Hello Javier,
Use an Ingress object in GKE. See here for the steps: https://cloud.google.com/kubernetes-engine/docs/how-to/load-balance-ingress
This will also automatically create an "external load balancer".
The Ingress definition would look like the snippet below.
Storing TLS certificate/private key into a Kubernetes Secret
kubectl create --namespace gke-system secret tls SECRET_NAME \
  --key privkey.pem \
  --cert fullchain.pem
------------
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: iagingressresource
  annotations:
    # If the class annotation is not specified it defaults to "gce".
    kubernetes.io/ingress.class: "gce"
    kubernetes.io/ingress.allow-http: "false" # If disabling HTTP is needed
spec:
  tls:
  - secretName: secret-name # to be generated
  rules:
  - http:
      paths:
      - path: /
        backend:
          serviceName: iag
          servicePort: 8443
-------------------
The Service yaml
#
# The service description of the IAG service.
#
apiVersion: v1
kind: Service
metadata:
  name: iag
spec:
  ports:
  - port: 8443
    name: iag
    protocol: TCP
  selector:
    app: iag
-------
Kind regards,
Serge Vereecke
------------------------------
Serge Vereecke
------------------------------
Original Message:
Sent: Fri October 02, 2020 02:44 AM
From: Javier Garcia Pazos
Subject: IBM Application Gateway redirection from http to https
Hello Serge,
I don't have a lot of experience using Ingress in Kubernetes. In fact, I am moving from docker swarm to GKE and I need a piece like IAG. So how is the best way to use IAG in Kubernetes? Exposing it as LoadBalancer or using one Ingress?
Regards
------------------------------
Javier Garcia Pazos
Original Message:
Sent: Fri October 02, 2020 02:33 AM
From: Serge Vereecke
Subject: IBM Application Gateway redirection from http to https
Hello
As Jon explained, the redirect from HTTP to HTTPS will also depend on the environment where you are deploying the IAG containers.
Here is an example of an Ingress definition (IBM Kubernetes service), where you can see the annotation which causes HTTP traffic to be redirected to HTTPS. So (VPC) load balancers, application load balancers, ... all determine what traffic is arriving at the IAG container.
Key is the understanding of the setup and the nodes which the request is travelling through.
---
kind: Ingress
metadata:
  name: iagingressresource
  annotations:
    ingress.bluemix.net/redirect-to-https: "True"
Kind regards,
Serge Vereecke
------------------------------
Serge Vereecke
Original Message:
Sent: Thu October 01, 2020 10:15 AM
From: Javier Garcia Pazos
Subject: IBM Application Gateway redirection from http to https
Thank you very much Jon,
I will try it but it was just a test.
Regards
------------------------------
Javier Garcia Pazos
Original Message:
Sent: Thu October 01, 2020 09:55 AM
From: Jon Harry
Subject: IBM Application Gateway redirection from http to https
Hi Javier,
I suspect you'll only be able to access public resources over HTTP. As soon as authentication is required, IAG looks for authentication mechanisms that are enabled for the protocol you're accessing with. Since OIDC is the only supported authentication mechanism and it requires a secure connection, you just get back forbidden.
If you add policies to allow public access to some pages you should be able to access those over HTTP.
If you want to allow users to be redirected over HTTPS only when they access a protected page, you can modify the Forbidden page and add client-side JavaScript that redirects to the HTTPS URL if not currently using HTTPS.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Thu October 01, 2020 09:40 AM
From: Javier Garcia Pazos
Subject: IBM Application Gateway redirection from http to https
Hello again Jon,
I wanted to try http connection (not redirection to https) but when I try to access a resource, I get a "Forbidden page". If I go through https, it works as expected. Is it possible to go through http?
Regards
------------------------------
Javier Garcia Pazos
Original Message:
Sent: Thu October 01, 2020 07:22 AM
From: Javier Garcia Pazos
Subject: IBM Application Gateway redirection from http to https
Thank you very much Jon. It works.
------------------------------
Javier Garcia Pazos
Original Message:
Sent: Thu October 01, 2020 05:30 AM
From: Jon Harry
Subject: IBM Application Gateway redirection from http to https
Hi Javier,
I had a proper look at this and was able to get it working.
First of all, I found that the "protocols" configuration didn't work in the 20.01 version I was initially testing with. I had to use 20.07 version.
To get IAG to listen on HTTP port, I added this to the server section of configuration:
server:
  protocols:
  - http
  - https
I also had to add the following to advanced configuration:
advanced:
  configuration:
  - stanza: server
    entry: redirect-http-to-https
    operation: set
    value: [ true ]
  - stanza: server
    entry: web-http-port
    operation: set
    value: ["80"]
  - stanza: server
    entry: web-https-port
    operation: set
    value: ["443"]
The first advanced configuration enables the redirect function. The other two tell the IAG the ports that are being used externally so that its redirects are built for the correct location.
For port publishing, I used 127.0.0.1:80:8080 and 127.0.0.1:443:8443.
I hope this helps you get the function that you need.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
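Added example, not part of the original thread or of IBM's code: a shell check that a plain-HTTP response really is a redirect to the external HTTPS port, which is what the web-http-port / web-https-port entries above are meant to guarantee. The host name iag.example.com and the three header samples are constructed for illustration; that a misconfigured gateway would leak the container port 8443 into the Location header is an assumption used for the failing case.

```shell
#!/bin/sh
# check_redirect HOST [HTTPS_PORT]   (response headers on stdin)
# Succeeds only when the status is a redirect and Location targets
# https://HOST on the expected *external* port (default 443).
check_redirect() {
    want_host=$1
    want_port=${2:-443}
    headers=$(tr -d '\r')
    code=$(printf '%s\n' "$headers" | awk 'NR==1 {print $2}')
    location=$(printf '%s\n' "$headers" |
        awk 'tolower($1)=="location:" {print $2; exit}')
    case $code in
        301|302|303|307|308) ;;
        *) echo "FAIL: status $code is not a redirect"; return 1 ;;
    esac
    case $location in
        https://*) ;;
        *) echo "FAIL: Location '$location' is not https"; return 1 ;;
    esac
    # authority = text between "https://" and the next "/"
    authority=${location#https://}
    authority=${authority%%/*}
    expected=$want_host
    [ "$want_port" = 443 ] || expected=$want_host:$want_port
    if [ "$authority" != "$expected" ] &&
       [ "$authority" != "$want_host:$want_port" ]; then
        echo "FAIL: redirect targets '$authority', expected '$expected'"
        return 1
    fi
    echo "OK: $code -> $location"
}

# Constructed sample responses (not captured from a real IAG instance).
SAMPLE_OK=$(printf 'HTTP/1.1 302 Found\r\nLocation: https://iag.example.com/app\r\n')
SAMPLE_INTERNAL_PORT=$(printf 'HTTP/1.1 302 Found\r\nlocation: https://iag.example.com:8443/app\r\n')
SAMPLE_FORBIDDEN=$(printf 'HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n')

# Live use against the port publishing described above:
#   curl -sI http://127.0.0.1:80/ | check_redirect 127.0.0.1 443
```

The 403 sample corresponds to the "Forbidden page" behaviour reported elsewhere in this thread when HTTP is reachable but the redirect is not enabled.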
Original Message:
Sent: Thu October 01, 2020 02:18 AM
From: Javier Garcia Pazos
Subject: IBM Application Gateway redirection from http to https
Hello Jon
I am so sorry because I couldn't answer, I was on holidays.
I tried your solution, but I can't access port 8080 or 80. I tried it in docker and kubernetes but in both cases, I can access 8443 but I can't 8080 as documentation says, nor 80.
For your knowledge, in docker I tried to publish 8443 and 8080 or 80 using the publish flag.
Regards
------------------------------
Javier Garcia Pazos
Original Message:
Sent: Fri September 18, 2020 03:19 AM
From: Jon Harry
Subject: IBM Application Gateway redirection from http to https
Just as a quick follow-up...
Setting the IAG to respond to HTTP requests with a re-direct to HTTPS will only work if the client browser can reach port 80 on the IAG for it to respond.
You'll need to make sure that this port is exposed as a service from the container and that it is being forwarded through the Load Balancer.
I have read in some places about the ability to perform HTTP->HTTPS redirect within the load balancer itself. I assume this depends on the environment and the options available in the Load Balancer (or the ingress that sits behind it if applicable).
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Fri September 18, 2020 12:28 AM
From: Scott Exton
Subject: IBM Application Gateway redirection from http to https
Javier,
It is possible to do this by setting the following advanced configuration parameter:
advanced:
  configuration:
  - stanza: server
    entry: redirect-http-to-https
    operation: set
    value: [ false ]
------------------------------
Scott Exton
IBM
Gold Coast
Original Message:
Sent: Thu September 17, 2020 03:44 AM
From: Javier Garcia Pazos
Subject: IBM Application Gateway redirection from http to https
Hello,
I am trying IAG in Kubernetes exposing IAG with a LoadBalancer Service. Is it possible to redirect all incoming connections from http to https?
Regards
------------------------------
Javier Garcia Pazos
------------------------------