fl0wfr
September 15, 2020, 9:09am
1
Hi,
I'm trying to configure a Poste.io container using Let's Encrypt for SMTPS/IMAPS, but every time I try to generate a certificate from the Poste.io UI, I get an error. I checked the generated ACME URL, but Traefik keeps redirecting to HTTPS, which should be what causes the error.
Here is my Poste.io conf (sorry, I don't use Docker Compose):
docker run -d --name poste.io --restart=unless-stopped --hostname=mail.domain.tld \
  -p 25:25 -p 8084:80 -p 110:110 -p 143:143 -p 465:465 -p 587:587 \
  -p 993:993 -p 995:995 -p 11443:443 \
  -v /etc/localtime:/etc/localtime:ro -v /docker/Poste.io:/data \
  -l "traefik.enable=true" \
  -l "traefik.http.routers.webmail.rule=Host(\`webmail.domain.tld\`)" \
  -l "traefik.http.routers.webmail.service=webmail" \
  -l "traefik.http.routers.webmail.entrypoints=https,http" \
  -l "traefik.http.routers.webmail.tls=true" \
  -l "traefik.http.routers.webmail.tls.options=default" \
  -l "traefik.http.routers.webmail.tls.certresolver=xxx" \
  -l "traefik.http.services.webmail.loadbalancer.server.port=80" \
  -l "traefik.http.routers.webmail.middlewares=https-redirect@file,security-headers@file" \
  -l "traefik.http.routers.webmail-insecure.rule=Host(\`webmail.domain.tld\`)" \
  -l "traefik.http.routers.webmail-insecure.middlewares=https-redirect@file,security-headers@file" \
  -l "traefik.http.routers.posteio.rule=Host(\`posteio.domain.tld\`)" \
  -l "traefik.http.routers.posteio.service=posteio" \
  -l "traefik.http.routers.posteio.entrypoints=https,http" \
  -l "traefik.http.routers.posteio.tls=true" \
  -l "traefik.http.routers.posteio.tls.options=default" \
  -l "traefik.http.routers.posteio.tls.certresolver=xxx" \
  -l "traefik.http.services.posteio.loadbalancer.server.port=80" \
  -l "traefik.http.routers.posteio.middlewares=https-redirect@file,security-headers@file" \
  -l "traefik.http.routers.posteio-insecure.rule=Host(\`posteio.domain.tld\`)" \
  -l "traefik.http.routers.posteio-insecure.middlewares=https-redirect@file,security-headers@file" \
  -l "traefik.http.middlewares.posteio.redirectregex.regex=posteio.domain.tld/webmail" \
  -l "traefik.http.middlewares.posteio.redirectregex.replacement=posteio.domain.tld/admin/" \
  -l "traefik.http.routers.leposte.service=leposte" \
  -l "traefik.http.routers.leposte.rule=HostRegexp(\`mail.domain.tld\`) && PathPrefix(\`/.well-known/\`)" \
  -l "traefik.http.services.leposte.loadbalancer.server.port=80" \
  -l "traefik.http.routers.leposte.entrypoints=http" \
  -l "traefik.http.routers.leposte.tls=false" \
  -e "HTTPS=OFF" -e "HOSTNAME=mail.domain.tld" -t analogic/poste.io
And traefik.toml:
[entryPoints]
  [entryPoints.http]
    address = ":80"
  [entryPoints.https]
    address = ":443"

[api]
  # insecure = true serves the dashboard and API unauthenticated on the built-in
  # "traefik" entrypoint (:8080); keep that port off any public interface.
  insecure = true

[providers.docker]
  endpoint = "unix:///var/run/docker.sock"
  watch = true
  exposedByDefault = false
  swarmMode = false

[providers.file]
  filename = "/etc/traefik/services.toml"

[certificatesResolvers.xxx.acme]
  email = "xxx@domain.tld"
  storage = "/etc/traefik/acme.json"
  [certificatesResolvers.xxx.acme.dnsChallenge]
    provider = "xxx"

[log]
  filePath = "/logs/traefik.log"

[accessLog]
  filePath = "/logs/access.log"

[metrics]
  [metrics.prometheus]
services.toml:
[http]
  [http.middlewares.auth.basicAuth]
    users = ["xxx:xxx"]

  [http.middlewares.https-redirect.redirectscheme]
    scheme = "https"

  [http.middlewares.security-headers.headers]
    AccessControlAllowMethods = ["GET", "OPTIONS", "PUT"]
    AccessControlAllowOrigin = "origin-list-or-null"
    AccessControlMaxAge = 100
    ForceSTSHeader = true
    BrowserXssFilter = true
    ContentTypeNosniff = true
    FrameDeny = true
    SSLRedirect = true
    STSIncludeSubdomains = true
    STSPreload = true
    STSSeconds = 31536000
    # ContentSecurityPolicy = "default-src 'self' 'unsafe-inline'"
    CustomFrameOptionsValue = "SAMEORIGIN"
    ReferrerPolicy = "same-origin"
    FeaturePolicy = "vibrate 'self'"

  [http.routers]
    [http.routers.nvr]
      entrypoints = ["https"]
      rule = "Host(`nvr.domain.tld`)"
      service = "nvr"
      [http.routers.nvr.tls]
        certresolver = "xxx"

  [http.services]
    [http.services.nvr.loadBalancer]
      [[http.services.nvr.loadBalancer.servers]]
        url = "http://XXX.XXX.XXX.XXX:XXX"

[tls.options]
  [tls.options.default]
    minVersion = "VersionTLS12"
    sniStrict = true
    cipherSuites = [
      # CBC/SHA-256 suite: Go's crypto/tls lists it under InsecureCipherSuites (Lucky13 timing side channel).
      "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      # TLS 1.3 suites are not configurable in Go's crypto/tls; these three entries have no effect.
      "TLS_AES_128_GCM_SHA256",
      "TLS_AES_256_GCM_SHA384",
      "TLS_CHACHA20_POLY1305_SHA256",
      "TLS_FALLBACK_SCSV" # Client is doing version fallback. See RFC 7507.
    ]
Any help would be much appreciated
Best,
zespri
September 15, 2020, 10:25am
2
fl0wfr:
I got an error
It might be helpful to post the error. Or even better, the entire log file (enable debug logging first; if it is long, use something like a gist).
I check the generated ACME URL but Traefik keeps redirecting to HTTPS, which should cause the error
This does not make sense to me. What is the "ACME URL"? How is Traefik redirection relevant to the DNS challenge?
fl0wfr
September 15, 2020, 5:32pm
3
The error comes from Poste.io; it's simply because the ACME HTTP URL is redirected by Traefik to HTTPS.
ACME is used for Poste.io certificate generation for SMTPS and IMAPS, like I explained in the first post.
zespri
September 15, 2020, 8:17pm
4
ACME is used for Poste.io certificate generation for SMTPS and IMAPS like I explained in first post.
It sounds like you are not using traefik for generating these certs then.
In my mail server setup I use Traefik for all certificate-generating needs; I then extract them from acme.json with a script and copy them to wherever they are used by SMTPS/IMAPS. You might consider doing the same. In my mind it's a much cleaner approach than spreading cert management between different pieces of software.
As for redirection, I don't think there is an option to exclude a single container, but if you configure this for every container separately/individually, then you can configure this one not to redirect, and the rest to redirect, if that's what you like.
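The extraction step zespri describes, as an added example that is not zespri's script and not Traefik code. It assumes the Traefik v2 acme.json layout (top-level key per certificate resolver, a "Certificates" list whose entries carry "domain": {"main", "sans"} plus base64-encoded PEM in "certificate" and "key"); the resolver name "xxx" and host names are taken from this thread, and the PEM bodies in the sample are placeholders, not real key material. The private key is created with mode 0600 before any bytes are written, since a key that is readable by other users defeats the purpose of moving it out of acme.json (which Traefik itself requires to be 0600).

```python
"""Extract certificates from a Traefik v2 acme.json into per-domain PEM files.
Added example for this thread; not zespri's script and not Traefik code.
Assumed acme.json layout: {resolver: {"Account": ..., "Certificates": [
  {"domain": {"main": ..., "sans": [...]}, "certificate": <base64 PEM>,
   "key": <base64 PEM>, "Store": ...}]}}."""
import base64
import json
import os
import stat
import tempfile
from pathlib import Path


def extract_certs(acme_json_text, resolver, out_dir):
    """Write <out_dir>/<main-domain>/fullchain.pem and privkey.pem for every
    certificate issued by `resolver`. Returns
    {main_domain: {"cert": Path, "key": Path, "sans": [...], "key_mode": int}}."""
    data = json.loads(acme_json_text)
    if resolver not in data:
        raise KeyError(f"resolver {resolver!r} not found; have {sorted(data)}")
    written = {}
    for entry in data[resolver].get("Certificates") or []:
        main = entry["domain"]["main"]
        sans = entry["domain"].get("sans") or []
        cert_pem = base64.b64decode(entry["certificate"])
        key_pem = base64.b64decode(entry["key"])
        # Sanity-check the decoded material before touching the filesystem.
        if not cert_pem.startswith(b"-----BEGIN CERTIFICATE-----"):
            raise ValueError(f"{main}: certificate field is not PEM")
        if b"PRIVATE KEY-----" not in key_pem:
            raise ValueError(f"{main}: key field is not a PEM private key")
        target = Path(out_dir) / main
        target.mkdir(parents=True, exist_ok=True)
        cert_path = target / "fullchain.pem"
        key_path = target / "privkey.pem"
        cert_path.write_bytes(cert_pem)
        # Create the key file with 0600 from the start so it is never world-readable,
        # then re-apply the mode in case the file already existed with looser bits.
        fd = os.open(key_path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as fh:
            fh.write(key_pem)
        os.chmod(key_path, 0o600)
        written[main] = {
            "cert": cert_path,
            "key": key_path,
            "sans": sans,
            "key_mode": stat.S_IMODE(os.stat(key_path).st_mode),
        }
    return written


# Constructed sample acme.json. The PEM bodies are placeholders, not real key material.
FAKE_CERT_PEM = b"-----BEGIN CERTIFICATE-----\nMIIB...placeholder...\n-----END CERTIFICATE-----\n"
FAKE_KEY_PEM = b"-----BEGIN EC PRIVATE KEY-----\nMHc...placeholder...\n-----END EC PRIVATE KEY-----\n"
SAMPLE_ACME_JSON = json.dumps({
    "xxx": {
        "Account": {"Email": "xxx@domain.tld", "KeyType": "4096"},
        "Certificates": [{
            "domain": {"main": "mail.domain.tld", "sans": ["webmail.domain.tld"]},
            "certificate": base64.b64encode(FAKE_CERT_PEM).decode(),
            "key": base64.b64encode(FAKE_KEY_PEM).decode(),
            "Store": "default",
        }],
    }
})


def run_demo(out_dir=None):
    """Extract the constructed sample into out_dir (a fresh temp dir by default)."""
    if out_dir is None:
        out_dir = tempfile.mkdtemp(prefix="traefik-certs-")
    return extract_certs(SAMPLE_ACME_JSON, "xxx", out_dir)


if __name__ == "__main__":
    for domain, info in run_demo().items():
        print(domain, info["sans"], info["cert"], info["key"], oct(info["key_mode"]))
```

Run it from a timer or cron job after Traefik's renewal window, pointing `extract_certs` at the real acme.json and at a directory the mail daemons can read, then reload those daemons; the script is idempotent, so re-running it after an unchanged acme.json is harmless.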
fl0wfr
September 15, 2020, 9:05pm
5
I never said that I used Traefik for LE certificate generation in this case.
Poste.io offers an embedded feature to generate the certificate, and it worked perfectly with Traefik v1; that's why I'm asking for help...
How can I disable redirection for this container? (You can see that in the title of the topic...)
zespri
September 15, 2020, 9:07pm
6
Last paragraph of my previous message addresses this.
ldez
September 15, 2020, 11:46pm
7
zespri:
As for redirection, I don't think there is an option to exclude a single container, but if you configure this for every container separately/individually, then you can configure this one not to redirect, and the rest to redirect, if that's what you like.
In fact, it's possible per router, by playing with priority: if the router has a higher priority than the router with the redirection, it will be excluded from the redirection.
example 1

version: '3.7'

services:
  # curl -L -k http://traefik.localhost (redirect to https://traefik.localhost)
  # curl http://whoami.localhost (no redirection)
  # curl -L -k http://example.localhost (redirect to https://example.localhost)
  traefik:
    image: traefik:v2.2
    command:
      - --log.level=INFO
      - --api
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      traefik.enable: 'true'
      # Dashboard
      traefik.http.routers.traefik.rule: Host(`traefik.localhost`)
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.tls: 'true'
      traefik.http.routers.traefik.service: api@internal
      # global redirect to https
      traefik.http.routers.http-catchall.rule: hostregexp(`{host:.+}`)
      traefik.http.routers.http-catchall.entrypoints: web
      traefik.http.routers.http-catchall.middlewares: redirect-to-https
      traefik.http.routers.http-catchall.priority: 1000
      # middleware redirect
      traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https

  whoami:
    image: containous/whoami:v1.5.0
    labels:
      traefik.enable: 'true'
      traefik.http.routers.aaa.rule: Host(`whoami.localhost`)
      traefik.http.routers.aaa.entrypoints: web
      traefik.http.routers.aaa.priority: 2000
      traefik.http.routers.bbb.rule: Host(`example.localhost`)
      traefik.http.routers.bbb.entrypoints: websecure
example 2

version: '3.7'

services:
  # curl -L -k http://traefik.localhost (redirect to https://traefik.localhost)
  # curl http://whoami.localhost (no redirection)
  # curl -L -k http://example.localhost (redirect to https://example.localhost)
  traefik:
    image: traefik:v2.2.10
    command:
      - --log.level=INFO
      - --api
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      # global redirect to https
      - --entrypoints.web.http.redirections.entryPoint.to=websecure
      - --entrypoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.web.http.redirections.entrypoint.priority=1000
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.http.tls=true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      traefik.enable: 'true'
      # Dashboard
      traefik.http.routers.traefik.rule: Host(`traefik.localhost`)
      traefik.http.routers.traefik.entrypoints: web,websecure
      traefik.http.routers.traefik.service: api@internal

  whoami:
    image: containous/whoami:v1.5.0
    labels:
      traefik.enable: 'true'
      traefik.http.routers.aaa.rule: Host(`whoami.localhost`)
      traefik.http.routers.aaa.entrypoints: web
      traefik.http.routers.aaa.priority: 2000
      traefik.http.routers.bbb.rule: Host(`example.localhost`)
      traefik.http.routers.bbb.entrypoints: web,websecure
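The selection rule ldez's two examples rely on, as an added example that is not Traefik's code and not from any post in this thread: a reduced Python model of how Traefik v2 picks an HTTP router. Among the routers attached to the entrypoint whose rule matches, the highest priority wins, and a router with no explicit priority gets the length of its rule string as its priority (the documented v2 default). The model only understands Host, HostRegexp and PathPrefix joined with `&&`, which is all this thread uses; alphabetical tie-breaking is an assumption for determinism. It encodes example 1 as data and then adds the original poster's ACME router (assumed name "leposte", rule built from the thread's host and `/.well-known/` prefix) to show why an explicit priority above the catch-all's 1000 is what keeps the HTTP-01 path off the redirect.

```python
"""Model of Traefik v2 HTTP router selection: highest priority wins, and a router
without an explicit priority uses len(rule) as its priority. Added example for
this thread; not Traefik's code, only a reduced model of the documented behaviour
(Host, HostRegexp and PathPrefix matchers joined with '&&')."""
import re
from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class Router:
    name: str
    rule: str
    entrypoints: Sequence[str]
    middlewares: Sequence[str] = ()
    priority: Optional[int] = None

    def effective_priority(self) -> int:
        # Traefik v2 default: priority = length of the rule string when none is set.
        return self.priority if self.priority is not None else len(self.rule)


MATCHER = re.compile(r"(\w+)\(`([^`]*)`\)")


def host_regexp_to_python(pattern: str) -> str:
    # HostRegexp uses `{name:regex}` placeholders; turn each into a capture group.
    return "^" + re.sub(r"\{\w+:([^}]*)\}", r"(\1)", pattern) + "$"


def rule_matches(rule: str, host: str, path: str) -> bool:
    """Evaluate a rule made of Host/HostRegexp/PathPrefix terms joined by '&&'."""
    for term in rule.split("&&"):
        m = MATCHER.search(term.strip())
        if not m:
            raise ValueError(f"unsupported rule term: {term!r}")
        kind, arg = m.group(1).lower(), m.group(2)
        if kind == "host":
            ok = host.lower() == arg.lower()
        elif kind == "hostregexp":
            ok = re.match(host_regexp_to_python(arg), host, re.IGNORECASE) is not None
        elif kind == "pathprefix":
            ok = path.startswith(arg)
        else:
            raise ValueError(f"matcher not modelled here: {kind}")
        if not ok:
            return False
    return True


def select_router(routers, entrypoint, host, path) -> Optional[Router]:
    """Return the router that would serve the request, or None (404 in Traefik)."""
    candidates = [r for r in routers
                  if entrypoint in r.entrypoints and rule_matches(r.rule, host, path)]
    if not candidates:
        return None
    # Highest priority wins; ties broken by name (an assumption, for determinism).
    return min(candidates, key=lambda r: (-r.effective_priority(), r.name))


def is_redirected(routers, entrypoint, host, path, redirect_mw="redirect-to-https") -> bool:
    r = select_router(routers, entrypoint, host, path)
    return r is not None and redirect_mw in r.middlewares


# ldez's "example 1" from this thread, expressed as Router objects.
EXAMPLE1 = [
    Router("http-catchall", "hostregexp(`{host:.+}`)", ("web",), ("redirect-to-https",), 1000),
    Router("aaa", "Host(`whoami.localhost`)", ("web",), priority=2000),
    Router("bbb", "Host(`example.localhost`)", ("websecure",)),
    Router("traefik", "Host(`traefik.localhost`)", ("websecure",)),
]

# The original poster's need: keep http://mail.domain.tld/.well-known/... off the
# redirect so Poste.io's own HTTP-01 validation reaches the container. The router
# name "leposte" is assumed; the rule uses the thread's host and path prefix.
ACME_RULE = "Host(`mail.domain.tld`) && PathPrefix(`/.well-known/`)"


def acme_challenge_redirected(explicit_priority: Optional[int]) -> bool:
    """True when the ACME challenge request would hit the catch-all redirect."""
    routers = EXAMPLE1 + [Router("leposte", ACME_RULE, ("web",), priority=explicit_priority)]
    return is_redirected(routers, "web", "mail.domain.tld", "/.well-known/acme-challenge/token")


if __name__ == "__main__":
    print("whoami redirected:", is_redirected(EXAMPLE1, "web", "whoami.localhost", "/"))
    print("example redirected:", is_redirected(EXAMPLE1, "web", "example.localhost", "/"))
    print("acme, default priority (%d):" % len(ACME_RULE), acme_challenge_redirected(None))
    print("acme, priority 2000:", acme_challenge_redirected(2000))
```

This is also why `aaa` carries an explicit 2000 in both of ldez's examples: left at the default, `Host(\`whoami.localhost\`)` would have priority 24, far below the catch-all's 1000, and the redirect would win. In example 2 the entrypoint-level `redirections.entrypoint.priority=1000` plays the same role as the `http-catchall` router's priority in example 1, so the excluded router still needs a value above it.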
system
Closed
September 18, 2020, 11:46pm
8
This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.