Global direct with fqdn redirectregex

I am trying to set up global redirection of HTTP to HTTPS and also expansion to FQDN if required. I went through a few posts and thought it would work, but I'm stuck. The goal would be:

http://whoami/ > https://whoami.domain.internal/
https://whoami/ > https://whoami.domain.internal/ <---- DOES NOT WORK - also triggers cert error, as it gets stuck on https://whoami/ and tries to match domain, but it doesn't have one
http://whoami.domain.internal > https://whoami.domain.internal/
https://whoami.domain.internal/ > https://whoami.domain.internal/

The other 3 variables seem to work.

version: "3.5"
services:

  traefik:
    image: traefik:v2.4
    command:
      - --log.level=INFO
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
      - --api=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --global.sendAnonymousUsage=false
    ports:
      - 80:80
      - 443:443
    labels:
      - traefik.enable=true

      # Dashboard
      - traefik.http.routers.traefik.rule=Host(`traefik.domain.internal`)
      - traefik.http.routers.traefik.service=api@internal
      - traefik.http.routers.traefik.entrypoints=websecure
      - traefik.http.routers.traefik.tls=true

      - traefik.http.middlewares.expandfqdn.redirectregex.regex=^https?://([^.]+)/(.*)
      - traefik.http.middlewares.expandfqdn.redirectregex.replacement=https://$${1}.domain.internal/$${2}

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro

  whoami:
    image: traefik/whoami
    container_name: simple-service-xx
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.whoami_https.redirectscheme.scheme=https
      #http
      - traefik.http.routers.whoami.entrypoints=web
      - traefik.http.routers.whoami.rule=Host(`whoami.domain.internal`)||Host(`whoami`)
      - traefik.http.routers.whoami.middlewares=expandfqdn,whoami_https@docker
      #https
      - traefik.http.routers.whoami_https.entrypoints=websecure
      - traefik.http.routers.whoami_https.rule=Host(`whoami.domain.internal`)
      - traefik.http.routers.whoami_https.tls=true
      - traefik.http.routers.whoami_https.middlewares=expandfqdn,whoami_https@docker

Ideally, in the end, the redirection is global instead of per container label.

Please help - this is driving me crazy.

Hello @jyip,

If your issue is redirecting:

https://whoami/ --> https://whoami.domain.internal/,

then you need to have a valid certificate for https://whoami/ first. This is because the TLS session is established before any HTTP requests are sent through.

I'm using a wildcard cert *.domain.internal.
Is there a solution / alternative? Or would it be impossible for this situation?

Hello @jyip,

If you are generating the certificate yourself, why not add whoami as a SAN?

I expect a lot of services to be utilizing the Traefik proxy and wanted to reduce the creation of certificates, so I went with the wildcard. I'm a little new to this; is it better practice to make a certificate for each subdomain?

Thank you

Hello @jyip,

It is up to you. Having a certificate per subdomain may involve more work and more money if purchasing from CAs, but having independent certificates will give you the most flexibility possible.
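
The point made in the replies above, as an added example that is not from the thread's participants or the Traefik project: this Go program evaluates the thread's `expandfqdn` regex and runs client-side hostname verification against a throwaway self-signed certificate, showing that `https://whoami/` would be rewritten correctly by the rule but is rejected at the TLS layer when the certificate only carries `*.domain.internal`, and is accepted once `whoami` is added as a SAN. The names `redirectTarget` and `certCovers` and the generated certificate are assumptions made for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"regexp"
	"time"
)

// The thread's expandfqdn rule ("$$" in the labels is Compose escaping for "$").
var expandFQDN = regexp.MustCompile(`^https?://([^.]+)/(.*)`)

// redirectTarget returns the Location the rule yields, or "" if the URL does not match.
func redirectTarget(url string) string {
	if !expandFQDN.MatchString(url) {
		return ""
	}
	return expandFQDN.ReplaceAllString(url, "https://${1}.domain.internal/${2}")
}

// certCovers reports whether a constructed self-signed cert with these DNS SANs verifies for host.
func certCovers(host string, sans ...string) bool {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return false
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     sans, // constructed SAN list, e.g. the wildcard from the thread
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return false
	}
	cert, err := x509.ParseCertificate(der)
	return err == nil && cert.VerifyHostname(host) == nil
}

func main() {
	for _, h := range []string{"whoami", "whoami.domain.internal"} {
		fmt.Println(h, redirectTarget("https://"+h+"/"), certCovers(h, "*.domain.internal"),
			certCovers(h, "*.domain.internal", "whoami"))
	}
}
```

A wildcard SAN matches exactly one label in its own position, so `*.domain.internal` can never cover the single-label name `whoami`; the redirect middleware only runs after the handshake for that name has succeeded.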