OCPBUGS-65482: Fix HAProxy redirect: strip port from Host header

[bentito]

Previously, when a route was configured with insecureEdgeTerminationPolicy: Redirect, HAProxy would preserve the port from the Host header in the redirect Location. This caused clients to attempt HTTPS connections on port 80 (e.g., https://example.com:80) if the original request included the port.

This commit updates the HAProxy template to explicitly strip any port number from the Host header using 'regsub(:[0-9]+$,,)' before constructing the redirect URL. This ensures redirects always go to the default HTTPS port (443).

A regression test 'Secure Redirect Strips Port' has been added to pkg/router/router_test.go to verify this configuration generation.

[openshift-ci-robot]

@bentito: This pull request references Jira Issue OCPBUGS-65482, which is invalid:

• expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Previously, when a route was configured with insecureEdgeTerminationPolicy: Redirect, HAProxy would preserve the port from the Host header in the redirect Location. This caused clients to attempt HTTPS connections on port 80 (e.g., https://example.com:80) if the original request included the port.

This commit updates the HAProxy template to explicitly strip any port number from the Host header using 'regsub(:[0-9]+$,,)' before constructing the redirect URL. This ensures redirects always go to the default HTTPS port (443).

A regression test 'Secure Redirect Strips Port' has been added to pkg/router/router_test.go to verify this configuration generation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bentito]

/jira refresh

[openshift-ci-robot]

@bentito: This pull request references Jira Issue OCPBUGS-65482, which is invalid:

• expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[bentito]

/jira refresh

[openshift-ci-robot]

@bentito: This pull request references Jira Issue OCPBUGS-65482, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state ASSIGNED, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @ShudiLi

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ShudiLi]

reproduced it with 4.21.0-0.nightly-2025-11-22-193140 and verified it with 4.21.0-0-2025-12-02-060314-test-ci-ln-sikxch2-latest

Reproduced:

1.
% oc get clusterversion
NAME      VERSION                              AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.21.0-0.nightly-2025-11-22-193140   True        False         5h2m    Cluster version is 4.21.0-0.nightly-2025-11-22-193140

2.
% oc -n test get route
NAME          HOST/PORT                                                         PATH   SERVICES      PORT          TERMINATION     WILDCARD
edge1         edge1-test.apps.shudi-421bm02.qe.devcluster.openshift.com                unsec-apach   unsec-apach   edge/Redirect   None

3.
% curl -L -H "Host: edge1-test.apps.shudi-421bm02.qe.devcluster.openshift.com:80" http://edge1-test.apps.shudi-421bm02.qe.devcluster.openshift.com:80/ -k
curl: (35) LibreSSL/3.3.6: error:1404B42E:SSL routines:ST_CONNECT:tlsv1 alert protocol version

Verified:

1.
% oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.21.0-0-2025-12-02-060314-test-ci-ln-sikxch2-latest   True        False         27m     Cluster version is 4.21.0-0-2025-12-02-060314-test-ci-ln-sikxch2-latest

2.
% oc -n test get route
NAME          HOST/PORT                                                                     PATH   SERVICES      PORT          TERMINATION     WILDCARD
edge1         edge1-test.apps.ci-ln-sikxch2-72292.origin-ci-int-gce.dev.rhcloud.com                unsec-apach   unsec-apach   edge/Redirect   None

3.
% curl -L -H "Host: edge1-test.apps.ci-ln-sikxch2-72292.origin-ci-int-gce.dev.rhcloud.com:80" http://edge1-test.apps.ci-ln-sikxch2-72292.origin-ci-int-gce.dev.rhcloud.com:80/ -k
It is a test!

[ShudiLi]

/label qe-approved
/verified by @ShudiLi

[openshift-ci-robot]

@bentito: This pull request references Jira Issue OCPBUGS-65482, which is valid.

3 validation(s) were run on this bug

• bug is open, matching expected state (open)
• bug target version (4.21.0) matches configured target version for branch (4.21.0)
• bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @ShudiLi

Details

In response to this:

Previously, when a route was configured with insecureEdgeTerminationPolicy: Redirect, HAProxy would preserve the port from the Host header in the redirect Location. This caused clients to attempt HTTPS connections on port 80 (e.g., https://example.com:80) if the original request included the port.

