Kong redirect bug when using proxy proto by quic
Is there an existing issue for this?
- [x] I have searched the existing issues
Kong version ($ kong version)
latest
Current Behavior
Observed Behavior: When Kong is deployed behind an edge CDN handling QUIC protocol, enabling HTTPS redirection via Ingress annotations results in unintended protocol-based redirection due to protocol header misinterpretation.
Technical Analysis:
CDN Layer Behavior:
- Edge CDN terminates QUIC connections from clients
- Forwards requests to Kong with injected header: X-Forwarded-Proto: "quic"
- Actual transport protocol becomes HTTPS between CDN and Kong
Kong Configuration:
annotations:
  konghq.com/https-redirect-status-code: "301" # Enforce HTTPS redirection
  konghq.com/protocols: "https" # Restrict to HTTPS only
Protocol Conflict Mechanism:
- Kong's protocol detection prioritizes X-Forwarded-Proto header
- Native Kong (3.x) doesn't recognize "quic" as HTTPS-equivalent secure protocol variant
- Security subsystem triggers 301 redirect to HTTPS endpoint
Root Cause: Kong's protocol validation module doesn't classify QUIC (HTTP/3's transport layer) as HTTPS-equivalent. Non-standard protocol values in X-Forwarded-Proto activate security redirection mechanisms despite QUIC's inherent encryption.
Expected Behavior
Kong proxies well
Steps To Reproduce
Related code: https://github.com/Kong/kong/blob/36db98046b05cfe48b14d3ae00a3c5601bd105a8/kong/runloop/handler.lua#L1289-L1308
Anything else?
nothing
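The redirect decision analysed in the report above, as an added example in plain Lua that is neither Kong's source nor the reporter's code: a simplified model of an HTTPS-only route check, plus a header normalisation step that an edge layer could apply before forwarding. The function names, the `peer_trusted` flag, the rule that the forwarded header is honoured only from a trusted peer, and the sample requests are assumptions made for the illustration.

```lua
-- Simplified model of the redirect decision described in this issue.
-- Not Kong's source; every name below is hypothetical.

-- Scheme the gateway believes the client used. Assumption: the forwarded
-- header is honoured only when the directly connected peer is trusted.
local function effective_proto(req)
  if req.peer_trusted and req.x_forwarded_proto then
    return req.x_forwarded_proto:lower()
  end
  return req.scheme
end

-- HTTPS-only route: any value other than the literal "https" gets the
-- configured redirect, which is the path a "quic" value ends up on.
local function decide(route, req)
  if route.https_only and effective_proto(req) ~= "https" then
    return route.redirect_status, "https://" .. req.host .. req.uri
  end
  return 200
end

-- Edge-side normalisation: QUIC always carries TLS, so it is reported as
-- "https". Design choice of this example: unknown values become "http",
-- so an unrecognised protocol is never treated as secure.
local SECURE = { https = true, quic = true }
local function normalize_proto(value)
  if SECURE[(value or ""):lower()] then return "https" end
  return "http"
end

local route = { https_only = true, redirect_status = 301 }

-- Constructed sample requests, all reaching the gateway over TLS.
local samples = {
  { name = "cdn sends quic",  x_forwarded_proto = "quic",  peer_trusted = true },
  { name = "cdn sends https", x_forwarded_proto = "https", peer_trusted = true },
  { name = "cdn normalised",  x_forwarded_proto = normalize_proto("quic"), peer_trusted = true },
  { name = "untrusted peer",  x_forwarded_proto = "http",  peer_trusted = false },
}

for _, req in ipairs(samples) do
  req.scheme, req.host, req.uri = "https", "api.example.test", "/v1/items"
  local status, location = decide(route, req)
  print(string.format("%-16s -> %d %s", req.name, status, location or ""))
end
```

Only the first sample is redirected: the others either carry the literal `https` value or come from a peer whose header is ignored in favour of the connection's own scheme.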
Hi @oldthreefeng, we don't support quic or http3 here. If you're interested in giving it a try, feel free to open a PR to explore this feature.
This issue is marked as stale because it has been open for 14 days with no activity.
Dear contributor,
We are automatically closing this issue because it has not seen any activity for three weeks. We're sorry that your issue could not be resolved. If any new information comes up that could help resolve it, please feel free to reopen it.
Your contribution is greatly appreciated!
Please have a look at our pledge to the community for more information.
Sincerely, Your Kong Gateway team