Skip to content
Kong Logo | Kong Docs Logo
  • Docs
    • Explore the API Specs
      View all API Specs View all API Specs View all API Specs arrow image
    • Documentation
      API Specs
      Kong Gateway
      Lightweight, fast, and flexible cloud-native API gateway
      Kong Konnect
      Single platform for SaaS end-to-end connectivity
      Kong AI Gateway
      Multi-LLM AI Gateway for GenAI infrastructure
      Kong Mesh
      Enterprise service mesh based on Kuma and Envoy
      decK
      Helps manage Kong’s configuration in a declarative fashion
      Kong Ingress Controller
      Works inside a Kubernetes cluster and configures Kong to proxy traffic
      Kong Gateway Operator
      Manage your Kong deployments on Kubernetes using YAML Manifests
      Insomnia
      Collaborative API development platform
  • Plugin Hub
    • Explore the Plugin Hub
      View all plugins View all plugins View all plugins arrow image
    • Functionality View all View all arrow image
      View all plugins
      AI's icon
      AI
      Govern, secure, and control AI traffic with multi-LLM AI Gateway plugins
      Authentication's icon
      Authentication
      Protect your services with an authentication layer
      Security's icon
      Security
      Protect your services with additional security layer
      Traffic Control's icon
      Traffic Control
      Manage, throttle and restrict inbound and outbound API traffic
      Serverless's icon
      Serverless
      Invoke serverless functions in combination with other plugins
      Analytics & Monitoring's icon
      Analytics & Monitoring
      Visualize, inspect and monitor APIs and microservices traffic
      Transformations's icon
      Transformations
      Transform request and responses on the fly on Kong
      Logging's icon
      Logging
      Log request and response data using the best transport for your infrastructure
  • Support
  • Community
  • Kong Academy
Get a Demo Start Free Trial
Kong Ingress Controller
3.1.x
  • Home icon
  • Kong Ingress Controller
  • Guides
  • Services
  • HTTPS Redirect
github-edit-pageEdit this page
report-issueReport an issue
  • Kong Gateway
  • Kong Konnect
  • Kong Mesh
  • Kong AI Gateway
  • Plugin Hub
  • decK
  • Kong Ingress Controller
  • Kong Gateway Operator
  • Insomnia
  • Kuma

  • Docs contribution guidelines
  • unreleased
  • 3.4.x (latest) (LTS)
  • 3.3.x
  • 3.2.x
  • 3.1.x
  • 3.0.x
  • 2.12.x (LTS)
  • 2.11.x
  • 2.10.x
  • 2.9.x
  • 2.8.x
  • 2.7.x
  • 2.6.x
  • 2.5.x (LTS)
  • Introduction
    • Overview
    • Kubernetes Gateway API
    • Version Support Policy
    • Changelog
  • How KIC Works
    • Architecture
    • Gateway API
    • Ingress
    • Custom Resources
    • Using Annotations
    • Admission Webhook
  • Get Started
    • Install KIC
    • Services and Routes
    • Rate Limiting
    • Proxy Caching
    • Key Authentication
  • KIC in Production
    • Deployment Topologies
      • Overview
      • Gateway Discovery
      • Database Backed
      • Traditional (sidecar)
    • Installation Methods
      • Helm
      • Kong Gateway Operator
    • Cloud Deployment
      • Azure
      • Amazon
      • Google
    • Enterprise License
    • Observability
      • Prometheus Metrics
      • Configuring Prometheus and Grafana
      • Kubernetes Events
    • Upgrading
      • Kong Gateway
      • Ingress Controller
  • Guides
    • Service Configuration
      • HTTP Service
      • TCP Service
      • UDP Service
      • gRPC Service
      • TLS
      • External Service
      • HTTPS Redirects
      • Multiple Backend Services
      • Configuring Gateway API resources across namespaces
    • Request Manipulation
      • Rewriting Hosts and Paths
      • Rewrite Annotation
      • Customizing load-balancing behavior
    • High Availability
      • KIC High Availability
      • Service Health Checks
      • Last Known Good Config
    • Security
      • Kong Vaults
      • Using Workspaces
      • Preserving Client IP
      • Kubernetes Secrets in Plugins
    • Migrate
      • KongIngress to KongUpstreamPolicy
      • Migrating from Ingress to Gateway
      • Credential Type Labels
    • Customize Deployments
      • Images
    • Custom Ingress Class
      • Internal / External Traffic
  • Plugins
    • Custom Plugins
    • Authentication
    • ACL
    • Rate Limiting
    • mTLS
    • OIDC
  • Reference
    • Troubleshooting
    • Version Compatibility
    • Annotations
    • Configuration Options
    • Feature Gates
    • FAQ
      • Plugin Compatibility
      • Kong Router
      • Custom nginx.conf
    • Custom Resource Definitions
    • Resources Requiring Setting Ingress Class
    • Gateway API migration
    • Required Permissions for Installation
enterprise-switcher-icon Switch to OSS
On this pageOn this page
  • Prerequisites
    • Install the Gateway APIs
    • Install Kong
    • Test connectivity to Kong
  • Deploy an echo service
  • Add routing configuration
  • Add TLS configuration
  • Configure a HTTPS redirect
  • Test the configuration
You are browsing documentation for an older version. See the latest documentation here.

