jcmoraisjr
Redirect app-root is happening before redirect https
------------------------------ Description of the problem ------------------------------
If in an ingress the annotations app-root and ssl-redirect (with value true) are both used at the same time the app-root redirection happens first, making an unnecessary intermediary http redirection in case the user request is http.
Some risk manager tools expect the first redirection be to https already, flagging the current behavior as a security risk
---------------------- Expected behavior ----------------------
When we use both annotations the first redirection to app-root should already use https when the user requests http
------------------- Actual behavior -------------------
An intermediary app-root redirection happens using http
------------------------------------ Steps to reproduce the problem ------------------------------------
Add both annotations to an ingress
ingress.kubernetes.io/ssl-redirect: 'true' ingress.kubernetes.io/app-root: '/test'
and than see the redirection order with a curl
curl -IL http://<hostname>
---------------------------- Environment information ----------------------------
Using HAProxy Ingress version: v0.13.11
------------ Remarks ------------
Analyzing the problem I noticed that it is rooted in the fact that while the https redirection happens inside the backend configuration the app-root one happens in the global frontend using a mapper file to find out the redirection path
http-request set-var(req.rootredir) var(req.host),map_str(/etc/haproxy/maps/_front_redir_fromroot__exact.map) http-request redirect location %[var(req.rootredir)] if { path / } { var(req.rootredir) -m found }
Looks like to solve the problem the mapper file should be augmented with the protocol information (for exemple saving the whole url instead of only the path in this case) if an https redirection annotation with value true is used. That way both redirections could happen at once, without an intermediary http one.
