From 0e5d3ca9e9cb1fb7ab9b87a52c4122ec63e941a4 Mon Sep 17 00:00:00 2001 From: Ricardo Pchevuzinske Katz Date: Mon, 13 Mar 2017 12:03:47 -0300 Subject: [PATCH] Adds support for root redirection, and improves rewrite documentation --- controllers/nginx/configuration.md | 2 +- .../rootfs/etc/nginx/template/nginx.tmpl | 19 +++--- core/pkg/ingress/annotations/rewrite/main.go | 5 +- examples/rewrite/README.md | 61 +++++++++++++++++++ 4 files changed, 76 insertions(+), 11 deletions(-) diff --git a/controllers/nginx/configuration.md b/controllers/nginx/configuration.md index b637f196e..f27bde70a 100644 --- a/controllers/nginx/configuration.md +++ b/controllers/nginx/configuration.md @@ -177,7 +177,7 @@ If the application contains relative links it is possible to add an additional a If the Application Root is exposed in a different path and needs to be redirected, the annotation `ingress.kubernetes.io/app-root` might be used. -Please check the [rewrite](examples/rewrite/README.md) example. +Please check the [rewrite](/examples/rewrite/README.md) example. ### Rate limiting diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl index e1df8e137..0e9c1bad1 100644 --- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl +++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl @@ -236,9 +236,17 @@ http { ssl_verify_client on; ssl_verify_depth {{ $location.CertificateAuth.ValidationDepth }}; {{ end }} + + {{ if (or $location.Redirect.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect)) }} + # enforce ssl on server side + if ($pass_access_scheme = http) { + return 301 https://$host$request_uri; + } + {{ end }} + {{ if not (empty $location.Redirect.AppRoot)}} - location = / { - return 302 ${{ location.Redirect.AppRoot }}; + if ($uri = /) { + return 302 {{ $location.Redirect.AppRoot }}; } {{ end }} {{ if not (empty $authPath) }} @@ -283,12 +291,7 @@ http { error_page 401 = {{ $location.ExternalAuth.SigninURL }}; {{ end }} - {{ if (or $location.Redirect.ForceSSLRedirect (and (not (empty $server.SSLCertificate)) $location.Redirect.SSLRedirect)) }} - # enforce ssl on server side - if ($pass_access_scheme = http) { - return 301 https://$host$request_uri; - } - {{ end }} + {{/* if the location contains a rate limit annotation, create one */}} {{ $limits := buildRateLimit $location }} {{ range $limit := $limits }} diff --git a/core/pkg/ingress/annotations/rewrite/main.go b/core/pkg/ingress/annotations/rewrite/main.go index c48573a74..e522a275a 100644 --- a/core/pkg/ingress/annotations/rewrite/main.go +++ b/core/pkg/ingress/annotations/rewrite/main.go @@ -41,8 +41,9 @@ type Redirect struct { // SSLRedirect indicates if the location section is accessible SSL only SSLRedirect bool `json:"sslRedirect"` // ForceSSLRedirect indicates if the location section is accessible SSL only - ForceSSLRedirect bool `json:"forceSSLRedirect"` - AppRoot string `json:"appRoot"` + ForceSSLRedirect bool `json:"forceSSLRedirect"` + // AppRoot defines the Application Root that the Controller must redirect if it's not in '/' context + AppRoot string `json:"appRoot"` } type rewrite struct { diff --git a/examples/rewrite/README.md b/examples/rewrite/README.md index a878d52ea..66d7bb038 100644 --- a/examples/rewrite/README.md +++ b/examples/rewrite/README.md @@ -1,3 +1,28 @@ +# Sticky Session + +This example demonstrates how to use the Rewrite annotations + +## Prerequisites + +You will need to make sure you Ingress targets exactly one Ingress +controller by specifying the [ingress.class annotation](/examples/PREREQUISITES.md#ingress-class), +and that you have an ingress controller [running](/examples/deployment) in your cluster. + +## Deployment + +Rewriting can be controlled using the following annotations: + +|Name|Description|Values| +| --- | --- | --- | +|ingress.kubernetes.io/rewrite-target|Target URI where the traffic must be redirected|string| +|ingress.kubernetes.io/add-base-url|indicates if is required to add a base tag in the head of the responses from the upstream servers|bool| +|ingress.kubernetes.io/ssl-redirect|Indicates if the location section is accessible SSL only (defaults to True when Ingress contains a Certificate)|bool| +|ingress.kubernetes.io/force-ssl-redirect|Forces the redirection to HTTPS even if the Ingress is not TLS Enabled|bool| +|ingress.kubernetes.io/app-root|Defines the Application Root that the Controller must redirect if it's not in '/' context|string| + +## Validation + +### Rewrite Target Create an Ingress rule with a rewrite annotation: ``` $ echo " @@ -64,3 +89,39 @@ BODY: -no body in request- ``` +### App Root + +Create an Ingress rule with a app-root annotation: +``` +$ echo " +apiVersion: extensions/v1beta1 +kind: Ingress +metadata: + annotations: + ingress.kubernetes.io/app-root: /app1 + name: approot + namespace: default +spec: + rules: + - host: approot.bar.com + http: + paths: + - backend: + serviceName: echoheaders + servicePort: 80 + path: / +" | kubectl create -f - +``` + +Check the rewrite is working + +``` +$ curl -I -k http://approot.bar.com/ +HTTP/1.1 302 Moved Temporarily +Server: nginx/1.11.10 +Date: Mon, 13 Mar 2017 14:57:15 GMT +Content-Type: text/html +Content-Length: 162 +Location: http://stickyingress.example.com/app1 +Connection: keep-alive +``` \ No newline at end of file