Question posted in
Some documentation to get you started can be found here.

How to redirect HTTP to HTTPS using GCP load balancer – Apache

I’m setting up my load balancer in GCP with 2 nodes (Apache httpd), with domain lblb.tonegroup.net.

Currently my load balancer is working fine, the traffic is switching over between the 2 nodes, but how do i configure to redirect http://lblb.tonegroup.net to https://lblb.tonegroup.net ?

Is it possible to configure it at the load balancer level or I need to configure it at apache level? I have Google Managed SSL cert installed FYI.

Tags:

7

Answers


  1. 0

    It is not possible to do that directly on GCP Load balancer.

    One possibility is to make the redirection on your backend service. GCP Loader balancer add x-forwarded-proto property in requests headers which is equal to http or https. You could add a condition based on this property to make a redirection.

    Login or Signup to reply.
  2. 0

    I believe the previous answer provided by Alexandre is correct; currently, it’s not possible to redirect all HTTP traffic to HTTPS when using the HTTP(S) Load Balancer. I have found a feature request already submitted for this feature; you can access it and add your comment using this link.

    You have also mentioned you are using Google managed SSL certificate but the only workaround I found is to redirect it in the Server level. In such scenario, you would have to use self-managed SSL certificate.

    To redirect HTTP URLs to HTTPS, do the following in Apache server:

    <VirtualHost *:80>
    ServerName www.example.com
    Redirect "/" "https://www.example.com/"
</VirtualHost>

<VirtualHost *:443>
    ServerName www.example.com
    # ... SSL configuration goes here
</VirtualHost>

    You would have to configure an Apache server configuration file. Refer to the apache.org documentation on Simple Redirection for more details.

    Login or Signup to reply.
  3. 0

    Maybe it’s too late, but I had the same problem and here my solution:

    1. Configure two frontends on GCP Load balancer(HTTP and HTTPS).
    2. Set port 80(http protocol) to communication to backend service and final VMs.
    3. On the backend service add the Google variable: {tls_version} as X-SSL-Protocol custom header.
    4. On final servers perform redirection based on X-SSL-Protocol value:
    5. If empty(no https), redirect(301), otherwise do nothing.

    You can check the header value on your web server or from an intermediate load balancer VM instance. My case with HAProxy:

    frontend fe_http
        bind *:80
        mode http
        #check if value is empty
        acl is_http res.hdr(X-SSL-Protocol) -m len 0
        #perform redirection only if no value found in custom header
        redirect scheme https code 301 if is_http
        #when redirect is performed, subsequent instructions are not reached
        default_backend bk_http1
    Login or Signup to reply.
  4. 0

    Right now the redirection from http to https is possible with the Load Balancer’s Traffic Management.

    Below is an example of how to set it up on their documentation:
    https://cloud.google.com/load-balancing/docs/https/setting-up-traffic-management#console

    Basically you will create two of each “forwarding rules”, targetproxy and urlmap.

    2 URLMaps

    • In 1st URL map you will just set a redirection. The define redirection rules are below and no backend service is needed to be define here
      • httpsRedirect: true
      • redirectResponseCode: FOUND
    • In 2nd map you will have to define your backend services there

    2 forwarding rules

    • 1st forwarding rule is to serve http request so basically port 80
    • 2nd forwarding rule is to serve http request so port 443

    2 targetproxy

    • 1st target proxy is targetHttpProxy, this will where the 1st forwarding rule is forwarded to and is mapped to the 1st URLMap
    • 2nd target proxy is targetHttpsProxy where the 2nd forwarding rule is forwarded to and is mapped to the 2nd URLMap

    ========================================================================

    Below is a Cloud Deployment Manager example with Managed Certificates and Storage Buckets as the backend

    storagebuckets-template.jinja

    resources:
- name: {{ properties["bucketExample"] }}
  type: storage.v1.bucket
  properties:
    storageClass: REGIONAL
    location: asia-east2
    cors:
    - origin: ["*"]
      method: [GET]
      responseHeader: [Content-Type]
      maxAgeSeconds: 3600
    defaultObjectAcl:
    - bucket: {{ properties["bucketExample"] }}
      entity: allUsers
      role: READER
    website:
     mainPageSuffix: index.html

    backendbuckets-template.jinja

    resources:
- name: {{ properties["bucketExample"] }}-backend
  type: compute.beta.backendBucket
  properties:
    bucketName: $(ref.{{ properties["bucketExample"] }}.name)
    enableCdn: true

    ipaddresses-template.jinja

    resources:
- name: lb-ipaddress
  type: compute.v1.globalAddress

    sslcertificates-template.jinja

    resources:
- name: example
  type: compute.v1.sslCertificate
  properties:
    type: MANAGED
    managed:
      domains:
      - example1.com
      - example2.com
      - example3.com

    loadbalancer-template.jinja

    resources:
- name: centralized-lb-http
  type: compute.v1.urlMap
  properties:
    defaultUrlRedirect:
      httpsRedirect: true
      redirectResponseCode: FOUND
- name: centralized-lb-https
  type: compute.v1.urlMap
  properties:
    defaultService: {{ properties["bucketExample"] }}
    pathMatchers:
    - name: example
      defaultService: {{ properties["bucketExample"] }}
      pathRules:
      - service: {{ properties["bucketExample"] }}
        paths:
        - /*
    hostRules:
    - hosts:
      - example1.com
      pathMatcher: example
    - hosts:
      - example2.com
      pathMatcher: example
    - hosts:
      - example3.com
      pathMatcher: example

    httpproxies-template.jinja

    resources:
- name: lb-http-proxy
  type: compute.v1.targetHttpProxy
  properties:
    urlMap: $(ref.centralized-lb-http.selfLink)
- name: lb-https-proxy
  type: compute.v1.targetHttpsProxy
  properties:
    urlMap: $(ref.centralized-lb-https.selfLink)
    sslCertificates: [$(ref.example.selfLink)]
- name: lb-http-forwardingrule
  type: compute.v1.globalForwardingRule
  properties:
    target: $(ref.lb-http-proxy.selfLink)
    IPAddress: $(ref.lb-ipaddress.address)
    IPProtocol: TCP
    portRange: 80-80
- name: lb-https-forwardingrule
  type: compute.v1.globalForwardingRule
  properties:
    target: $(ref.lb-https-proxy.selfLink)
    IPAddress: $(ref.lb-ipaddress.address)
    IPProtocol: TCP
    portRange: 443-443

    templates-bundle.yaml 

     imports:
 - path: backendbuckets-template.jinja
 - path: httpproxies-template.jinja
 - path: ipaddresses-template.jinja
 - path: loadbalancer-template.jinja
 - path: storagebuckets-template.jinja
 - path: sslcertificates-template.jinja

resources:
 - name: storagebuckets
   type: storagebuckets-template.jinja
   properties:
     bucketExample: example-sb
 - name: backendbuckets
   type: backendbuckets-template.jinja
   properties:
     bucketExample: example-sb
 - name: loadbalancer
   type: loadbalancer-template.jinja
   properties:
     bucketExample: $(ref.example-sb-backend.selfLink)
 - name: ipaddresses
   type: ipaddresses-template.jinja
 - name: httpproxies
   type: httpproxies-template.jinja
 - name: sslcertificates
   type: sslcertificates-template.jinja

    $ gcloud deployment-manager deployments create infrastructure --config=templates-bundle.yaml > output
    command output