This commit updates the HAProxy template to explicitly strip any port number from the Host header using 'regsub(:[0-9]+$,,)' before constructing the redirect URL. This ensures redirects always go to the default HTTPS port (443).

A regression test 'Secure Redirect Strips Port' has been added to pkg/router/router_test.go to verify this configuration generation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci-robot]

@ShudiLi: This PR has been marked as verified by @ShudiLi.

Details

In response to this:

/label qe-approved
/verified by @ShudiLi

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[alebedev87]

First glance.

[alebedev87]

/assign

[alebedev87]

As discussed in Slack, we would need an e2e test for this change. Unfortunately it can't be done in this repository as we host them in openshift/cluster-ingress-operator. However the test scenarios for this change should not be complex.

[alebedev87]

/assign @Thealisyed

[ShudiLi]

Tested it again and saw the 302 redirect message

1.
% oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.21.0-0-2025-12-09-013709-test-ci-ln-qhf3fg2-latest   True        False         26m     Cluster version is 4.21.0-0-2025-12-09-013709-test-ci-ln-qhf3fg2-latest

2.
 % oc -n test get route                                                                           
NAME          HOST/PORT                                                          PATH   SERVICES      PORT          TERMINATION     WILDCARD
edge1         edge1-test.apps.ci-ln-qhf3fg2-72292.gcp-2.ci.openshift.org                unsec-apach   unsec-apach   edge/Redirect   None

3.
sh-4.4# curl -L -H "Host: edge1-test.apps.ci-ln-qhf3fg2-72292.gcp-2.ci.openshift.org:80" http://edge1-test.apps.ci-ln-qhf3fg2-72292.gcp-2.ci.openshift.org:80 -k
It is a test!

4.
sh-4.4# tcpdump -i any tcp  -s 0 -n
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
03:06:49.042427 IP 10.128.2.23.47076 > 35.222.177.125.http: Flags [S], seq 137246821, win 64680, options [mss 1320,sackOK,TS val 3691157104 ecr 0,nop,wscale 7], length 0
03:06:49.046854 IP 35.222.177.125.http > 10.128.2.23.47076: Flags [S.], seq 2874001464, ack 137246822, win 65400, options [mss 1320,sackOK,TS val 3046584714 ecr 3691157104,nop,wscale 7], length 0
03:06:49.046929 IP 10.128.2.23.47076 > 35.222.177.125.http: Flags [.], ack 1, win 506, options [nop,nop,TS val 3691157109 ecr 3046584714], length 0
03:06:49.046994 IP 10.128.2.23.47076 > 35.222.177.125.http: Flags [P.], seq 1:126, ack 1, win 506, options [nop,nop,TS val 3691157109 ecr 3046584714], length 125: HTTP: GET / HTTP/1.1
03:06:49.049278 IP 35.222.177.125.http > 10.128.2.23.47076: Flags [P.], seq 1:146, ack 126, win 510, options [nop,nop,TS val 3046584717 ecr 3691157109], length 145: HTTP: HTTP/1.1 302 Found

[ShudiLi]

tested it with 4.22.0-0-2026-01-07-063944-test-ci-ln-zm9prst-latest

1.
% oc get clusterversion
NAME      VERSION                                                AVAILABLE   PROGRESSING   SINCE   STATUS
version   4.22.0-0-2026-01-07-063944-test-ci-ln-zm9prst-latest   True        False         28m     Cluster version is 4.22.0-0-2026-01-07-063944-test-ci-ln-zm9prst-latest

2.
% oc -n test get route
NAME          HOST/PORT                                                          PATH   SERVICES      PORT          TERMINATION     WILDCARD
edge1         edge1-test.apps.ci-ln-zm9prst-72292.gcp-2.ci.openshift.org                unsec-apach   unsec-apach   edge/Redirect   None

