-
Notifications
You must be signed in to change notification settings - Fork 368
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Redirects add port to Location header #3589
Comments
* dont use `port: 443` in the redirect example * dont specify a backendRefs when the filter is a redirect filter Fixes: envoyproxy#3589 Signed-off-by: Arko Dasgupta <arko@tetrate.io>
* dont use `port: 443` in the redirect example * dont specify a backendRefs when the filter is a redirect filter Fixes: envoyproxy#3589 Signed-off-by: Arko Dasgupta <arko@tetrate.io>
* dont use `port: 443` in the redirect example * dont specify a backendRefs when the filter is a redirect filter Fixes: envoyproxy#3589 Signed-off-by: Arko Dasgupta <arko@tetrate.io>
* dont use `port: 443` in the redirect example * dont specify a backendRefs when the filter is a redirect filter Fixes: envoyproxy#3589 Signed-off-by: Arko Dasgupta <arko@tetrate.io>
digging into this, looks like the change was made #1601 to make upstream conformance tests pass kubernetes-sigs/gateway-api#1880 |
Thanks @benediktwerner for spotting this! The implementation of upstream GW-API redirPort were missing in EG:
Yes @arkodg, can be fixed in the xds translator: gateway/internal/xds/translator/route.go Line 348 in 9e2cfb4
By adding extra checks, update redirPort only if it is not 80 nor 443. I've done the test, the well-known port number is not shown in ‘Location’ header anymore. |
* dont use `port: 443` in the redirect example * dont specify a backendRefs when the filter is a redirect filter Fixes: envoyproxy#3589 Signed-off-by: Arko Dasgupta <arko@tetrate.io>
docs: update redirect tasks * dont use `port: 443` in the redirect example * dont specify a backendRefs when the filter is a redirect filter Fixes: #3589 Signed-off-by: Arko Dasgupta <arko@tetrate.io>
docs: update redirect tasks * dont use `port: 443` in the redirect example * dont specify a backendRefs when the filter is a redirect filter Fixes: envoyproxy#3589 Signed-off-by: Arko Dasgupta <arko@tetrate.io> Signed-off-by: bjlhlin <lihonglin1@jd.com>
Description
When setting up any redirect, e.g. following the initial example at https://gateway.envoyproxy.io/v1.0.1/tasks/traffic/http-redirect/ (though removing the
backendRefs
which aren't actually allowed together with a redirect), Envoy Gateway will add an explicit port (in this case 443) to the location header:(The example curl output in the docs actually doesn't show the port but that's not the behavior I observe.)
This is counter to the recommendation given by the Gateway API which on the
ports
field of the redirect filter (https://gateway-api.sigs.k8s.io/reference/spec/#gateway.networking.k8s.io/v1.HTTPRequestRedirectFilter) states:This happens even if the
port
field isn't actually set in the redirect and even if it's only a path redirect, with no change to the hostname, scheme, or port.Using
egctl
, it looks like the following Envoy configuration is generated for the route for the example from the docs:Presumably, the
portRedirect
shouldn't be set in this case.This probably doesn't matter in most cases since browsers apparently silently remove the port when following the redirect but some http clients don't which for us then lead to an issue in combination with OIDC because the URL with the port wasn't registered as a valid callback URL.
Environment
The text was updated successfully, but these errors were encountered: