Bug 2002205

Summary: HTTPS redirect happens even if there is a more specific http-only route
Product: OpenShift Container Platform Reporter: Pablo Alonso Rodriguez <palonsor>
Component: NetworkingAssignee: Miheer Salunke <misalunk>
Networking sub component: router QA Contact: Arvind iyengar <aiyengar>
Status: CLOSED DUPLICATE Docs Contact:
Severity: medium    
Priority: medium CC: aos-bugs, hongli, misalunk, ops
Version: 4.7   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-09-08 16:14:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pablo Alonso Rodriguez 2021-09-08 09:03:55 UTC 
Description of problem:

Let's say we have 2 routes like this:
- HTTP-only route for "myapp.apps.example.com" domain and "/mypath" path
- HTTPS-edge-redirect route for "myapp.apps.example.com" and no path

In such situation, redirect is sent for any query to "myapp.apps.example.com", including "myapp.apps.example.com/mypath", so the more specific path route is not taking precedence as expected.

OpenShift release version:

4.7 (also reproduced on latest dev version)

Cluster Platform:

Any

How reproducible:

Always as per steps

Steps to Reproduce (in detail):
1. Create HTTP-only route for "myapp.apps.example.com" domain and "/mypath" path
2. Create HTTPS-edge-redirect route for "myapp.apps.example.com" and no path
3. "curl -v http://myapp.apps.example.com/mypath"


Actual results:

A redirect to https://myapp.apps.example.com/mypath

Expected results:

http://myapp.apps.example.com/mypath to serve plain http and serve whatever service is pointed by the HTTP-only more specific route.

Impact of the problem:

(check comments)

Additional info:

If we check this template fragment[1], we see that the redirect check is done before the use backend, so if there is a redirect route for which the hostname could match (even if it has less precedence than the http-only route), then the redirect is sent

[1] - https://github.com/openshift/router/blob/release-4.9/images/router/haproxy/conf/haproxy-config.template#L233
Comment 2 Miheer Salunke 2021-09-08 16:14:19 UTC 

*** This bug has been marked as a duplicate of bug 1896474 ***