     NAME                                   TYPE                             STATE      ERRORS  INTENT
 centralized-lb-http                    compute.v1.urlMap                COMPLETED  []
 centralized-lb-https                   compute.v1.urlMap                COMPLETED  []
 example                                compute.v1.sslCertificate        COMPLETED  []
 example-sb                             storage.v1.bucket                COMPLETED  []
 example-sb-backend                     compute.beta.backendBucket       COMPLETED  []
 lb-http-forwardingrule                 compute.v1.globalForwardingRule  COMPLETED  []
 lb-http-proxy                          compute.v1.targetHttpProxy       COMPLETED  []
 lb-https-forwardingrule                compute.v1.globalForwardingRule  COMPLETED  []
 lb-https-proxy                         compute.v1.targetHttpsProxy      COMPLETED  []
 lb-ipaddress                           compute.v1.globalAddress         COMPLETED  []
    Login or Signup to reply.
  5. 0

    If you use Terraform (highly recommend for GCP configuration), here’s a sample config. This code creates two IP addresses (v4 & v6) — which you would use in your https forwarding rules as well.

    // HTTP -> HTTPS redirector
resource "google_compute_url_map" "http-to-https" {
  name = "my-http-to-https"

  default_url_redirect {
    https_redirect         = true
    strip_query            = false
    redirect_response_code = "PERMANENT_REDIRECT"
  }
}

resource "google_compute_target_http_proxy" "proxy" {
  name    = "my-http-proxy"
  url_map = google_compute_url_map.http-to-https.self_link
}

resource "google_compute_global_forwarding_rule" "http-v4" {
  name       = "my-fwrule-http-v4"
  target     = google_compute_target_http_proxy.proxy.self_link
  ip_address = google_compute_global_address.IPv4.address
  port_range = "80"
}

resource "google_compute_global_forwarding_rule" "http-v6" {
  name       = "my-fwrule-http-v6"
  target     = google_compute_target_http_proxy.proxy.self_link
  ip_address = google_compute_global_address.IPv6.address
  port_range = "80"
}

resource "google_compute_global_address" "IPv4" {
  name = "my-ip-v4-address"
}

resource "google_compute_global_address" "IPv6" {
  name       = "my-ip-v6-address"
  ip_version = "IPV6"
}
    Login or Signup to reply.
  6. 0

    At a high level, to redirect HTTP traffic to HTTPS, you must do the following:

    1. Create HTTPS LB1 (called here web-map-https).
    2. Create HTTP LB2 (no backend) (called here web-map-http) with the same IP address used in LB1 and a redirect configured in the URL map.

    Please check:
    https://cloud.google.com/load-balancing/docs/https/setting-up-http-https-redirect

    Login or Signup to reply.
  7. 0

    Perhaps I’m late to the game but I use the following:

    [ingress.yaml]:

    apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: managed-cert-ingress
  annotations:
    kubernetes.io/ingress.global-static-ip-name: my-external-ip
    networking.gke.io/managed-certificates: my-google-managed-certs
    kubernetes.io/ingress.class: "gce"
    networking.gke.io/v1beta1.FrontendConfig: redirect-frontend-config
spec:
  defaultBackend:
    service:
      name: online-service
      port:
        number: 80

    [redirect-frontend-config.yaml]

    apiVersion: networking.gke.io/v1beta1
kind: FrontendConfig
metadata:
  name: redirect-frontend-config
spec:
  redirectToHttps:
    enabled: true

    I’m using the default "301 Moved Permanently", but if you’d like to use something else, just add a row under redirectToHttps containing

    responseCodeName: <CHOSEN REDIRECT RESPONSE CODE>

    MOVED_PERMANENTLY_DEFAULT to return a 301 redirect response code (default).

    FOUND to return a 302 redirect response code.

    SEE_OTHER to return a 303 redirect response code.

    TEMPORARY_REDIRECT to return a 307 redirect response code.

    PERMANENT_REDIRECT to return a 308 redirect response code.

    Further reading at
    https://cloud.google.com/kubernetes-engine/docs/how-to/ingress-features
    https://cloud.google.com/kubernetes-engine/docs/concepts/ingress

    Login or Signup to reply.
Please signup or login to give your own answer.

Back To Top
Search