Cloud Run http to https redirection

0
votes

On this page it says

Cloud Run (fully managed) redirects all HTTP requests to HTTPS but terminates TLS before they reach your web service.

terminates TLS before they reach the web service I don't quite understand what it means. The web service means the web application in the container?

I deploy a cloud run, set up a load balancer with serverless NEG.

http://example.comreturns a 404.
https://example.com returns a 200.

At which point does the redirection begin? It doesn't redirect automatically.

I only manage to redirect it at the application level.

How does cloud run redirection work?

2
google-cloud-platformhttpsload-balancinghttp-redirectgoogle-cloud-run
The Google Cloud Frontend (GFE) handles HTTP -> HTTPS redirection. The communication from the GFE to your instance is over HTTP (default is port 8080) so that your service does not require SSL configured. The GFE proxies the connections (client <-HTTPS-> GFE <-HTTP-> your_service).John Hanley
Thanks @JohnHanley Now it makes so much sense!PlainH2O
Incidentally, I found there is a slight delay when changing the domain where a 404 presents unexpectedly for http traffic and doesn't redirect (and the service is available over https). This resolved after some timespan that I don't recall, maybe an hour. After that http redirects to https as-desired when using cloud run as part of the default feature set.jimmont

2 Answers

1
votes

Cloud Run has its own load balancer. So, when you call your service you have

Sender -----> Cloud Run LB -----> Container instance

If you send a HTTP request to Cloud Run LB, you are redirected to a HTTPS.

In your context you use an additional layer: external HTTPS load balancer (also known as GCLB), and you have this chain

Sender ------> GCLB -----> Cloud Run LB -----> Container instance

You get a 404 in HTTP because GCLB isn't configured to perform redirect. More than that, your GCLB only listen on the 443 port (frontend configuration) and you haven't the port 80 open.

You can update it by following this documentation. At the end, it's not a Cloud Run issue, only a load balancer issue.

0
votes

According to document [1] on "Invoking with an HTTPS Request"; the full managed Cloud Run(CR) redirects all HTTP request to HTTPS but terminates TLS before it reaches your web service.

If your service generates a web resources that refers to other web resources with unsecured URLs (http://), your page may be subject to "mixed content warnings or errors [2]".

I tried to reproduce your issue using Quickstart: Build and Deploy [3] but I was unable to, as my URL shows HTTPS.

Does your service generate web resources that refers to other web resources with unsecured URLs?

[1] https://cloud.google.com/run/docs/triggering/https-request

[2] https://web.dev/what-is-mixed-content/

[3] https://cloud.google.com/run/docs/quickstarts#build-and-deploy