For the complete documentation index, see llms.txt. Markdown versions of all docs pages are available by appending .md to any docs URL.
Internal redirects
Configure the gateway proxy to follow upstream HTTP redirect responses (3xx) on behalf of the client. Instead of returning the redirect to the client, the proxy resolves it internally and returns only the final response.
About internal redirects
By default, when an upstream backend returns a 3xx redirect response, the gateway forwards it to the client and the client must follow the redirect itself. With internal redirects enabled, the gateway proxy reads the Location header from the upstream’s redirect response and sends a new request to that URL on behalf of the client. The client receives only the final response and never sees the intermediate redirect.
Internal redirects are configured in the TrafficPolicy resource. The following configuration options are available.
| Field | Type | Default | Description |
|---|---|---|---|
redirectResponseCodes | []integer | [302] | HTTP response codes that trigger an internal redirect. Valid values: 301, 302, 303, 307, 308. Specify 1–5 unique codes. |
maxRedirects | integer | 1 | Maximum number of internal redirects to follow for a single downstream request. |
allowCrossSchemeRedirect | boolean | false | Allow the gateway to follow redirects that change the scheme, for example HTTP to HTTPS. |
responseHeadersToCopy | []string | — | Response headers from the redirect response to copy to the outgoing redirected request. Specify 1–16 unique header names. |
Note
The redirect target URL in the upstream’s Location header must be an absolute URL, such as http://www.example.com/anything/redirected. Relative location headers, such as /get are not followed. The redirect target must also match a route in the gateway’s route table.
Note
Internal redirects apply only to routes that forward traffic to a backend. They have no effect on routes that use a redirect or direct response filter.
Before you begin
-
Follow the Get started guide to install kgateway.
-
Follow the Sample app guide to create a gateway proxy with an HTTP listener and deploy the httpbin sample app.
-
Get the external address of the gateway and save it in an environment variable.
export INGRESS_GW_ADDRESS=$(kubectl get svc -n kgateway-system http -o jsonpath="{.status.loadBalancer.ingress[0]['hostname','ip']}") echo $INGRESS_GW_ADDRESS
Follow upstream redirects
Use a TrafficPolicy to configure internal redirect behavior for an HTTPRoute.
-
Send a request to the
/redirect-topath of the httpbin app. Use theurlquery parameter to specify an absolute redirect target on the same host, andstatus_codeto set the redirect response code. Verify that you get back a 302 HTTP response with alocationheader that points to the redirect target.curl -vi "http://$INGRESS_GW_ADDRESS:8080/redirect-to?url=http://www.example.com/anything/redirected&status_code=302" -H "host: www.example.com"Example output:
* Request completely sent off < HTTP/1.1 302 Found HTTP/1.1 302 Found < access-control-allow-credentials: true access-control-allow-credentials: true < access-control-allow-origin: * access-control-allow-origin: * < location: http://www.example.com/anything/redirected location: http://www.example.com/anything/redirected ... -
Create the TrafficPolicy that follows 302 redirects from the upstream. The policy targets the
httpbinHTTPRoute that you set up as part of the prerequisites.kubectl apply -f- <<EOF apiVersion: gateway.kgateway.dev/v1alpha1 kind: TrafficPolicy metadata: name: internal-redirect namespace: httpbin spec: targetRefs: - group: gateway.networking.k8s.io kind: HTTPRoute name: httpbin internalRedirect: {} EOFReview the following table to understand this configuration. For more information, see the API docs.
Field Description targetRefsThe policy targets the httpbinHTTPRoute resource that you created as part of the prerequisites.internalRedirectEnables internal redirect with default settings (follow 302responses, maximum 1 redirect). -
Repeat the request. Verify that the gateway now follows the redirect on your behalf and returns a 200 HTTP response with the body from the
/anything/redirectedredirect path.curl -vi "http://$INGRESS_GW_ADDRESS:8080/redirect-to?url=http://www.example.com/anything/redirected&status_code=302" -H "host: www.example.com"Example output:
HTTP/1.1 200 OK ... { "method": "GET", "url": "http://www.example.com/anything/redirected", ... }
Configure redirect options
The following example configures the gateway to follow 302 and 303 redirects, copy the access-control-allow-credentials header from the redirect response to the follow-up request, and allow a maximum of 3 consecutive redirects.
-
Update the TrafficPolicy resource with additional redirect options.
kubectl apply -f- <<EOF apiVersion: gateway.kgateway.dev/v1alpha1 kind: TrafficPolicy metadata: name: internal-redirect namespace: httpbin spec: targetRefs: - group: gateway.networking.k8s.io kind: HTTPRoute name: httpbin internalRedirect: redirectResponseCodes: [302, 303] maxRedirects: 3 responseHeadersToCopy: - access-control-allow-credentials EOFField Description redirectResponseCodesThe gateway follows 302and303redirect responses from the upstream.maxRedirectsThe gateway follows up to 3 consecutive redirects per downstream request. If the chain exceeds this limit, the last redirect response is returned to the client. responseHeadersToCopyThe access-control-allow-credentialsheader from the redirect response is copied to the follow-up request sent to the redirect target. -
Send a request that triggers a
303redirect. Verify that the gateway follows it and returns a 200 response. Check theheaderssection in the response body and confirm thatAccess-Control-Allow-Credentialsis present, which proves it was copied from the redirect response to the follow-up request.curl -vi "http://$INGRESS_GW_ADDRESS:8080/redirect-to?url=http://www.example.com/anything/redirected&status_code=303" -H "host: www.example.com"Example output:
HTTP/1.1 200 OK ... { "headers": { "Access-Control-Allow-Credentials": [ "true" ], "Host": [ "www.example.com" ], ... "X-Envoy-Original-Url": [ "http://www.example.com/redirect-to?url=http://www.example.com/anything/redirected&status_code=303" ], ... }, "url": "http://www.example.com/anything/redirected", ... }
Cleanup
You can remove the resources that you created in this guide.kubectl delete TrafficPolicy internal-redirect -n httpbin