HTTPS Redirect

Learn to configure the Kong Ingress Controller to redirect HTTP requests to HTTPS so that all communication from the external world to your APIs and microservices is encrypted.

Prerequisites: Install Kong Ingress Controller with Gateway API support in your Kubernetes cluster and connect to Kong.

Prerequisites

Install the Gateway APIs

  1. Install the Gateway API CRDs before installing Kong Ingress Controller.

     kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/standard-install.yaml
    
  2. Create a Gateway and GatewayClass instance to use.

    echo "
    ---
    apiVersion: gateway.networking.k8s.io/v1
    kind: GatewayClass
    metadata:
      name: kong
      annotations:
        konghq.com/gatewayclass-unmanaged: 'true'
    
    spec:
      controllerName: konghq.com/kic-gateway-controller
    ---
    apiVersion: gateway.networking.k8s.io/v1
    kind: Gateway
    metadata:
      name: kong
    spec:
      gatewayClassName: kong
      listeners:
      - name: proxy
        port: 80
        protocol: HTTP
        allowedRoutes:
          namespaces:
             from: All
    " | kubectl apply -f -
    

    The results should look like this:

    gatewayclass.gateway.networking.k8s.io/kong created
    gateway.gateway.networking.k8s.io/kong created
    

Install Kong

You can install Kong in your Kubernetes cluster using Helm.

  1. Add the Kong Helm charts:

     helm repo add kong https://charts.konghq.com
     helm repo update
    
  2. Install Kong Ingress Controller and Kong Gateway with Helm:

     helm install kong kong/ingress -n kong --create-namespace 
    

Test connectivity to Kong

Kubernetes exposes the proxy through a Kubernetes service. Run the following commands to store the load balancer IP address in a variable named PROXY_IP:

  1. Populate $PROXY_IP for future commands:

     export PROXY_IP=$(kubectl get svc --namespace kong kong-gateway-proxy -o jsonpath='{.status.loadBalancer.ingress[0].ip}')
     echo $PROXY_IP
    
  2. Ensure that you can call the proxy IP:

     curl -i $PROXY_IP
    

    The results should look like this:

     HTTP/1.1 404 Not Found
     Content-Type: application/json; charset=utf-8
     Connection: keep-alive
     Content-Length: 48
     X-Kong-Response-Latency: 0
     Server: kong/3.0.0
      
     {"message":"no Route matched with those values"}
    

Deploy an echo service

To proxy requests, you need an upstream application to send a request to. Deploying this echo server provides a simple application that returns information about the Pod it’s running in:

kubectl apply -f https://docs.konghq.com/assets/kubernetes-ingress-controller/examples/echo-service.yaml

The results should look like this:

service/echo created
deployment.apps/echo created

Add routing configuration

Create routing configuration to proxy /echo requests to the echo server:

Gateway API
Ingress
echo "
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
  name: echo
  annotations:
    konghq.com/strip-path: 'true'
spec:
  parentRefs:
  - name: kong
  hostnames:
  - 'kong.example'
  rules:
  - matches:
    - path:
        type: PathPrefix
        value: /echo
    backendRefs:
    - name: echo
      kind: Service
      port: 1027
" | kubectl apply -f -
echo "
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: echo
  annotations:
    konghq.com/strip-path: 'true'
spec:
  ingressClassName: kong
  rules:
  - host: kong.example
    http:
      paths:
      - path: /echo
        pathType: ImplementationSpecific
        backend:
          service:
            name: echo
            port:
              number: 1027
" | kubectl apply -f -

