Comments (6)
ivanmatmati
commented on July 3, 2024
Hi @ynuyasha , I'm looking at it and will get back to you with some news. Thanks for reporting.
from kubernetes-ingress.
ivanmatmati
commented on July 3, 2024
Can you indicate what you get in your /etc/haproxy/maps/path-prefix.map file with regards to these two ingress paths ? I'd also like to get the version number of the controller and if relevant of HAProxy (if modified).
from kubernetes-ingress.
ynuyasha
commented on July 3, 2024
------------------host.map---------------------------------
.domain.tld .domain.tld
argocd.domain.tld argocd.domain.tld
-----------------path-prefix.map------------------------------------------------------------
.domain.tld/ development_domain_https.dbe4b28f9c4404fc36a7ae76ead9a37d
argocd.domain.tld/ argocd_argocd-server_http.dbe4b28f9c4404fc36a7ae76ead9a37d
----------------sni.map---------------------------------------------------------------------
.domain.tld development_domain_https.dbe4b28f9c4404fc36a7ae76ead9a37d
--------------------------------------------------------------------------------------------
Image: haproxytech/kubernetes-ingress:1.10.4
Image ID: docker.io/haproxytech/kubernetes-ingress@sha256:a378e3999ae728422425947e98ba3cbf72fc076fcb79462d98902921d298d20f
from kubernetes-ingress.
ivanmatmati
commented on July 3, 2024
Hi @ynuyasha , can you paste the output of a verbose curl to the wrong redirection ? Can you also check the log output for the request ?
from kubernetes-ingress.
ynuyasha
commented on July 3, 2024
Hey @ivanmatmati unfortunately i don't have anymore this configuration online because i have switched from sni to http to go forward with the project, so i can't give you the curl but i have the haproxy logs with the wrong redirect:
172.30.106.217:57848 [16/Jan/2024:17:57:51.308] ssl development_domain_https/SRV_1 78/0/311 6130 -- 4/3/1/1/0 0/0 SNI: argocd.domain.tld
Anyway Daniel Epperson has also all hints about this issue
from kubernetes-ingress.
depperson
commented on July 3, 2024
Ingress Controller does this "fallback" behavior already if an incoming SNI is not matched on the ssl-passthrough listener (frontend ssl). The problem you were facing is that the your Ingress object with ssl-passthrough enabled was *.domain.tld so it always matched before any subdomains could be evaluated by the later frontend https.
To work around the issue you would need to not use the wildcard *.domain.tld in the ssl-passthrough Ingress object and instead specify each domain which need to use passthrough.
I think what you need is a "fallback" service with ssl-passthrough after all other options have been evaluated. For example a.domain.tld goes to svc a and b.domain.tld goes to svc b (both with SSL termination at IC) but anything else not matched by Ingress objects should fall back to svc sslpass with ssl passthrough enabled. Perhaps if "frontend ssl" was evaluated after "frontend https" this would do what you're asking?
from kubernetes-ingress.
Related Issues (20)
- Annotation haproxy.org/route-acl disrupts path resolution when we have many paths for a domain HOT 3
- --http-bind-port=80 does not work. binds on 8080 HOT 12
- support for blue green deployments using weights based on headers or cookies HOT 1
- Tcp log format release HOT 1
- File transmission reset every one minute. HOT 5
- Backend maxconn config not working properly when running multiple ingress controllers HOT 1
- Falls back to HTTP-over-443 if the ConfigMap specified through --configmap is missing (even with --disable-http option) HOT 5
- Global option `tune_ssl_default_dh_param` has no effect HOT 3
- Not able to add `send-proxy` option to a TCP service HOT 2
- In TCP service sometime we get client_ip as an internal ip how can we get an external ip in tcp log HOT 5
- default-local-service_http error setting check: true on cr-backend HOT 5
- Default certificate does not exist HOT 6
- Configure accept-proxy HOT 4
- Inconsitent balancing HOT 11
- --ipv6-bind-address causes 'bind' missing port specification in HOT 3
- Latest versions of each HAProxy release are not available in ingress HOT 3
- binding to privileged port fail HOT 1
- feature request: geoip HOT 1
- "request-redirect" annotation always redirects to http HOT 2
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from kubernetes-ingress.