Entrypoints and Middleware placement?

Possibly a dumb question... if I am doing a redirect at the entrypoint and I also want middleware applied (for example IPAllowList and some security middlewares), do I have to add them to all the entrypoints or is it sufficient to just add it at the one that handles the redirects?

So, like this at a single entry point...

entryPoints:
# internal HTTPS handler - process all requests as HTTPS 
  websecure:
    address: ':443'
    asDefault: true
    forwardedHeaders:
      trustedIPs:
       - 10.10.10.5
    http:
      middlewares:
        - global-chain_geo-block-crowdsec
      tls:
        certResolver: cloudflare
        domains:
          - main: "my.tld"
            sans:
              - "*.my.tld"

# internal HTTP handler - forward everything to HTTPS
  web:
    address: ':80'
    forwardedHeaders:
      trustedIPs:
        - 0.0.0.0/0      # forward headers from anyone, had trouble forwarding just for proxy
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https

OR
Like this at all entrypoints?

entryPoints:
# internal HTTPS handler - process all requests as HTTPS 
  websecure:
    address: ':443'
    asDefault: true
    forwardedHeaders:
      trustedIPs:
       - 10.10.10.5
    http:
      middlewares:
        - global-chain_geo-block-crowdsec
      tls:
        certResolver: cloudflare
        domains:
          - main: "my.tld"
            sans:
              - "*.my.tld"

# internal HTTP handler - forward everything to HTTPS
  web:
    address: ':80'
    forwardedHeaders:
      trustedIPs:
        - 0.0.0.0/0      # forward headers from anyone, had trouble forwarding just for proxy
    http:
      middlewares:
        - global-chain_geo-block-crowdsec
      redirections:
        entryPoint:
          to: websecure
          scheme: https

Good question, in general it shouldn’t matter. If the http entrypoint only redirects to https, there should be no real difference.

But there are potential threat scenarios where it might help to block a request on http, not redirect to https, because TLS is more CPU intensive.

On the other hand, if someone really wants to bring down your service, they might always use https anyway.

We use security on https only, keep http lean, only redirect to https.
