Apoxy
Getting StartedGuidesReferenceChangelog

HTTP to HTTPS redirect

Redirect HTTP traffic to HTTPS using the default Gateway's listeners.

Redirecting HTTP to HTTPS is one of the first things you'll want to set up for a production domain. The default Gateway listens on both port 80 (HTTP) and port 443 (HTTPS), so you can set up redirects by attaching routes to specific listeners using sectionName.

Single domain

Add the redirect route

Create an HTTPRoute that matches the HTTP listener and redirects every request to HTTPS:

apiVersion: gateway.apoxy.dev/v1
kind: HTTPRoute
metadata:
  name: http-to-https
spec:
  parentRefs:
  - name: default
    sectionName: http
  hostnames:
  - app.example.com
  rules:
  - filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        statusCode: 301

The sectionName: http ensures this route only attaches to the HTTP listener. The redirect uses a 301 (permanent) status code so browsers cache it.

Add your application route on HTTPS

apiVersion: gateway.apoxy.dev/v1
kind: HTTPRoute
metadata:
  name: app-route
spec:
  parentRefs:
  - name: default
    sectionName: https
  hostnames:
  - app.example.com
  rules:
  - backendRefs:
    - kind: Backend
      name: app-backend
      port: 8080

Backends define the upstream services your routes forward to — see Routing traffic for setup details.

Apply everything:

apoxy apply -f redirect.yaml -f app-route.yaml

Verify

curl -I http://app.example.com/

You should see:

HTTP/1.1 301 Moved Permanently
Location: https://app.example.com/

Wildcard subdomains

When you have many subdomains — api.example.com, dashboard.example.com, docs.example.com — you don't want a separate redirect for each one. Use a wildcard hostname instead.

Single redirect covering all subdomains

apiVersion: gateway.apoxy.dev/v1
kind: HTTPRoute
metadata:
  name: wildcard-http-to-https
spec:
  parentRefs:
  - name: default
    sectionName: http
  hostnames:
  - "*.example.com"
  rules:
  - filters:
    - type: RequestRedirect
      requestRedirect:
        scheme: https
        statusCode: 301

One route, one rule — every subdomain that hits port 80 gets redirected to HTTPS.

Per-subdomain application routes

You can attach specific routes to the HTTPS listener by hostname:

apiVersion: gateway.apoxy.dev/v1
kind: HTTPRoute
metadata:
  name: api-route
spec:
  parentRefs:
  - name: default
    sectionName: https
  hostnames:
  - api.example.com
  rules:
  - backendRefs:
    - kind: Backend
      name: api-backend
      port: 8080

---
apiVersion: gateway.apoxy.dev/v1
kind: HTTPRoute
metadata:
  name: dashboard-route
spec:
  parentRefs:
  - name: default
    sectionName: https
  hostnames:
  - dashboard.example.com
  rules:
  - backendRefs:
    - kind: Backend
      name: dashboard-backend
      port: 3000

Each route matches a specific subdomain even though the default Gateway's HTTPS listener accepts all hostnames. The redirect route handles the HTTP→HTTPS bounce for all of them.

Key points

  • Use sectionName in parentRefs to target a specific listener. Without it, the route attaches to every compatible listener on the Gateway.
  • Use 301 for permanent redirects (browsers cache them) or 302 if you might revert later.
  • Wildcard hostnames in routes use *.domain.com syntax — they match one subdomain level.
  • Keep the redirect route and application routes as separate resources. This makes it easy to disable the redirect without touching application routing.

Routing traffic

Attach routes to the default Gateway and verify traffic flow using the Gateway API.

Response compression

Compress HTTP responses with gzip, brotli, or zstd — enabled by default, customizable via HTTPRouteFilter.

On this page

Single domainAdd the redirect routeAdd your application route on HTTPSVerifyWildcard subdomainsSingle redirect covering all subdomainsPer-subdomain application routesKey points