HTTP to HTTPS redirect

Redirect HTTP traffic to HTTPS using the default Gateway's listeners.

Redirecting HTTP to HTTPS is one of the first things you'll want to set up for a production domain. The default Gateway listens on both port 80 (HTTP) and port 443 (HTTPS), so you can set up redirects by attaching routes to specific listeners using sectionName.

Single domain

Add the redirect route

Create an HTTPRoute that matches the HTTP listener and redirects every request to HTTPS:

redirect.yaml:

apiVersion: gateway.apoxy.dev/v1
kind: HTTPRoute
metadata:
  name: http-to-https
spec:
  parentRefs:
    - name: default
      sectionName: http
  hostnames:
    - app.example.com
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301

The sectionName: http ensures this route only attaches to the HTTP listener. The redirect uses a 301 (permanent) status code so browsers cache it.

Add your application route on HTTPS

app-route.yaml:

apiVersion: gateway.apoxy.dev/v1
kind: HTTPRoute
metadata:
  name: app-route
spec:
  parentRefs:
    - name: default
      sectionName: https
  hostnames:
    - app.example.com
  rules:
    - backendRefs:
        - kind: Backend
          name: app-backend
          port: 8080

Backends define the upstream services your routes forward to — see Routing traffic for setup details.

Apply everything:

apoxy apply -f redirect.yaml -f app-route.yaml

Verify

curl -I http://app.example.com/

You should see:

HTTP/1.1 301 Moved Permanently
Location: https://app.example.com/
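
An added example, not part of the Apoxy docs: a script that checks the `curl -I` output above for any host, confirming status 301 and a Location header that changes only the scheme. The function names are hypothetical, the sample responses are constructed, and it assumes the redirect preserves the request's host and path.

```shell
#!/bin/sh
# Added example: validate `curl -sI` headers against the redirect configured above.
# Assumption: the redirect keeps the request's host and path and changes only the scheme.

# check_redirect HOST PATH   (response headers on stdin)
# Succeeds only for status 301 with Location: https://HOST/PATH.
check_redirect() {
    cr_host=$1 cr_path=$2 cr_status='' cr_location=''
    cr_cr=$(printf '\r')
    while IFS= read -r cr_line || [ -n "$cr_line" ]; do
        cr_line=${cr_line%"$cr_cr"}          # curl prints CRLF line endings
        case $cr_line in
            HTTP/*)                           # e.g. "HTTP/1.1 301 Moved Permanently"
                cr_status=${cr_line#* }
                cr_status=${cr_status%% *} ;;
            [Ll]ocation:*)
                cr_location=${cr_line#*:}
                cr_location=${cr_location# } ;;
        esac
    done
    if [ "$cr_status" != 301 ]; then
        echo "FAIL $cr_host: status ${cr_status:-missing}, expected 301"
        return 1
    fi
    if [ "$cr_location" != "https://$cr_host$cr_path" ]; then
        echo "FAIL $cr_host: Location '$cr_location' is not https://$cr_host$cr_path"
        return 1
    fi
    echo "OK   $cr_host$cr_path -> $cr_location"
}

# check_live HOST [PATH]: fetch headers over plain HTTP and validate them.
check_live() {
    curl -sI --max-time 10 "http://$1${2:-/}" | check_redirect "$1" "${2:-/}"
}

# Constructed sample responses (not captured from a real deployment).
# 1) The redirect the guide expects.
printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://app.example.com/\r\n\r\n' |
    check_redirect app.example.com /
# 2) A host that serves content over plain HTTP instead of redirecting.
printf 'HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n' |
    check_redirect api.example.com /login || true
```

Against a deployed Gateway, call `check_live app.example.com /some/path` for each hostname you expect the redirect to cover.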

Wildcard subdomains

When you have many subdomains — api.example.com, dashboard.example.com, docs.example.com — you don't want a separate redirect for each one. Use a wildcard hostname instead.

Single redirect covering all subdomains

wildcard-redirect.yaml:

apiVersion: gateway.apoxy.dev/v1
kind: HTTPRoute
metadata:
  name: wildcard-http-to-https
spec:
  parentRefs:
    - name: default
      sectionName: http
  hostnames:
    - "*.example.com"
  rules:
    - filters:
        - type: RequestRedirect
          requestRedirect:
            scheme: https
            statusCode: 301

One route, one rule — every subdomain that hits port 80 gets redirected to HTTPS.

Per-subdomain application routes

You can attach specific routes to the HTTPS listener by hostname:

per-subdomain-routes.yaml:

apiVersion: gateway.apoxy.dev/v1
kind: HTTPRoute
metadata:
  name: api-route
spec:
  parentRefs:
    - name: default
      sectionName: https
  hostnames:
    - api.example.com
  rules:
    - backendRefs:
        - kind: Backend
          name: api-backend
          port: 8080
---
apiVersion: gateway.apoxy.dev/v1
kind: HTTPRoute
metadata:
  name: dashboard-route
spec:
  parentRefs:
    - name: default
      sectionName: https
  hostnames:
    - dashboard.example.com
  rules:
    - backendRefs:
        - kind: Backend
          name: dashboard-backend
          port: 3000

Each route matches a specific subdomain even though the default Gateway's HTTPS listener accepts all hostnames. The redirect route handles the HTTP→HTTPS bounce for all of them.

Key points

  • Use sectionName in parentRefs to target a specific listener. Without it, the route attaches to every compatible listener on the Gateway.
  • Use 301 for permanent redirects (browsers cache them) or 302 if you might revert later.
  • Wildcard hostnames in routes use *.domain.com syntax — they match one subdomain level.
  • Keep the redirect route and application routes as separate resources. This makes it easy to disable the redirect without touching application routing.