Redirect HTTP to HTTPS

Related Documentation
Related Resources
TL;DR

Configure an ExternalName service, then create an HTTPRoute to route traffic to the service.

Prerequisites

If you don’t have a Konnect account, you can get started quickly with our onboarding wizard.

  1. The following Konnect items are required to complete this tutorial:
    • Personal access token (PAT): Create a new personal access token by opening the Konnect PAT page and selecting Generate Token.
  2. Set the personal access token as an environment variable:

    export KONNECT_TOKEN='YOUR KONNECT TOKEN'
    
    Copied to clipboard!

Create an HTTPRoute

To route HTTP traffic, you need to create an HTTPRoute or an Ingress resource pointing at your Kubernetes Service.

Add TLS configuration

The routing configuration can include a certificate to present when clients connect over HTTPS. This is not required, as Kong Gateway will serve a default certificate if it cannot find another, but including TLS configuration along with routing configuration is typical.

  1. Create a test certificate for the example.com hostname. This will be used to secure TLS traffic.

    Older OpenSSL versions, including the version provided with macOS Monterey, require using the alternative version of this command.

  2. Create a Secret containing the certificate:
     kubectl create secret -n kong tls example.com --cert=./server.crt --key=./server.key
    
    Copied to clipboard!
  3. Update your routing configuration to use this certificate:

  4. Send requests to verify if the configured certificate is served:

     curl -ksv https://example.com/echo --resolve example.com:443:$PROXY_IP 2>&1 | grep -A1 "certificate:"
    
    Copied to clipboard!

    The results should look like this:

     * Server certificate:
     *  subject: CN=example.com
    

Configure an HTTPS redirect

Kong Gateway handles HTTPS redirects by automatically issuing redirects to requests whose characteristics match an HTTPS-only route except for the protocol. For example, with a Kong Gateway Route like the following:

{ "protocols": ["https"], "hosts": ["example.com"],
  "https_redirect_status_code": 301, "paths": ["/echo/"], "name": "example" }

A request for http://example.com/echo/green receives a 301 response with a Location: https://example.com/echo/green header. Kubernetes resource annotations instruct the controller to create a route with protocols=[https] and https_redirect_status_code set to the code of your choice (the default if unset is 426).

  1. Configure the protocols that are allowed in the konghq.com/protocols annotation:

  2. Configure the status code used to redirect in the konghq.com/https-redirect-status-code annotation:

Note: Kong Ingress Controller does not use a HTTPRequestRedirectFilter to configure the redirect. Using the filter to redirect HTTP to HTTPS requires a separate HTTPRoute to handle redirected HTTPS traffic, which doesn’t align well with Kong Gateway’s single Route redirect model.

Work to support the standard filter-based configuration is ongoing. Until then, the annotations allow you to configure HTTPS-only HTTPRoutes.

Validate your configuration

With the redirect configuration in place, HTTP requests now receive a redirect rather than being proxied upstream:

  1. Send an HTTP request:
     curl -ksvo /dev/null http://example.com/echo --resolve example.com:80:$PROXY_IP 2>&1 | grep -i http
    
    Copied to clipboard!

    The results should look like this:

     > GET /echo HTTP/1.1
     < HTTP/1.1 301 Moved Permanently
     < Location: https://example.com/echo
    
  2. Send a curl request to follow redirects using the -L flag. This navigates to the HTTPS URL and receives a proxied response from the upstream.

     curl -Lksv http://example.com/echo --resolve example.com:80:$PROXY_IP --resolve example.com:443:$PROXY_IP 2>&1
    
    Copied to clipboard!

    The results should look like this (some output removed for brevity):

     > GET /echo HTTP/1.1
     > Host: example.com
     >
     < HTTP/1.1 301 Moved Permanently
     < Location: https://example.com/echo
     < Server: kong/3.4.2
        
     * Issue another request to this URL: 'https://example.com/echo'
    
     * Server certificate:
     *  subject: CN=example.com
         
     > GET /echo HTTP/2
     > Host: example.com
     >
     < HTTP/2 200
     < via: kong/3.4.2
     <
     Welcome, you are connected to node kind-control-plane.
     Running on Pod echo-74d47cc5d9-pq2mw.
     In namespace default.
     With IP address 10.244.0.7.
    

Kong Gateway correctly serves the request only on the HTTPS protocol and redirects the user if the HTTP protocol is used. The -k flag in cURL skips certificate validation as the certificate is served by Kong Gateway is a self-signed one. If you are serving this traffic through a domain that you control and have configured TLS properties for it, then the flag won’t be necessary.

Cleanup

kubectl delete -n kong -f https://developer.konghq.com/manifests/kic/echo-service.yaml
Copied to clipboard!

Did this doc help?

Something wrong?

Help us make these docs great!

Kong Developer docs are open source. If you find these useful and want to make them better, contribute today!