c403a96986f1750a35eb75e75f1", GitTreeState:"clean", BuildDate:"2021-11-17T15:48:33Z", GoVersion:"go1.16.10", Compiler:"gc", Platform:"windows/amd64"}
Server Version: version.Info{Major:"1", Minor:"22+", GitVersion:"v1.22.6-eks-14c7a48", GitCommit:"35f06c94ad99b78216a3d8e55e04734a85da3f7b", GitTreeState:"clean", BuildDate:"2022-04-01T03:18:05Z", GoVersion:"go1.16.12", Compiler:"gc", Platform:"linux/amd64"}

Environment:

AWS:
Install tools:
AWS EKS Cluster: 1.22

Nginx-Ingress Version
k8s.gcr.io/ingress-nginx/controller:v1.1.3@sha256:31f47c1e202b39fadecf822a9b76370bd4baed199a005b3e7d4d1455f4fd3fe2

Problem:

I am running Nginx ingress inside one of our EKS clusters and earlier had an issue with the http-->https redirect, as we are terminating SSL at the NLB. I was able to get it fixed using the method listed in this ticket https://github.com/kubernetes/ingress-nginx/issues/2724 (Thanks to @Ariseaz)

However, along with the https redirect we want to append a path and redirect, which is not working. Here are some methods I have tried so far.

The container webpage is serving paths /coffee and /tea

http://cafe.com ------> https://cafe.com ## This works because of the http --> https redirection
http://cafe.com/tea -----> https://cafe.com/tea ## This works
http://cafe.com/coffee -----> https://cafe.com/coffee ## This works

Now when I want to redirect https://cafe.com to https://cafe/coffee it does not work.

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-example
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      if ($host = "https://cafe.com") {
          return 301 https://$host$request_uri/coffee;
        }     
    #nginx.ingress.kubernetes.io/rewrite-target: /
    #nginx.ingress.kubernetes.io/configuration-snippet: |
    #    rewrite ^(/coffee)$ $1/ permanent;    
        
spec:
  ingressClassName: internal-nginx
  rules:
  - host: cafe.com
    http:
      paths:
      - path: /tea
        pathType: Prefix
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee
        pathType: Prefix
        backend:
          service:
            name: coffee-svc
            port:
              number: 80

Output:

curl -I http://cafe.com
HTTP/1.1 308 Permanent Redirect
Date: Mon, 16 May 2022 18:20:11 GMT
Content-Type: text/html
Content-Length: 164
Connection: keep-alive
Location: https://cafe.com/

curl -I https://cafe.com
HTTP/1.1 404 Not Found
Date: Mon, 16 May 2022 18:20:20 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive

I was able to get this to work using ALB by using the annotations, and I am trying to simulate the same thing with nginx ingress

alb.ingress.kubernetes.io/ssl-redirect: '443' ### This is to redirect http ----> https

alb.ingress.kubernetes.io/actions.svc-cafe: >
      {"Type":"redirect","RedirectConfig":{"Path":"/coffee","Protocol":"HTTPS", "Port": "443","StatusCode":"HTTP_301"}} ## This is to append /coffee to hostname and redirect ( https://cafe.com ---> https://cafe.com/coffee)

Any help is much appreciated

Thank you
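
Added example, not part of the original post: a small Python model of how nginx would evaluate the posted `server-snippet`, assuming `$host` holds only the bare host name and that a server-level snippet runs for every request to that server block. `rule_host_only` and `rule_root_only` are hypothetical variants written for comparison; they do not come from the thread.

```python
from urllib.parse import urlsplit

def nginx_vars(url):
    """Model the two nginx variables the snippet uses for a request to `url`."""
    parts = urlsplit(url)
    request_uri = parts.path or "/"
    if parts.query:
        request_uri += "?" + parts.query
    # $host is the bare host name: no scheme, no port.
    return {"host": parts.hostname, "request_uri": request_uri}

# Each rule returns a Location value, or None when the request falls
# through to normal location matching.
def rule_as_posted(v):
    # if ($host = "https://cafe.com") { return 301 https://$host$request_uri/coffee; }
    if v["host"] == "https://cafe.com":
        return f"https://{v['host']}{v['request_uri']}/coffee"
    return None

def rule_host_only(v):
    # Hypothetical variant: scheme dropped from the comparison, return unchanged.
    if v["host"] == "cafe.com":
        return f"https://{v['host']}{v['request_uri']}/coffee"
    return None

def rule_root_only(v):
    # Hypothetical variant: fire only on the bare root, redirect to a fixed path.
    if v["request_uri"] == "/":
        return f"https://{v['host']}/coffee"
    return None

def follow(url, rule, max_hops=5):
    """Return the URLs visited; stops when the rule no longer fires."""
    chain = [url]
    while len(chain) <= max_hops:
        target = rule(nginx_vars(chain[-1]))
        if target is None:
            break
        chain.append(target)
    return chain

if __name__ == "__main__":
    for rule in (rule_as_posted, rule_host_only, rule_root_only):
        print(rule.__name__, follow("https://cafe.com", rule))
```

In this model the posted condition never fires, the host-only variant keeps appending `/coffee` until the hop limit, and the root-only variant redirects once and stops.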

vmpowercli added the kind/bug label May 16, 2022
k8s-ci-robot added the needs-triage label May 16, 2022
@k8s-ci-robot
Contributor

@vmpowercli: This issue is currently awaiting triage.

If Ingress contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@longwuyuan
Contributor

/remove-kind bug
Post the live data like:

  • kubectl -n ingress-nginx get all all
  • kubectl get ing -A
  • kubectl get ing <ingressname> -o yaml
  • entire curl -v command and its response
  • The complete logs of the ingress-controller pod

Please format the data you post for markdown.
After you have posted all data, please feel free to re-open the issue.

/close

k8s-ci-robot added the needs-kind label and removed the kind/bug label May 16, 2022
@k8s-ci-robot
Contributor

@longwuyuan: Closing this issue.


@vmpowercli
Author

Apologies for the format.

$ kubectl get all -n internal-nginx

NAME                                                           READY   STATUS    RESTARTS   AGE
pod/internal-nginx-ingress-nginx-controller-5b478d5d7f-mmjtr   1/1     Running   0          47h

NAME                                                        TYPE           CLUSTER-IP      EXTERNAL-IP                                   PORT(S)                      AGE
service/internal-nginx-ingress-nginx-controller-admission   ClusterIP      10.100.23.64    <none>                                        443/TCP                      38d
service/internal-nginx-ingress-nginx-controller-internal    LoadBalancer   10.100.143.30   xxxxxxxxxxxxxxx.elb.us-east-1.amazonaws.com   80:31551/TCP,443:30828/TCP   38d

NAME                                                      READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/internal-nginx-ingress-nginx-controller   1/1     1            1           38d

NAME                                                                 DESIRED   CURRENT   READY   AGE
replicaset.apps/internal-nginx-ingress-nginx-controller-5b478d5d7f   1         1         1       38d
replicaset.apps/internal-nginx-ingress-nginx-controller-85ff9f6466   0         0         0       38d

Nginx Configmap

$ kubectl describe  configmap internal-nginx-ingress-nginx-controller -n internal-nginx
Name:         internal-nginx-ingress-nginx-controller
Namespace:    internal-nginx
Labels:       app.kubernetes.io/component=controller
              app.kubernetes.io/instance=internal-nginx
              app.kubernetes.io/managed-by=Helm
              app.kubernetes.io/name=ingress-nginx
              app.kubernetes.io/part-of=ingress-nginx
              app.kubernetes.io/version=1.1.3
              helm.sh/chart=ingress-nginx-4.0.19
Annotations:  meta.helm.sh/release-name: internal-nginx
              meta.helm.sh/release-namespace: internal-nginx

Data
====
server-snippet:
----
listen 8000;
if ( $server_port = 80 ) { return 308 https://$host$request_uri; }

ssl-redirect:
----
false

BinaryData
====

Events:  <none>

Ingress file

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cafe-example
  annotations:
    nginx.ingress.kubernetes.io/server-snippet: |
      if ($host = "https://cafe.example.net") {
          return 301 https://$host$request_uri/coffee;
        } 
spec:
  ingressClassName: internal-nginx
  rules:
  - host: cafe.example.net
    http:
      paths:
      - path: /tea
        pathType: Prefix
        backend:
          service:
            name: tea-svc
            port:
              number: 80
      - path: /coffee
        pathType: Prefix
        backend:
          service:
            name: coffee-svc
            port:
              number: 80

@vmpowercli
Author

$ curl -vI https://cafe.example.net
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0*   Trying 10.158.22.32:443...
* Connected to cafe.example.net (10.158.22.32) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: C:/Program Files/Git/mingw64/ssl/certs/ca-bundle.crt
  CApath: none
} [5 bytes data]
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
} [512 bytes data]
* TLSv1.3 (IN), TLS handshake, Server hello (2):
{ [91 bytes data]
* TLSv1.2 (IN), TLS handshake, Certificate (11):
{ [4938 bytes data]
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
{ [333 bytes data]
* TLSv1.2 (IN), TLS handshake, Server finished (14):
{ [4 bytes data]
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
} [70 bytes data]
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
} [1 bytes data]
* TLSv1.2 (OUT), TLS handshake, Finished (20):
} [16 bytes data]
* TLSv1.2 (IN), TLS handshake, Finished (20):
{ [16 bytes data]
* SSL connection using TLSv1.2 / ECDHE-RSA-AES128-GCM-SHA256
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: CN=*.example.net
*  start date: Mar 18 00:00:00 2022 GMT
*  expire date: Apr 16 23:59:59 2023 GMT
*  subjectAltName: host "cafe.example.net" matched cert's "*.example.net"
*  issuer: C=US; O=Amazon; OU=Server CA 1B; CN=Amazon
*  SSL certificate verify ok.
} [5 bytes data]
> HEAD / HTTP/1.1
> Host: cafe.example.net
> User-Agent: curl/7.70.0
> Accept: */*
>
{ [5 bytes data]
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Date: Tue, 17 May 2022 02:12:57 GMT
< Content-Type: text/html
< Content-Length: 146
< Connection: keep-alive
<
  0   146    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0HTTP/1.1 404 Not Found
Date: Tue, 17 May 2022 02:12:57 GMT
Content-Type: text/html
Content-Length: 146
Connection: keep-alive


* Connection #0 to host cafe.example.net left intact

@vmpowercli
Author

Nginx Controller Logs

192.168.14.161 - - [16/May/2022:18:38:56 +0000] "HEAD /coffee HTTP/1.1" 200 0 "-" "curl/7.65.0" 89 0.001 [default-coffee-svc-80] [] 192.168.15.103:8080 0 0.000 200 66b00b2e9a8d259053791a751db24099
192.168.12.68 - - [16/May/2022:18:38:59 +0000] "HEAD /tea HTTP/1.1" 200 0 "-" "curl/7.65.0" 86 0.002 [default-tea-svc-80] [] 192.168.12.221:8080 0 0.004 200 f0d3e487d32b46a789f4c38064d07a59
192.168.17.226 - - [16/May/2022:18:39:04 +0000] "HEAD /tea HTTP/1.1" 308 0 "-" "curl/7.65.0" 86 0.000 [-] [] - - - - a32e3fc39dc7ed0a82e29caadaeb36e2
192.168.15.101 - - [17/May/2022:02:11:16 +0000] "HEAD / HTTP/1.1" 308 0 "-" "curl/7.65.0" 83 0.000 [-] [] - - - - 1f14385611dcf26f94c90dbfb4ed4333
192.168.15.101 - - [17/May/2022:02:11:50 +0000] "HEAD / HTTP/1.1" 308 0 "-" "curl/7.70.0" 83 0.000 [-] [] - - - - 8d7a5c2f0334a761fde8595ca9e7b8d2
192.168.15.101 - - [17/May/2022:02:12:57 +0000] "HEAD / HTTP/1.1" 404 0 "-" "curl/7.70.0" 83 0.000 [upstream-default-backend] [] 127.0.0.1:8181 0 0.004 404 8cdad2a46fadb9f3fb6b9d85d74e1b10
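
Added example, not part of the thread: a Python parser for the controller access-log lines above that reports, per request, whether nginx answered it directly, a named service handled it, or it fell through to the default backend. The field layout is read off the posted lines; the handler labels (`nginx-return`, `default-backend`, `service:`) are names chosen for this example.

```python
import re

# Field layout read off the controller access-log lines quoted in the thread.
LINE = re.compile(
    r'(?P<client>\S+) - \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+ '
    r'"[^"]*" "[^"]*" \d+ [\d.]+ '
    r'\[(?P<upstream_name>[^\]]*)\] \[[^\]]*\] (?P<upstream_addr>\S+) '
)

def classify(line):
    """Return (path, status, handler) for one access-log line, or None."""
    m = LINE.match(line)
    if m is None:
        return None
    name = m["upstream_name"]
    if name == "-":
        # No upstream selected: nginx produced the response itself,
        # which is what a server-level `return` does.
        handler = "nginx-return"
    elif name == "upstream-default-backend":
        # No Ingress path matched, so the controller's default backend replied.
        handler = "default-backend"
    else:
        handler = "service:" + name
    return m["path"], int(m["status"]), handler

# Three lines copied from the controller log posted in the thread.
SAMPLE = [
    '192.168.14.161 - - [16/May/2022:18:38:56 +0000] "HEAD /coffee HTTP/1.1" 200 0 "-" "curl/7.65.0" 89 0.001 [default-coffee-svc-80] [] 192.168.15.103:8080 0 0.000 200 66b00b2e9a8d259053791a751db24099',
    '192.168.17.226 - - [16/May/2022:18:39:04 +0000] "HEAD /tea HTTP/1.1" 308 0 "-" "curl/7.65.0" 86 0.000 [-] [] - - - - a32e3fc39dc7ed0a82e29caadaeb36e2',
    '192.168.15.101 - - [17/May/2022:02:12:57 +0000] "HEAD / HTTP/1.1" 404 0 "-" "curl/7.70.0" 83 0.000 [upstream-default-backend] [] 127.0.0.1:8181 0 0.004 404 8cdad2a46fadb9f3fb6b9d85d74e1b10',
]

def summarize(lines):
    """Classify every parseable line, skipping anything that does not match."""
    return [c for c in map(classify, lines) if c is not None]

if __name__ == "__main__":
    for path, status, handler in summarize(SAMPLE):
        print(f"{status} {path:<8} {handler}")
```

The 404 for `/` is classified as `default-backend`: the request was not answered by a `return` in the server block and matched neither the `/tea` nor the `/coffee` path rule.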

@longwuyuan
Contributor

longwuyuan commented May 17, 2022 via email
