Redirect inbound http to https on the same port

Support
1

What happened?

Is there a way to redirect inbound http requests to https on the same non-standard port using Pomerium only (i.e. without the help of external proxy such as Nginx)?

For example, my routing is configured as follows:

routes:
  - from: https://verify.corp.domain.com:1234
    to: http://verify:8000

When accessing the url with http (http://verify.corp.domain.com:1234), I got 503 error.

I am aware that Nginx can redirect http to https on the same port using error_page directive. But I wonder if it is possible to achieve this using Pomerium only.

What did you see in the logs?

{"level":"debug","service":"envoy","name":"conn_handler","time":"2022-11-01T08:59:02Z","message":"[C10] new connection from 192.168.64.1:37024"}
{"level":"debug","service":"envoy","name":"connection","time":"2022-11-01T08:59:02Z","message":"[C10] remote address:192.168.64.1:37024,TLS error: 268435612:SSL routines:OPENSSL_internal:HTTP_REQUEST"}
{"level":"debug","service":"envoy","name":"connection","time":"2022-11-01T08:59:02Z","message":"[C10] closing socket: 0"}
{"level":"debug","service":"envoy","name":"conn_handler","time":"2022-11-01T08:59:02Z","message":"[C10] adding to cleanup list"}
2

Hey @tianze ,

We have a command called http redirect address which is what I think you are looking for.

If set, the HTTP Redirect Address specifies the host and port to redirect http to https traffic on. If unset, no redirect server is started.

3

Thanks for your reply~

However it seems that this command cannot redirect http to https on the same port. It needs to listen and bind to a http port, which cannot be the same as the https port:

{"level":"error","service":"envoy","name":"config","time":"2022-11-03T08:22:40Z","message":"listener \\'https-ingress\\' failed to bind or apply socket options: cannot bind \\'0.0.0.0:443\\': Address already in use"}

Nginx, on the other hand, is able to detect the http-request-on-https-port error (response code 497) and then redirect to https using the error_page derective as mentioned before.

4

correct, HTTP and HTTPS ports must be different.