Edit this page
Report an issueYou are browsing documentation for an older version. See the latest documentation here.
Configuring HTTPS redirect
Overview
Learn to configure the Kong Ingress Controller to redirect HTTP requests to HTTPS so that all communication from the external world to your APIs and microservices is encrypted.
Prerequisites: Install Kong Ingress Controller with Gateway API support in your Kubernetes cluster and connect to Kong.
Prerequisites
Install the Gateway APIs
-
Install the Gateway API CRDs before installing Kong Ingress Controller.
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml -
Create a
GatewayandGatewayClassinstance to use.echo " --- apiVersion: gateway.networking.k8s.io/v1beta1 kind: GatewayClass metadata: name: kong annotations: konghq.com/gatewayclass-unmanaged: 'true' spec: controllerName: konghq.com/kic-gateway-controller --- apiVersion: gateway.networking.k8s.io/v1beta1 kind: Gateway metadata: name: kong spec: gatewayClassName: kong listeners: - name: proxy port: 80 protocol: HTTP allowedRoutes: namespaces: from: All " | kubectl apply -f -The results should look like this:
gatewayclass.gateway.networking.k8s.io/kong created gateway.gateway.networking.k8s.io/kong created
Install Kong
You can install Kong in your Kubernetes cluster using Helm.
-
Add the Kong Helm charts:
helm repo add kong https://charts.konghq.com helm repo update -
Install Kong Ingress Controller and Kong Gateway with Helm:
helm install kong kong/ingress -n kong --create-namespace
Test connectivity to Kong
Kubernetes exposes the proxy through a Kubernetes service. Run the following commands to store the load balancer IP address in a variable named PROXY_IP:
-
Populate
$PROXY_IPfor future commands:export PROXY_IP=$(kubectl get svc --namespace kong kong-gateway-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}') echo $PROXY_IP -
Ensure that you can call the proxy IP:
curl -i $PROXY_IPThe results should look like this:
HTTP/1.1 404 Not Found Content-Type: application/json; charset=utf-8 Connection: keep-alive Content-Length: 48 X-Kong-Response-Latency: 0 Server: kong/3.0.0 {"message":"no Route matched with those values"}
Deploy an echo service
To proxy requests, you need an upstream application to send a request to. Deploying this echo server provides a simple application that returns information about the Pod it’s running in:
kubectl apply -f https://docs.konghq.com/assets/kubernetes-ingress-controller/examples/echo-service.yaml
The results should look like this:
service/echo created
deployment.apps/echo created
Create a configuration group
Ingress and Gateway APIs controllers need a configuration that indicates which set of routing configuration they should recognize. This allows multiple controllers to coexist in the same cluster. Before creating individual routes, you need to create a class configuration to associate routes with:
Kong Ingress Controller recognizes the kong IngressClass and
konghq.com/kic-gateway-controller GatewayClass
by default. Setting the CONTROLLER_INGRESS_CLASS or
CONTROLLER_GATEWAY_API_CONTROLLER_NAME environment variable to
another value overrides these defaults.
Add routing configuration
Create routing configuration to proxy /echo requests to the echo server:
The results should look like this:
Test the routing rule:
curl -i -H 'Host:kong.example' $PROXY_IP/echo
The results should look like this:
HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 140
Connection: keep-alive
Date: Fri, 21 Apr 2023 12:24:55 GMT
X-Kong-Upstream-Latency: 0
X-Kong-Proxy-Latency: 1
Via: kong/3.2.2
Welcome, you are connected to node docker-desktop.
Running on Pod echo-7f87468b8c-tzzv6.
In namespace default.
With IP address 10.1.0.237.
...
If everything is deployed correctly, you should see the above response. This verifies that Kong Gateway can correctly route traffic to an application running inside Kubernetes.
Add TLS configuration
The routing configuration can include a certificate to present when clients connect over HTTPS. This is not required, as Kong Gateway will serve a default certificate if it cannot find another, but including TLS configuration along with routing configuration is typical.
-
Create a test certificate for the
kong.examplehostname.The results should look like this:
Older OpenSSL versions, including the version provided with OS X Monterey, require using the alternative version of this command.
- Create a Secret containing the certificate.
kubectl create secret tls kong.example --cert=./server.crt --key=./server.keyThe results should look like this:
secret/kong.example created -
Update your routing configuration to use this certificate.
The results should look like this:
-
Send requests to verify if the configured certificate is served.
curl -ksv https://kong.example/echo --resolve kong.example:443:$PROXY_IP 2>&1 | grep -A1 "certificate:"The results should look like this:
* Server certificate: * subject: CN=kong.example
Configure an HTTPS redirect
Kong handles HTTPS redirects by automatically issuing redirects to requests whose characteristics match an HTTPS-only route except for the protocol. For example, with a Kong route such as this:
{ "protocols": ["https"], "hosts": ["kong.example"],
"https_redirect_status_code": 301, "paths": ["/echo/"], "name": "example" }
A request for http://kong.example/echo/green receives a 301 response with
a Location: https://kong.example/echo/green header. Kubernetes resource
annotations instruct the controller to create a route with protocols=[https]
and https_redirect_status_code set to the code of your choice (the default if
unset is 426).
-
Configure the protocols that are allowed in the
konghq.com/protocolsannotation.The results should look like this:
-
Configure the status code used to redirect in the
konghq.com/https-redirect-status-code` annotation.The results should look like this:
Note: The GatewayAPI does not use a HTTPRequestRedirectFilter to configure the redirect. Using the filter to redirect HTTP to HTTPS requires a separate HTTPRoute to handle redirected HTTPS traffic, which does not align well with Kong’s single route redirect model.
Work to support the standard filter-based configuration is ongoing. Until then, the annotations allow you to configure HTTPS-only HTTPRoutes.
Test the configuration
With the redirect configuration in place, HTTP requests now receive a redirect rather than being proxied upstream:
- Send a HTTP request.
curl -ksvo /dev/null -H 'Host: kong.example' http://$PROXY_IP/echo 2>&1 | grep -i httpThe results should look like this:
> GET /echo HTTP/1.1 < HTTP/1.1 301 Moved Permanently < Location: https://kong.example/echo -
Send a curl request to follow redirects using the
-Lflag navigates to the HTTPS URL and receive a proxied response from upstream.curl -Lksv -H 'Host: kong.example' http://$PROXY_IP/echo 2>&1The results should look like this (some output removed for brevity):
> GET /echo HTTP/1.1 > Host: kong.example > < HTTP/1.1 301 Moved Permanently < Location: https://kong.example/echo < Server: kong/3.4.2 * Issue another request to this URL: 'https://kong.example/echo' * Server certificate: * subject: CN=kong.example > GET /echo HTTP/2 > Host: kong.example > < HTTP/2 200 < via: kong/3.4.2 < Welcome, you are connected to node kind-control-plane. Running on Pod echo-74d47cc5d9-pq2mw. In namespace default. With IP address 10.244.0.7.
Kong correctly serves the request only on HTTPS protocol and redirects the user
if the HTTP protocol is used. The -k flag in cURL skips certificate
validation as the certificate served by Kong is a self-signed one. If you are
serving this traffic through a domain that you control and have configured TLS
properties for it, then the flag won’t be necessary.
If you have a domain that you control but don’t have TLS/SSL certificates for it, see Using cert-manager with Kong guide which can get TLS certificates setup for you automatically. And it’s free, thanks to Let’s Encrypt!