3. let a client pod send the http request
sh-4.4# curl -H "Host: edge1-test.apps.ci-ln-zm9prst-72292.gcp-2.ci.openshift.org:80" http://edge1-test.apps.ci-ln-zm9prst-72292.gcp-2.ci.openshift.org/path1/a1.html?name=shudi -kL
a11

4. Check the captured packets on the server pod
sh-4.4# tcpdump -i any tcp -s 0 -n
dropped privs to tcpdump
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on any, link-type LINUX_SLL (Linux cooked v1), capture size 262144 bytes

07:53:21.525104 IP 10.131.0.7.60676 > 10.129.2.11.webcache: Flags [S], seq 2214922534, win 64680, options [mss 1320,sackOK,TS val 1387636772 ecr 0,nop,wscale 7], length 0
07:53:21.525167 IP 10.129.2.11.webcache > 10.131.0.7.60676: Flags [S.], seq 3110584898, ack 2214922535, win 65400, options [mss 1320,sackOK,TS val 1913641244 ecr 1387636772,nop,wscale 7], length 0
07:53:21.527107 IP 10.131.0.7.60676 > 10.129.2.11.webcache: Flags [.], ack 1, win 506, options [nop,nop,TS val 1387636775 ecr 1913641244], length 0
07:53:21.527157 IP 10.131.0.7.60676 > 10.129.2.11.webcache: Flags [P.], seq 1:417, ack 1, win 506, options [nop,nop,TS val 1387636775 ecr 1913641244], length 416: HTTP: GET /path1/a1.html?name=shudi HTTP/1.1
07:53:21.527212 IP 10.129.2.11.webcache > 10.131.0.7.60676: Flags [.], ack 417, win 508, options [nop,nop,TS val 1913641246 ecr 1387636775], length 0
07:53:21.527854 IP 10.129.2.11.webcache > 10.131.0.7.60676: Flags [P.], seq 1:295, ack 417, win 508, options [nop,nop,TS val 1913641247 ecr 1387636775], length 294: HTTP: HTTP/1.1 200 OK
07:53:21.528772 IP 10.131.0.7.60676 > 10.129.2.11.webcache: Flags [.], ack 295, win 504, options [nop,nop,TS val 1387636777 ecr 1913641247], length 0
^C

[ShudiLi]

/verified by @ShudiLi

[openshift-ci-robot]

@ShudiLi: This PR has been marked as verified by @ShudiLi.

Details

In response to this:

/verified by @ShudiLi

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[ShudiLi]

/test okd-scos-images

[alebedev87]

/lgtm
/approve

[alebedev87]

/verified by @ShudiLi

Just a squash of commits, retagging..

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: alebedev87

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [alebedev87]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@alebedev87: This PR has been marked as verified by @ShudiLi.

Details

In response to this:

/verified by @ShudiLi

Just a squash of commits, retagging..

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[openshift-ci]

@bentito: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[openshift-ci-robot]

@bentito: Jira Issue OCPBUGS-65482: Some pull requests linked via external trackers have merged:

• openshift/router#696

The following pull request, linked via external tracker, has not merged:

• openshift/cluster-ingress-operator#1316 is open

All associated pull requests must be merged or unlinked from the Jira bug in order for it to move to the next state. Once unlinked, request a bug refresh with /jira refresh.

Jira Issue OCPBUGS-65482 has not been moved to the MODIFIED state.

This PR is marked as verified. If the remaining PRs listed above are marked as verified before merging, the issue will automatically be moved to VERIFIED after all of the changes from the PRs are available in an accepted nightly payload.

Details

In response to this:

Previously, when a route was configured with insecureEdgeTerminationPolicy: Redirect, HAProxy would preserve the port from the Host header in the redirect Location. This caused clients to attempt HTTPS connections on port 80 (e.g., https://example.com:80) if the original request included the port.

This commit updates the HAProxy template to explicitly strip any port number from the Host header using 'regsub(:[0-9]+$,,)' before constructing the redirect URL. This ensures redirects always go to the default HTTPS port (443).

A regression test 'Secure Redirect Strips Port' has been added to pkg/router/router_test.go to verify this configuration generation.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.