HTTPS redirect for front proxy


Richard Lincoln

Mar 8, 2018, 4:36:03 PM3/8/18
to envoy-users
I successfully modified the front-proxy example for my site and extended it with TLS configuration. It works over https, but I would like it to redirect http connections to https. I tried adding require_tls: ALL but it doesn't seem to have any effect. This is my config for the front proxy:

# Envoy front-proxy config as posted in the question: ONE listener on port 80
# that carries both the HTTP routes and a tls_context.
# NOTE(review): because the only filter chain has a tls_context, this port
# expects a TLS handshake. A plain-HTTP client therefore presumably never
# reaches the HTTP connection manager, which would explain why require_tls
# appears to have no effect.
static_resources:
  listeners:
  - address:
      socket_address:
        # Listens on every interface inside the container.
        address: 0.0.0.0
        port_value: 80
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              # Wildcard: this virtual host answers for any Host header.
              domains:
              - "*"
              # Intended to make Envoy redirect non-TLS requests to https.
              # It can only act on requests that reach this virtual host in
              # cleartext, so it needs a listener without a tls_context.
              require_tls: ALL
              routes:
              - match:
                  prefix: "/"
                route:
                  cluster: fileserver
          http_filters:
          - name: envoy.router
            config: {}
      # Attached to the filter chain, so every connection on port 80 is TLS.
      tls_context:
        common_tls_context:
          alpn_protocols: "h2,http/1.1"
          tls_certificates:
          # NOTE(review): the private key sits in the same directory as the
          # public certificates; confirm its file mode is not world-readable.
          - certificate_chain: { filename: "/etc/ssl/certs/website.company.crt" }
            private_key: { filename: "/etc/ssl/certs/website.company.key" }
          # NOTE(review): on a listener, trusted_ca is used to verify client
          # certificates, not to serve the site's own chain. Confirm this is
          # intended; it is not needed for ordinary server-side TLS.
          validation_context:
            trusted_ca: { filename: "/etc/ssl/certs/ca-certificates.crt" }
  clusters:
  # Upstream hop: no tls_context on this cluster, so traffic to the
  # fileserver is cleartext HTTP/2. Acceptable only if the network between
  # the two containers is trusted.
  - name: fileserver
    connect_timeout: 0.25s
    type: strict_dns
    lb_policy: round_robin
    http2_protocol_options: {}
    hosts:
    - socket_address:
        address: fileserver
        port_value: 80
# NOTE(review): the admin interface is bound to all interfaces and its access
# log is discarded. The admin endpoint is unauthenticated and can change server
# state, so bind it to 127.0.0.1 or restrict which peers can reach port 8001,
# and keep an access log if its use should be auditable.
admin:
  access_log_path: "/dev/null"
  address:
    socket_address:
      address: 0.0.0.0
      port_value: 8001



In my docker-compose.yml both port 80 and 443 are mapped to port 80 of the Envoy container:


# Compose file from the question: front-envoy in front of a fileserver on a
# shared user-defined network.
version: "2"
services:
  front-envoy:
    # Image reference comes from the environment; NOTE(review): prefer a
    # pinned tag or digest so the proxy image cannot change silently.
    image: $FRONT_ENVOY_CONTAINER_IMAGE
    networks:
      - envoymesh
    # 'expose' makes these ports reachable from other containers on the
    # network only; 8001 (Envoy admin) is not published to the host here.
    expose:
      - "80"
      - "8001"
    # Both host ports land on the SAME container port 80, so cleartext HTTP
    # (host 80) and HTTPS (host 443) reach one listener, which can speak only
    # one of the two protocols.
    ports:
      - "80:80"
      - "443:80"
    # Certificate and private key are bind-mounted from the host's lego
    # directory. NOTE(review): these mounts are read-write by default; a
    # ':ro' suffix keeps a compromised proxy from altering the key material.
    volumes:
      - /root/.lego/certificates/website.company.crt:/etc/ssl/certs/website.company.crt
      - /root/.lego/certificates/website.company.key:/etc/ssl/certs/website.company.key

  fileserver:
    image: $FILESERVER_CONTAINER_IMAGE
    networks:
      envoymesh:
        # DNS name that the Envoy cluster resolves (strict_dns).
        aliases:
          - fileserver
    environment:
      - SERVICE_NAME=fileserver
    # Not published to the host: reachable only through the network below.
    expose:
      - "80"

networks:
  envoymesh: {}


Can anyone point out to me what I'm doing wrong? It would be very much appreciated.

Regards,
Richard

Richard Lincoln

Mar 9, 2018, 5:00:05 AM3/9/18
to envoy-users
I was able to solve this by creating a second listener with a redirect route:

# Working layout from the follow-up post: a cleartext listener on 80 that only
# redirects, and a separate listener on 443 (remainder elided by the author).
static_resources:
  listeners:

  # Plain-HTTP listener: no tls_context, and its single route never forwards
  # to a cluster, so no content is served over cleartext.
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 80
    filter_chains:
    - filters:
      - name: envoy.http_connection_manager
        config:
          codec_type: auto
          stat_prefix: ingress_http
          route_config:
            name: local_route
            virtual_hosts:
            - name: backend
              domains:
              - "*"
              routes:
              # Every path is answered with a redirect to the https scheme.
              # NOTE(review): the first request still travels in cleartext;
              # a Strict-Transport-Security header on the HTTPS responses
              # lets returning browsers skip this hop.
              - match: { prefix: "/" }
                redirect: { https_redirect: true }
          http_filters:
          - name: envoy.router
            config: {}

  # Second listener on 443; its filter chain is not shown in the post.
  # Presumably it carries the tls_context and the route to the fileserver
  # cluster from the original config - confirm against the full file.
  - address:
      socket_address:
        address: 0.0.0.0
        port_value: 443
<snip>


The docker-compose.yml file then maps to the separate listeners:

# Compose file from the follow-up post (truncated by the author after
# 'volumes:').
version: "2"
services:
  front-envoy:
    image: $FRONT_ENVOY_CONTAINER_IMAGE
    networks:
      - envoymesh
    # NOTE(review): 443 is published below but not listed here, which is
    # harmless since 'ports' implies reachability. 8001 (Envoy admin) stays
    # internal to the network and is not published to the host.
    expose:
      - "80"
      - "8001"
    # Each host port now maps to its own listener: 80 -> redirect-only
    # cleartext listener, 443 -> TLS listener.
    ports:
      - "80:80"
      - "443:443"
    volumes:
<snip>