From 9f6d3d0ae466eb82905cbd67dd36feb6e5b6e9a3 Mon Sep 17 00:00:00 2001 From: Jonathan Buch Date: Tue, 24 Feb 2026 16:16:21 +0100 Subject: [PATCH 1/3] REORG/MINOR: restructure redirect rule creation for clarity * Split host and SSL redirects conceptually, as they do distinct things. The SSL redirect does not look at the host setting when redirecting. --- pkg/haproxy/rules/reqRequestRedirect.go | 34 +++++++++++++++++++------ 1 file changed, 26 insertions(+), 8 deletions(-) diff --git a/pkg/haproxy/rules/reqRequestRedirect.go b/pkg/haproxy/rules/reqRequestRedirect.go index d9bac63b..27a343d5 100644 --- a/pkg/haproxy/rules/reqRequestRedirect.go +++ b/pkg/haproxy/rules/reqRequestRedirect.go @@ -26,21 +26,39 @@ func (r RequestRedirect) Create(client api.HAProxyClient, frontend *models.Front if frontend.Mode == "tcp" { return errors.New("request redirection cannot be configured in TCP mode") } - var rule string + var httpRule models.HTTPRequestRule if r.SSLRedirect { - rule = fmt.Sprintf("https://%%[hdr(host),field(1,:)]:%d%%[capture.req.uri]", r.RedirectPort) + httpRule = r.sslRedirect() } else { - scheme := "http" - if r.SSLRequest { - scheme = "https" - } - rule = fmt.Sprintf(scheme+"://%s%%[capture.req.uri]", r.Host) + httpRule = r.hostRedirect() } + + return client.FrontendHTTPRequestRuleCreate(0, frontend.Name, httpRule, ingressACL) +} + +func (r RequestRedirect) sslRedirect() models.HTTPRequestRule { + rule := fmt.Sprintf("https://%%[hdr(host),field(1,:)]:%d%%[capture.req.uri]", r.RedirectPort) httpRule := models.HTTPRequestRule{ Type: "redirect", RedirCode: utils.PtrInt64(r.RedirectCode), RedirValue: rule, RedirType: "location", } - return client.FrontendHTTPRequestRuleCreate(0, frontend.Name, httpRule, ingressACL) + + return httpRule +} + +func (r RequestRedirect) hostRedirect() models.HTTPRequestRule { + scheme := "http" + if r.SSLRequest { + scheme = "https" + } + rule := fmt.Sprintf(scheme+"://%s%%[capture.req.uri]", r.Host) + httpRule := models.HTTPRequestRule{ + Type: "redirect", + RedirCode: utils.PtrInt64(r.RedirectCode), + RedirValue: rule, + RedirType: "location", + } + return httpRule } From f82d4e971aeeb5307dbe0b68e352e4df26992a58 Mon Sep 17 00:00:00 2001 From: Jonathan Buch Date: Tue, 24 Feb 2026 16:20:50 +0100 Subject: [PATCH 2/3] MEDIUM: revise SSL redirection if redirecting to default HTTPS port * The default for the controller is to generate redirects to port 8443, as this port can be bound to in a rootless container. * Running the container in a Kubernetes setting having a service port mapping to port 443 introduces the need to change this default configuration. * Having the default HTTPS port 443 appended to the redirect breaks certain caching behaviors and is thus not ideal. * This commit aims to purely switch the scheme from HTTP to HTTPS without changing anything else about the request, the only user visible change being that the :443 in the redirect URL is no longer visible. * fixes #642 --- pkg/haproxy/rules/reqRequestRedirect.go | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/pkg/haproxy/rules/reqRequestRedirect.go b/pkg/haproxy/rules/reqRequestRedirect.go index 27a343d5..1eceff44 100644 --- a/pkg/haproxy/rules/reqRequestRedirect.go +++ b/pkg/haproxy/rules/reqRequestRedirect.go @@ -18,6 +18,8 @@ type RequestRedirect struct { SSLRedirect bool } +const DefaultHTTPSPort = 443 + func (r RequestRedirect) GetType() Type { return REQ_REDIRECT } @@ -37,14 +39,18 @@ func (r RequestRedirect) Create(client api.HAProxyClient, frontend *models.Front } func (r RequestRedirect) sslRedirect() models.HTTPRequestRule { - rule := fmt.Sprintf("https://%%[hdr(host),field(1,:)]:%d%%[capture.req.uri]", r.RedirectPort) httpRule := models.HTTPRequestRule{ - Type: "redirect", - RedirCode: utils.PtrInt64(r.RedirectCode), - RedirValue: rule, - RedirType: "location", + Type: "redirect", + RedirCode: utils.PtrInt64(r.RedirectCode), + } + if r.RedirectPort == DefaultHTTPSPort { + httpRule.RedirType = "scheme" + httpRule.RedirValue = "https" + } else { + rule := fmt.Sprintf("https://%%[hdr(host),field(1,:)]:%d%%[capture.req.uri]", r.RedirectPort) + httpRule.RedirType = "location" + httpRule.RedirValue = rule } - return httpRule } From 24cc55def0c2f1d1f2596a84e89d594d4e24050f Mon Sep 17 00:00:00 2001 From: Jonathan Buch Date: Wed, 4 Mar 2026 13:29:44 +0100 Subject: [PATCH 3/3] BUILD/MINOR: Add Kubernetes and HTTP for aspell --- .aspell.yml | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.aspell.yml b/.aspell.yml index 48bb8664..0b8bda85 100644 --- a/.aspell.yml +++ b/.aspell.yml @@ -72,5 +72,7 @@ allowed: - userlist - tmp - kubectl + - Kubernetes + - HTTPS - PEM - redact