Fix NGINX sslredirect annotation support
Co-authored-by: Michael <michael.matur@gmail.com>
parent
653b105cb7
commit
0a3239463b
2 changed files with 38 additions and 32 deletions
|
|
@ -942,39 +942,50 @@ func applySSLRedirectConfiguration(routerName string, ingressConfig ingressConfi
|
||||||
|
|
||||||
sslRedirect := ptr.Deref(ingressConfig.SSLRedirect, hasTLS)
|
sslRedirect := ptr.Deref(ingressConfig.SSLRedirect, hasTLS)
|
||||||
|
|
||||||
if !forceSSLRedirect && !sslRedirect {
|
if hasTLS {
|
||||||
if hasTLS {
|
// An Ingress with TLS configuration creates only a Traefik router with a TLS configuration,
|
||||||
httpRouter := &dynamic.Router{
|
// so no Non-TLS router exists to handle HTTP traffic, and we should create it.
|
||||||
Rule: rt.Rule,
|
httpRouter := &dynamic.Router{
|
||||||
// "default" stands for the default rule syntax in Traefik v3, i.e. the v3 syntax.
|
Rule: rt.Rule,
|
||||||
RuleSyntax: "default",
|
// "default" stands for the default rule syntax in Traefik v3, i.e. the v3 syntax.
|
||||||
Middlewares: rt.Middlewares,
|
RuleSyntax: "default",
|
||||||
Service: rt.Service,
|
Middlewares: rt.Middlewares,
|
||||||
}
|
Service: rt.Service,
|
||||||
|
}
|
||||||
|
conf.HTTP.Routers[routerName+"-http"] = httpRouter
|
||||||
|
|
||||||
conf.HTTP.Routers[routerName+"-http"] = httpRouter
|
// If either forceSSLRedirect or sslRedirect are enabled,
|
||||||
|
// the HTTP router needs to redirect to HTTPS.
|
||||||
|
if forceSSLRedirect || sslRedirect {
|
||||||
|
redirectMiddlewareName := routerName + "-redirect-scheme"
|
||||||
|
conf.HTTP.Middlewares[redirectMiddlewareName] = &dynamic.Middleware{
|
||||||
|
RedirectScheme: &dynamic.RedirectScheme{
|
||||||
|
Scheme: "https",
|
||||||
|
ForcePermanentRedirect: true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
httpRouter.Middlewares = []string{redirectMiddlewareName}
|
||||||
|
httpRouter.Service = "noop@internal"
|
||||||
}
|
}
|
||||||
|
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
|
||||||
redirectRouter := &dynamic.Router{
|
// An Ingress with no TLS configuration and forceSSLRedirect annotation should always redirect on HTTPS,
|
||||||
Rule: rt.Rule,
|
// even if no route exists for HTTPS.
|
||||||
// "default" stands for the default rule syntax in Traefik v3, i.e. the v3 syntax.
|
if forceSSLRedirect {
|
||||||
RuleSyntax: "default",
|
redirectMiddlewareName := routerName + "-redirect-scheme"
|
||||||
Service: "noop@internal",
|
conf.HTTP.Middlewares[redirectMiddlewareName] = &dynamic.Middleware{
|
||||||
|
RedirectScheme: &dynamic.RedirectScheme{
|
||||||
|
Scheme: "https",
|
||||||
|
ForcePermanentRedirect: true,
|
||||||
|
},
|
||||||
|
}
|
||||||
|
rt.Middlewares = append([]string{redirectMiddlewareName}, rt.Middlewares...)
|
||||||
}
|
}
|
||||||
|
|
||||||
redirectMiddlewareName := routerName + "-redirect-scheme"
|
// An Ingress that is not forcing sslRedirect and has no TLS configuration does not redirect,
|
||||||
conf.HTTP.Middlewares[redirectMiddlewareName] = &dynamic.Middleware{
|
// even if sslRedirect is enabled.
|
||||||
RedirectScheme: &dynamic.RedirectScheme{
|
|
||||||
Scheme: "https",
|
|
||||||
ForcePermanentRedirect: true,
|
|
||||||
},
|
|
||||||
}
|
|
||||||
redirectRouter.Middlewares = append(redirectRouter.Middlewares, redirectMiddlewareName)
|
|
||||||
|
|
||||||
conf.HTTP.Routers[routerName+"-redirect"] = redirectRouter
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func applyForwardAuthConfiguration(routerName string, ingressConfig ingressConfig, rt *dynamic.Router, conf *dynamic.Configuration) error {
|
func applyForwardAuthConfiguration(routerName string, ingressConfig ingressConfig, rt *dynamic.Router, conf *dynamic.Configuration) error {
|
||||||
|
|
|
||||||
|
|
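Review bot: In the `hasTLS` branch the new `-http` router is built from `Middlewares: rt.Middlewares` and `Service: rt.Service`, which is a snapshot of the TLS router at the moment this function runs. When ssl-redirect is explicitly disabled, that router serves the backend over plaintext, so any auth or access-control middleware appended to `rt.Middlewares` afterwards would protect only the TLS router. The call order is not visible here (`applyForwardAuthConfiguration` is defined right below), and the function starts outside the hunk. I would state the requirement at the copy, `// Must run after every other step that appends to rt.Middlewares: the -http router copies the chain as-is.`, and copy with `Middlewares: append([]string(nil), rt.Middlewares...)` so the two routers do not share a backing array.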
@ -175,7 +175,7 @@ func TestLoadIngresses(t *testing.T) {
|
||||||
TLS: &dynamic.RouterTLSConfig{},
|
TLS: &dynamic.RouterTLSConfig{},
|
||||||
Service: "default-ingress-with-ssl-redirect-whoami-80",
|
Service: "default-ingress-with-ssl-redirect-whoami-80",
|
||||||
},
|
},
|
||||||
"default-ingress-with-ssl-redirect-rule-0-path-0-redirect": {
|
"default-ingress-with-ssl-redirect-rule-0-path-0-http": {
|
||||||
Rule: "Host(`sslredirect.localhost`) && Path(`/`)",
|
Rule: "Host(`sslredirect.localhost`) && Path(`/`)",
|
||||||
RuleSyntax: "default",
|
RuleSyntax: "default",
|
||||||
Middlewares: []string{"default-ingress-with-ssl-redirect-rule-0-path-0-redirect-scheme"},
|
Middlewares: []string{"default-ingress-with-ssl-redirect-rule-0-path-0-redirect-scheme"},
|
||||||
|
|
@ -193,15 +193,10 @@ func TestLoadIngresses(t *testing.T) {
|
||||||
Service: "default-ingress-without-ssl-redirect-whoami-80",
|
Service: "default-ingress-without-ssl-redirect-whoami-80",
|
||||||
},
|
},
|
||||||
"default-ingress-with-force-ssl-redirect-rule-0-path-0": {
|
"default-ingress-with-force-ssl-redirect-rule-0-path-0": {
|
||||||
Rule: "Host(`forcesslredirect.localhost`) && Path(`/`)",
|
|
||||||
RuleSyntax: "default",
|
|
||||||
Service: "default-ingress-with-force-ssl-redirect-whoami-80",
|
|
||||||
},
|
|
||||||
"default-ingress-with-force-ssl-redirect-rule-0-path-0-redirect": {
|
|
||||||
Rule: "Host(`forcesslredirect.localhost`) && Path(`/`)",
|
Rule: "Host(`forcesslredirect.localhost`) && Path(`/`)",
|
||||||
RuleSyntax: "default",
|
RuleSyntax: "default",
|
||||||
Middlewares: []string{"default-ingress-with-force-ssl-redirect-rule-0-path-0-redirect-scheme"},
|
Middlewares: []string{"default-ingress-with-force-ssl-redirect-rule-0-path-0-redirect-scheme"},
|
||||||
Service: "noop@internal",
|
Service: "default-ingress-with-force-ssl-redirect-whoami-80",
|
||||||
},
|
},
|
||||||
},
|
},
|
||||||
Middlewares: map[string]*dynamic.Middleware{
|
Middlewares: map[string]*dynamic.Middleware{
|
||||||
|
|
|
||||||
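Review bot: The updated expectation for `default-ingress-with-force-ssl-redirect-rule-0-path-0` covers only an ingress whose sole middleware is the redirect. The prepend in `rt.Middlewares = append([]string{redirectMiddlewareName}, rt.Middlewares...)` is therefore not pinned by what is visible here. A fixture combining force-ssl-redirect with another middleware-producing annotation would assert that the redirect stays first, so no request is authenticated or forwarded over plaintext before being redirected. TestLoadIngresses continues outside these hunks, so such a case may already exist.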