The results should look like this:

Gateway API
Ingress
httproute.gateway.networking.k8s.io/echo created
ingress.networking.k8s.io/echo created

Test the routing rule:

curl -i -H 'Host:kong.example' $PROXY_IP/echo

The results should look like this:

HTTP/1.1 200 OK
Content-Type: text/plain; charset=utf-8
Content-Length: 140
Connection: keep-alive
Date: Fri, 21 Apr 2023 12:24:55 GMT
X-Kong-Upstream-Latency: 0
X-Kong-Proxy-Latency: 1
Via: kong/3.2.2

Welcome, you are connected to node docker-desktop.
Running on Pod echo-7f87468b8c-tzzv6.
In namespace default.
With IP address 10.1.0.237.
...

If everything is deployed correctly, you should see the above response. This verifies that Kong Gateway can correctly route traffic to an application running inside Kubernetes.

Add TLS configuration

The routing configuration can include a certificate to present when clients connect over HTTPS. This is not required, as Kong Gateway will serve a default certificate if it cannot find another, but including TLS configuration along with routing configuration is typical.

  1. Create a test certificate for the kong.example hostname.

    OpenSSL 1.1.1
    OpenSSL 0.9.8
    openssl req -subj '/CN=kong.example' -new -newkey rsa:2048 -sha256 \
      -days 365 -nodes -x509 -keyout server.key -out server.crt \
      -addext "subjectAltName = DNS:kong.example" \
      -addext "keyUsage = digitalSignature" \
      -addext "extendedKeyUsage = serverAuth" 2> /dev/null;
      openssl x509 -in server.crt -subject -noout
    openssl req -subj '/CN=kong.example' -new -newkey rsa:2048 -sha256 \
      -days 365 -nodes -x509 -keyout server.key -out server.crt \
      -extensions EXT -config <( \
       printf "[dn]\nCN=kong.example\n[req]\ndistinguished_name = dn\n[EXT]\nsubjectAltName=DNS:kong.example\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth") 2>/dev/null;
      openssl x509 -in server.crt -subject -noout

    The results should look like this:

    OpenSSL 1.1.1
    OpenSSL 0.9.8
    subject=CN = kong.example
    subject=CN = kong.example

    Older OpenSSL versions, including the version provided with OS X Monterey, require using the alternative version of this command.

  2. Create a Secret containing the certificate.
     kubectl create secret tls kong.example --cert=./server.crt --key=./server.key
    

    The results should look like this:

     secret/kong.example created
    
  3. Update your routing configuration to use this certificate.

    Ingress
    Gateway API
    kubectl patch --type json ingress echo -p='[{
        "op":"add",
    	"path":"/spec/tls",
    	"value":[{
            "hosts":["kong.example"],
    		"secretName":"kong.example"
        }]
    }]'
    kubectl patch --type=json gateway kong -p='[{
        "op":"add",
        "path":"/spec/listeners/-",
        "value":{
            "name":"proxy-ssl",
            "port":443,
            "protocol":"HTTPS",
            "tls":{
                "certificateRefs":[{
                    "group":"",
                    "kind":"Secret",
                    "name":"kong.example"
                }]
            }
        }
    }]'
    

    The results should look like this:

    Ingress
    Gateway API
    ingress.networking.k8s.io/echo patched
    gateway.gateway.networking.k8s.io/kong patched
  4. Send requests to verify if the configured certificate is served.

     curl -ksv https://kong.example/echo --resolve kong.example:443:$PROXY_IP 2>&1 | grep -A1 "certificate:"
    

    The results should look like this:

     * Server certificate:
     *  subject: CN=kong.example
    

Configure a HTTPS redirect

Kong handles HTTPS redirects by automatically issuing redirects to requests whose characteristics match a HTTPS-only route except for the protocol. For example, with a Kong route such as this:

{ "protocols": ["https"], "hosts": ["kong.example"],
  "https_redirect_status_code": 301, "paths": ["/echo/"], "name": "example" }

A request for http://kong.example/echo/green receives a 301 response with a Location: https://kong.example/echo/green header. Kubernetes resource annotations instruct the controller to create a route with protocols=[https] and https_redirect_status_code set to the code of your choice (the default if unset is 426).

