Replies: 2 comments
-
|
Closing this discussion as I was able to resolve the Issue |
Beta Was this translation helpful? Give feedback.
-
|
The root cause is require_tls: all on the virtual host combined with NGINX not forwarding the correct scheme header to Envoy. What require_tls: all does When a virtual host has This happens even if the physical connection between NGINX and Envoy is over TLS. Envoy doesn't inspect the socket's TLS state for this decision — it trusts the headers. Why it works when called directly from the NGINX pod When you call Envoy directly from inside the cluster, the request arrives with a proper TLS handshake and Envoy's downstream TLS listener sets :scheme: https internally. No NGINX is involved, so no header stripping occurs. When NGINX proxies the request, it may:
The fix Tell NGINX to forward the correct proto header: Envoy will then see Alternatively, if you don't need the redirect enforcement and just want mutual TLS between NGINX and Envoy, remove require_tls: all from the virtual host — the downstream TLS listener already enforces the TLS handshake. Confirming the exact trigger Use Envoy's access log If |
Beta Was this translation helpful? Give feedback.
Uh oh!
There was an error while loading. Please reload this page.
-
Hi Envoy Community,
We're investigating an issue where Envoy returns an HTTP 301 response for a POST request before any upstream routing attempt is made.
Environment
17600Relevant configuration:
Virtual host:
Envoy Logs
Observations
Additional Information
When calling the Envoy service directly from the nginx pod, Envoy successfully processes the request and routes it upstream, which suggests that routing and cluster resolution are generally functioning.
Questions
require_tls: allgenerate a redirect even when the original client request is HTTPS?Any guidance would be appreciated.
Beta Was this translation helpful? Give feedback.
All reactions