Istio: How to redirect to HTTPS except for /.well-known/acme-challenge
Looking into the documentation:
- The HTTP-01 challenge can only be done on port 80. Allowing clients to specify arbitrary ports would make the challenge less secure, and so it is not allowed by the ACME standard.
As a workaround:
- Please consider using DNS-01 challenge:
a) it only makes sense to use DNS-01 challenges if your DNS provider has an API you can use to automate updates.
b) using this approach you should consider additional security risk as stated in the docs:
Pros:You can use this challenge to issue certificates containing wildcard domain names.It works well even if you have multiple web servers.
Cons:*Keeping API credentials on your web server is risky.Your DNS provider might not offer an API.Your DNS API may not provide information on propagation times.
As mentioned here:
In order to be automatic, though, the software that requests the certificate will also need to be able to modify the DNS records for that domain. In order to modify the DNS records, that software will also need to have access to the credentials for the DNS service (e.g. the login and password, or a cryptographic token), and those credentials will have to be stored wherever the automation takes place. In many cases, this means that if the machine handling the process gets compromised, so will the DNS credentials, and this is where the real danger lies.
- I would suggest also another approach to use some simple nginx pod which would redirect all http traffic to https.
There is a tutorial on medium with nginx configuration you might try to use.
apiVersion: v1kind: ConfigMapmetadata: name: nginx-configdata: nginx.conf: | server { listen 80 default_server; server_name _; return 301 https://$host$request_uri; }---apiVersion: v1kind: Servicemetadata: name: redirect labels: app: redirectspec: ports: - port: 80 name: http selector: app: redirect---apiVersion: apps/v1kind: Deploymentmetadata: name: redirectspec: replicas: 1 selector: matchLabels: app: redirect template: metadata: labels: app: redirect spec: containers: - name: redirect image: nginx:stable resources: requests: cpu: "100m" imagePullPolicy: IfNotPresent ports: - containerPort: 80 volumeMounts: - mountPath: /etc/nginx/conf.d name: config volumes: - name: config configMap: name: nginx-config
Additionally you would have to change your virtual service to send all the traffic except prefix: /.well-known/acme-challenge
to nginx.
apiVersion: networking.istio.io/v1alpha3kind: VirtualServicemetadata: name: acme-solver namespace: istio-systemspec: hosts: - "*" gateways: - acme-gateway http: - name: "acmesolver" match: - uri: prefix: /.well-known/acme-challenge route: - destination: host: reviews.prod.svc.cluster.local port: number: 8089 - name: "nginx" route: - destination: host: nginx