origin: Unable to create HTTP and HTTPS routes that point to the same host but different services or backend ports

It looks like the new route uniqueness code that went in recently may be preventing the valid use case of having a secure and unsecure route for the same host.

Testing with unsecure and edge route:

```
[vagrant@openshiftdev openshift]$ oadm router --credentials="$KUBECONFIG" --service-account="default"
password for stats user admin has been set to skr6DjtK3G
deploymentconfigs/router
services/router

[vagrant@openshiftdev ~]$ git clone https://github.com/pweil-/hello-nginx-docker
[vagrant@openshiftdev ~]$ oc create -f hello-nginx-docker/openshift/nginx_pod.json 
pod "hello-nginx-docker" created
[vagrant@openshiftdev ~]$ oc create -f hello-nginx-docker/openshift/unsecure/service.json 
service "hello-nginx-http" created
[vagrant@openshiftdev ~]$ oc create -f hello-nginx-docker/openshift/unsecure/route.json 
route "route-unsecure" created
[vagrant@openshiftdev ~]$ curl -H Host:www.example.com 0.0.0.0
Hello World

[vagrant@openshiftdev ~]$ oc create -f hello-nginx-docker/openshift/edge/route.json 

[vagrant@openshiftdev ~]$ oc exec router-1-fexe1 -- cat /var/lib/haproxy/conf/os_edge_http_be.map
[vagrant@openshiftdev ~]$ oc exec router-1-fexe1 -- cat /var/lib/haproxy/conf/os_http_be.map
www.example.com default_route-unsecure
[vagrant@openshiftdev ~]$ oc exec router-1-fexe1 -- cat /var/lib/haproxy/conf/haproxy.config
<snip>
##-------------- app level backends ----------------





backend be_http_default_route-unsecure

  mode http
  option redispatch
  option forwardfor
  balance leastconn
  timeout check 5000ms
  http-request set-header X-Forwarded-Host %[req.hdr(host)]
  http-request set-header X-Forwarded-Port %[dst_port]
  http-request set-header X-Forwarded-Proto https if { ssl_fc }

    cookie OPENSHIFT_default_route-unsecure_SERVERID insert indirect nocache httponly
    http-request set-header X-Forwarded-Proto http

  http-request set-header Forwarded for=%[src],host=%[req.hdr(host)],proto=%[req.hdr(X-Forwarded-Proto)]

  server 172.17.0.5:80 172.17.0.5:80 check inter 5000ms cookie 172.17.0.5:80
```

About this issue

  • State: closed
  • Created 9 years ago
  • Reactions: 1
  • Comments: 27 (22 by maintainers)

Most upvoted comments

Use case is defining both http://mysite.com and https://mysite.com where I allow a portion of my site to be unsecure. For instance, a web app that allows you to go to their marketing area without https but uses https for the actual app itself.

The alternative here is to make the whole app secure if you need a portion of the app secure. Not terrible but a bit inconvenient. Might be able to get around it by using path-based routes.