  1. Configure the protocols that are allowed in the konghq.com/protocols annotation.

    Gateway API
    Ingress
    kubectl annotate httproute echo konghq.com/protocols=https
    kubectl annotate ingress echo konghq.com/protocols=https

    The results should look like this:

    Gateway API
    Ingress
    httproute.gateway.networking.k8s.io/echo annotated
    ingress.networking.k8s.io/echo annotated
  2. Configure the status code used to redirect in the konghq.com/https-redirect-status-code` annotation.

    Gateway API
    Ingress
    kubectl annotate httproute echo konghq.com/https-redirect-status-code="301"
    kubectl annotate ingress echo konghq.com/https-redirect-status-code="301"

    The results should look like this:

    Gateway API
    Ingress
    httproute.gateway.networking.k8s.io/echo annotated
    ingress.networking.k8s.io/echo annotated

Note: The GatewayAPI does not use a HTTPRequestRedirectFilter to configure the redirect. Using the filter to redirect HTTP to HTTPS requires a separate HTTPRoute to handle redirected HTTPS traffic, which does not align well with Kong’s single route redirect model.

Work to support the standard filter-based configuration is ongoing. Until then, the annotations allow you to configure HTTPS-only HTTPRoutes.

Test the configuration

With the redirect configuration in place, HTTP requests now receive a redirect rather than being proxied upstream:

  1. Send a HTTP request.
     curl -ksvo /dev/null http://kong.example/echo --resolve kong.example:80:$PROXY_IP 2>&1 | grep -i http
    

    The results should look like this:

     > GET /echo HTTP/1.1
     < HTTP/1.1 301 Moved Permanently
     < Location: https://kong.example/echo
    
  2. Send a curl request to follow redirects using the -L flag navigates to the HTTPS URL and receive a proxied response from upstream.

     curl -Lksv http://kong.example/echo --resolve kong.example:80:$PROXY_IP --resolve kong.example:443:$PROXY_IP 2>&1
    

    The results should look like this (some output removed for brevity):

     > GET /echo HTTP/1.1
     > Host: kong.example
     >
     < HTTP/1.1 301 Moved Permanently
     < Location: https://kong.example/echo
     < Server: kong/3.4.2
        
     * Issue another request to this URL: 'https://kong.example/echo'
    
     * Server certificate:
     *  subject: CN=kong.example
         
     > GET /echo HTTP/2
     > Host: kong.example
     >
     < HTTP/2 200
     < via: kong/3.4.2
     <
     Welcome, you are connected to node kind-control-plane.
     Running on Pod echo-74d47cc5d9-pq2mw.
     In namespace default.
     With IP address 10.244.0.7.
    

Kong correctly serves the request only on HTTPS protocol and redirects the user if the HTTP protocol is used. The -k flag in cURL skips certificate validation as the certificate served by Kong is a self-signed one. If you are serving this traffic through a domain that you control and have configured TLS properties for it, then the flag won’t be necessary.

Thank you for your feedback.
Was this page useful?
Too much on your plate? close cta icon
More features, less infrastructure with Kong Konnect. 1M requests per month for free.
Try it for Free
  • Kong
    Powering the API world

    Increase developer productivity, security, and performance at scale with the unified platform for API management, service mesh, and ingress controller.

    • Products
      • Kong Konnect
      • Kong Gateway Enterprise
      • Kong Gateway
      • Kong Mesh
      • Kong Ingress Controller
      • Kong Insomnia
      • Product Updates
      • Get Started
    • Documentation
      • Kong Konnect Docs
      • Kong Gateway Docs
      • Kong Mesh Docs
      • Kong Insomnia Docs
      • Kong Konnect Plugin Hub
    • Open Source
      • Kong Gateway
      • Kuma
      • Insomnia
      • Kong Community
    • Company
      • About Kong
      • Customers
      • Careers
      • Press
      • Events
      • Contact
  • Terms• Privacy• Trust and Compliance
© Kong Inc. 2025