Expand a single hostname to FQDN?

Hi

I've now got V2.2.4 rolling with ACME nicely, but have a question...
I can see the standard http -> https redirection via entrypoint, which is working, however any SSL cert relies on the FQDN.

Currently I'm using a pihole Docker container to provide DHCP to my LAN, and due to domain suffixes, any "single" hostname (i.e. 'pihole') will resolve, as it will expand out to 'pihole.my.domain.name'.

My domain is valid externally, and I'm using it with ACME dnsChallenge and I have certs, but if I open a browser and just type "hostname" it will try to load "http://hostname" by default.

Now, without SSL/redirect, this works fine - but if https redirect kicks in, the browser is sent to "https://hostname" - which then generates a security error as "hostname" does not match "hostname.my.domain.name".

I have created a file provider (toml file) in a directory and set it to be loaded by traefik.toml - and I can see my middleware rule:

  [http.middlewares.expandhost.redirectRegex]
    regex = "http://([^.]*)/.*"
    replacement = "https://$1.my.domain.name/"

but it doesn't seem to work if I attach it to an entrypoint?

Can this be done globally?
Ideally I'd like any http (insecure) single hostname to be expanded and forwarded up to the secure FQDN version.

What does "doesn't seem to work" mean? E.g. what are you expecting to observe and what are you observing instead?

My guess would be that the redirection kicks in before any middleware on the router has a chance to look at the request.

Generally the cert should match the url you are using, or you get the message that they should match, this is the whole point of the certs validation. This happens during the TLS handshake, so in any case it will be the first thing that happens. You can either have self-signed cert that you set up your browser to trust with the short name, or you do not use the short name.

I do not think you have any other options, and this is not because of traefik, it is impossible in principle.

In theory, a browser accessing an INSECURE URL (such as http://test on a LAN) can be redirected to any URL (via 302 etc)

The browser (still insecure at this point, with no cert) should then attempt to connect to the redirected URL, i.e. https://test.internal.network

At that point, the browser should do a TLS handshake and all should be well

Basically if I use single hostnames, I get a connection to traefik, which upsets the browser as the single hostname != the FQDN
If I key the whole FQDN, it works as expected as FQDN=SNI=cert

I would like a single (insecure) hostname (which IS being picked up/answered by traefik) to be "redirected" to an expanded (secure) FQDN

Flow would be something like:

  1. Browser -> single hostname via web (insecure) entrypoint
  2. HostRegexp detects no period (.) char and issues a redirect to the https:// fqdn url for the browser
  3. Browser -> FQDN hostname via websecure entrypoint
  4. All is good

Hi @ptruman

To do what you want you will need an http router + middleware to do the redirect. You will have to disable the entryPoint https redirection.

I would make the regex http://([^.]+)/(.*) and the replacement https://${1}.my.domain.name/$2 as yours would always redirect to / discarding any additional path component.
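The four-step flow from the original question and the answer above, put together as a file-provider dynamic configuration. This is an added example, not configuration posted by anyone in the thread; it assumes entrypoints named "web" (port 80) and "websecure" (port 443), a certResolver named "myresolver", a backend service called "pihole-svc" reachable at http://pihole:80/, and the placeholder domain my.domain.name. The static traefik.toml must not contain [entryPoints.web.http.redirections], otherwise that built-in redirect answers before any router or middleware here is consulted.

```toml
# Added example (not from the thread). Assumed names: entrypoints "web" and
# "websecure", certResolver "myresolver", service "pihole-svc", domain
# my.domain.name. Requires the entryPoint-level https redirection to be removed
# from the static configuration.

[http.routers]
  # Catch everything that arrives on the insecure entrypoint. The middlewares
  # below always answer with a redirect, so the service is the internal no-op.
  [http.routers.http-catchall]
    entryPoints = ["web"]
    rule = "HostRegexp(`{host:.+}`)"
    middlewares = ["expandhost", "to-https"]
    service = "noop@internal"

  # The real router only accepts the FQDN on the TLS entrypoint, so the
  # ACME certificate and the SNI the browser sends always agree.
  [http.routers.pihole]
    entryPoints = ["websecure"]
    rule = "Host(`pihole.my.domain.name`)"
    service = "pihole-svc"
    [http.routers.pihole.tls]
      certResolver = "myresolver"

[http.middlewares]
  # Single-label hostname (no '.' between "http://" and the first '/'):
  # expand to the FQDN over https and keep the request path via group 2.
  # A request whose host already contains a '.' does not match and falls
  # through to the next middleware.
  [http.middlewares.expandhost.redirectRegex]
    regex = "http://([^.]+)/(.*)"
    replacement = "https://${1}.my.domain.name/$2"

  # Anything that was not a short name (already an FQDN) is sent to the
  # same host over https.
  [http.middlewares.to-https.redirectScheme]
    scheme = "https"
    permanent = true

[http.services]
  [http.services.pihole-svc.loadBalancer]
    [[http.services.pihole-svc.loadBalancer.servers]]
      url = "http://pihole:80/"
```

With this in place, http://pihole/admin/ becomes https://pihole.my.domain.name/admin/, while http://pihole.my.domain.name/admin/ is redirected to the same path over https. One caveat: the redirectRegex middleware matches against the URL rebuilt from the Host header, so if Traefik listens on a non-standard port (and the browser therefore sends Host: pihole:8080) the `[^.]+` group also captures the port and the resulting FQDN will be wrong; on the default port 80 the browser omits it and the expansion works as intended.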