2 min • read

Cleartext support

While most modern web applications choose to encrypt all traffic, there remain cases where supporting cleartext communications is important. Emissary-ingress supports both forcing automatic redirection to HTTPS and serving cleartext traffic on a Host.

The Listener andHost CRDs work together to manage HTTP and HTTPS routing. This document is meant as a quick reference to the Host resource: for a more complete treatment of handling cleartext and HTTPS, see Configuring Emissary-ingress Communications.

Cleartext Routing

To allow cleartext to be routed, set the requestPolicy.insecure.action of a Host to Route:

requestPolicy:
  insecure:
    action: Redirect

This allows routing for either HTTP and HTTPS, or only HTTP, depending on tlsSecret configuration:

If the Host does not specify a tlsSecret, it will only route HTTP, not terminating TLS at all.
If the Host does specify a tlsSecret, it will route both HTTP and HTTPS.

HTTP->HTTPS redirection

Most websites that force HTTPS will also automatically redirect any requests that come into it over HTTP:

Client              Emissary-ingress
|                             |
| http://<hostname>/api       |
| --------------------------> |
|                             |
| 301: https://<hostname>/api |
| <-------------------------- |
|                             |
| https://<hostname>/api      |
| --------------------------> |
|                             |

In Emissary-ingress, this is configured by setting the insecure.action in a Host to Redirect.

requestPolicy:
  insecure:
    action: Redirect

Emissary-ingress determines which requests are secure and which are insecure using the securityModel of the Listener that accepts the request.

ON THIS PAGE

Cleartext Routing
HTTP->HTTPS redirection