2 min • read

Cleartext support

While most modern web applications choose to encrypt all traffic, there remain cases where supporting cleartext communications is important. Emissary-ingress supports both forcing automatic redirection to HTTPS and serving cleartext traffic on a Host.

Cleartext Routing

To allow cleartext to be routed, set the requestPolicy.insecure.action of a Host to Route:

yaml
requestPolicy:
insecure:
action: Redirect

This allows routing for either HTTP and HTTPS, or only HTTP, depending on tlsSecret configuration:

  • If the Host does not specify a tlsSecret, it will only route HTTP, not terminating TLS at all.
  • If the Host does specify a tlsSecret, it will route both HTTP and HTTPS.

HTTP->HTTPS redirection

Most websites that force HTTPS will also automatically redirect any requests that come into it over HTTP:

shell
Client Emissary-ingress
| |
| http://<hostname>/api |
| --------------------------> |
| |
| 301: https://<hostname>/api |
| <-------------------------- |
| |
| https://<hostname>/api |
| --------------------------> |
| |

In Emissary-ingress, this is configured by setting the insecure.action in a Host to Redirect.

yaml
requestPolicy:
insecure:
action: Redirect

Emissary-ingress determines which requests are secure and which are insecure using the securityModel of the Listener that accepts the request.