aws-app-mesh-roadmap
Feature Request: Support HTTP -> HTTPS redirect automatically
Tell us about your request: Currently AppMesh supports terminating TLS at the Envoy. But customers would want to redirect all insecure traffic to the TLS version of their site. This could be done with a separate listener and static routing configuration as mentioned here.
Which integration(s) is this request for? Applicable for all integrations: Fargate, ECS, EKS, EC2, Kubernetes.
Similarly, customer-reported case of envoy not handling redirects, so http->https upgrades aren't handled for mesh-originated traffic: https://github.com/aws/aws-app-mesh-roadmap/issues/317
This is currently a blocker for adoption of App Mesh for our team. Given the following architecture:
- Virtual Gateway using an NLB (listening on 80 and 443) and Envoy containers running in Fargate w/ Public DNS record corresponding to the name of the service (service.example.com).
- Single gateway route using exact hostname matching to forward traffic to a specific virtual service, which uses the virtual router provider.
- Virtual router configuration that routes traffic to relevant backend virtual nodes.
There is no way to have the service service.example.com publicly accessed over port 80 (then redirected to the HTTPS endpoint) without:
- Introducing an intermediary service between the virtual gateway and the virtual service to handle the redirect (or having the service updated with logic to handle the redirect).
- Switching from an NLB to an ALB for the virtual gateway so that the LB can handle the redirect.
To the best of my knowledge (I do not have a ton of experience with App Mesh, so it's entirely possible I'm just missing something).
I think having the Envoy containers used for the Virtual Gateway configurable for enabling HTTP --> HTTPS redirects would allow customers that are currently hosting services using an ALB --> ECS service directly to switch over to App Mesh without any loss of functionality or reconfiguration of application code.
I believe we have just encountered this issue, and it may actually force us to give up App Mesh.
Assuming "Awaiting Customer Feedback" means you're looking for information on how we'd expect this to work:
Ideally this should be a configuration option on Virtual Gateway listeners so that Envoy is configured to use https_redirect: true.
In a standard Envoy config, that config block would look something like this:
```yaml
routes:
- match:
    prefix: "/"
  redirect:
    https_redirect: true
```
Would something like the above work inside App Mesh?
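For reference, here is what the redirect looks like in a complete standalone Envoy v3 static configuration: a plain-HTTP listener on port 80 whose only route issues a 301 to the HTTPS scheme (host and path preserved), and a TLS-terminating listener on port 443 that forwards to the backend. This is an added example written against the public Envoy API, not configuration from the App Mesh project; App Mesh generates the Envoy config for a Virtual Gateway itself, so this shows the shape of what the requested listener option would have to emit. The certificate paths, the `service.example.com` hostname (taken from the issue), and the `backend.internal:8080` upstream are constructed placeholders.

```yaml
# Added example: standalone Envoy v3 static config, not App Mesh output.
# Listener 1 (port 80): redirect every request to https://<same host><same path>.
# Listener 2 (port 443): terminate TLS and route to the application backend.
static_resources:
  listeners:
  - name: http_redirect
    address:
      socket_address: { address: 0.0.0.0, port_value: 80 }
    filter_chains:
    - filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: http_redirect
          route_config:
            name: redirect_all
            virtual_hosts:
            - name: all_hosts
              domains: ["*"]
              routes:
              - match: { prefix: "/" }
                # https_redirect rewrites only the scheme; Host and path are kept,
                # so http://service.example.com/foo -> https://service.example.com/foo
                redirect:
                  https_redirect: true
                  response_code: MOVED_PERMANENTLY   # 301 (default is 301; shown for clarity)
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  - name: https_ingress
    address:
      socket_address: { address: 0.0.0.0, port_value: 443 }
    filter_chains:
    - transport_socket:
        name: envoy.transport_sockets.tls
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.transport_sockets.tls.v3.DownstreamTlsContext
          common_tls_context:
            tls_certificates:
            # Placeholder paths; in App Mesh these would come from ACM or the file-based listener TLS config.
            - certificate_chain: { filename: "/etc/envoy/certs/server.crt" }
              private_key: { filename: "/etc/envoy/certs/server.key" }
      filters:
      - name: envoy.filters.network.http_connection_manager
        typed_config:
          "@type": type.googleapis.com/envoy.extensions.filters.network.http_connection_manager.v3.HttpConnectionManager
          stat_prefix: https_ingress
          route_config:
            name: app_routes
            virtual_hosts:
            - name: service
              # Exact hostname match, as in the gateway route described in the issue.
              domains: ["service.example.com"]
              routes:
              - match: { prefix: "/" }
                route: { cluster: backend }
          http_filters:
          - name: envoy.filters.http.router
            typed_config:
              "@type": type.googleapis.com/envoy.extensions.filters.http.router.v3.Router

  clusters:
  - name: backend
    connect_timeout: 1s
    type: STRICT_DNS
    load_assignment:
      cluster_name: backend
      endpoints:
      - lb_endpoints:
        - endpoint:
            address:
              socket_address: { address: backend.internal, port_value: 8080 }   # constructed upstream
```

With an NLB forwarding TCP 80 and 443 straight to the Envoy tasks, the port-80 listener never proxies a request: it answers with `301 Location: https://service.example.com/<path>` and the client reconnects on 443. One check worth making when validating this: `https_redirect` keeps the incoming `Host` header verbatim, so a request carrying a non-matching or empty `Host` still gets redirected to that value; if that is undesirable, restrict `domains` on the redirect virtual host to the hostnames the gateway actually serves rather than `"*"`.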
I agree with the other comments regarding the http => https converts. For our specific use case, what we believe a service mesh should be able to handle is a rewrite of header & URL parameter payload data to support a 302 redirect issued from an HTTP backend service and referencing an external (to EKS) HTTPS service.
As a workaround we've had to modify application code to specifically watch and modify these requests as they come in. This is not a software pattern that we're interested in continuing. Unfortunately this is a current roadblock, and we're looking at alternative solutions that are not AWS AppFlow.