Alter path in web request

bogorad · October 1, 2023, 1:49pm

Using Traefik v2.

From the internet, I'm requesting curl -i https://aaa.mysite.com/1/bbb/ccc. I have a local Whoami server running at whoami.corp. I want the request to go to http://whoami.corp/users/1/bbb/ccc, so I need to rewrite the path. With Nginx, it's trivial, but Traefik gives me grief.

Tried this config, but it returns 301, which is pointless since the modified URL is inaccessible from outside.

http:
  routers:
    rss:
      entryPoints:
        - "https"
      rule: "(Host (`aaa.mysite.com`))"
      middlewares:
        - "mw_rss_replace_path"
      service: rss

  middlewares:
    mw_rss_replace_path:
      replacePathRegex:
        regex: "(.*)"
        replacement: "/users/${1}"

  services:
    rss:
      loadBalancer:
        servers:
          - url: "http://whoami.corp"
        passHostHeader: true

What is the appropriate method?

bluepuma77 · October 1, 2023, 5:39pm

Wrong template variable format? (Doc)

# Replace path with regex
http:
  middlewares:
    test-replacepathregex:
      replacePathRegex:
        regex: "^/foo/(.*)"
        replacement: "/bar/$1"

bogorad · October 1, 2023, 5:42pm

Tried that as well, no change—both ${1} and $1 work the same way. The location header in the 301 response shows the correct string:

HTTP/2 301
content-type: text/html; charset=utf-8
date: Sun, 01 Oct 2023 17:43:15 GMT
location: /users/1/aaa/bbb

bluepuma77 · October 1, 2023, 6:26pm

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

bogorad · October 2, 2023, 11:50am

static:

  traefik:
    image: traefik
    container_name: traefik
    restart: always
    command:
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=false
# Dashboard
      - --entryPoints.traefik.address=:8080
# Spice
      - --entryPoints.spice.address=:3128
# web/http
      - --entryPoints.http.address=:80/tcp
      - --entrypoints.http.http.redirections.entryPoint.to=https
# secure/https
      - --entryPoints.https.address=:443
      - --entryPoints.https.http.tls=true
      - --entryPoints.https.http.tls.certResolver=route53
#
      - --api=true
      - --api.insecure=true
      - --api.dashboard=true
#
      - --accessLog=true
      - --accessLog.filePath=/logs/tr-access.log
      - --accessLog.bufferingSize=100 # Configuring a buffer of 100 lines
      - --accesslog.fields.names.StartUTC=drop
#
      - --log.filePath=/logs/tr-error.log
      - --log.level=Info
#
      - --providers.docker
      - --providers.docker.exposedbydefault=false
      - --providers.file.directory=/config/providers
#
      - --certificatesresolvers.route53.acme.email=*********@gmail.com
      - --certificatesresolvers.route53.acme.storage=/config/*********.****.json
# Production:
      - --certificatesresolvers.route53.acme.caserver=https://acme-v02.api.letsencrypt.org/directory
# Staging:
#      - --certificatesresolvers.route53.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.route53.acme.keytype=RSA4096
      - --certificatesresolvers.route53.acme.dnschallenge=true
      - --certificatesresolvers.route53.acme.dnschallenge.provider=route53
      - --certificatesresolvers.route53.acme.dnschallenge.delayBeforeCheck=0
      - --certificatesresolvers.route53.acme.dnschallenge.resolvers=1.0.0.1:53,8.8.8.8:53,9.9.9.9:53
#
      - --serversTransport.insecureSkipVerify=true
    # ldapAuth Options=================================================================
      - --experimental.plugins.ldapAuth.modulename=github.com/wiltonsr/ldapAuth
      - --experimental.plugins.ldapAuth.version=v0.1.4
    # =================================================================================

    environment:
      - TZ=Europe/Madrid
      - AWS_ACCESS_KEY_ID=${AWS_Access_Key_ID}
      - AWS_SECRET_ACCESS_KEY=${AWS_Secret_Access_Key}
      - AWS_HOSTED_ZONE_ID=${AWS_Hosted_Zone_ID}
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik:/config
      - /ssd/tmp:/logs
    networks:
      default:
        ipv4_address: 10.70.70.200
    dns: "192.168.11.1"

No dynamic config, just some providers as described above.

bluepuma77 · October 2, 2023, 3:41pm

Your config file with http is actually dynamic config - vs the static config like entrypoints.

I would recommend to use a dedicated Docker network, we recently had long troubleshooting when using default. (Post)

You shared you docker-compose.yml. Where are the Traefik ports exposed?

bogorad · October 2, 2023, 4:44pm

Traefik is running under docker, which runs as a service under OpenWRT on an ARM64 router. Port 443 from WAN is redirected to the address of this Traefik instance (10.70.70.200).

In docker, it's a MACVLAN network, so all ports of each container are exposed. The fact that the network is labeled default is irrelevant in this case.

networks:
  default:
    driver: macvlan
    driver_opts:
      parent: eth2.70
    ipam:
      config:
        - subnet:   10.70.70.0/24
          gateway:  10.70.70.1

Traefik has been working great for over a year already. I have multiple providers, and everything is working as expected except for this. Some services are on the same machine (some inside docker, some outside), while other services are on other machines inside my LAN.