How to disable http to https redirect?

io_err · April 19, 2023, 5:11pm

Hi,

I am trying to configure traefik for HTTP only traffic. I deployed traefik inside swarm cluster with following config:

version: '3.9'

services:
  traefik:
    image: traefik:v2.9
    ports:
      - 80:80
      - 8080:8080
    deploy:
      placement:
        constraints:
          - node.role==manager
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    command:
      - --providers.docker
      - --providers.docker.constraints=Label(`traefik.constraint-label`, `traefik`)
      - --providers.docker.exposedbydefault=false
      - --providers.docker.swarmMode=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --entrypoints.http.address=:80
      - --entrypoints.http.http.tls=false
      - --accesslog
      - --log
      - --api.insecure=true
      - --log.level=DEBUG
    networks:
      - traefik

networks:
  traefik:
    external: true

Then, I added labels to my app:

      labels:
        - traefik.http.routers.app.rule=Host(`my_app.domain.com`)
        - traefik.http.routers.app.tls=false
        - traefik.http.services.app.loadbalancer.server.port=80
        - traefik.enable=true
        - traefik.constraint-label=traefik

But when I tried to access app via http://my_app.domain.com I got redirected to https://my_app.domain.com
In logs I found this:
"Adding route for my_app.domain.com with TLS options default" entryPointName=http
and

level=debug msg="Configuration received: {\"http\":{\"routers\":{\"app\":{\"service\":\"app\",\"rule\":\"Host(`my_app.domain.com`)\"}},\"services\":{\"app\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://10.0.7.131:80\"}],\"passHostHeader\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
level=debug msg="Added outgoing tracing middleware api@internal" routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik
level=debug msg="Added outgoing tracing middleware dashboard@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik routerName=dashboard@internal
level=debug msg="Creating middleware" middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
level=debug msg="Creating middleware" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik
level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=traefik
level=debug msg="No entryPoint defined for this router, using the default one(s) instead: [http]" routerName=app
level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
level=debug msg="Creating middleware" routerName=app@docker entryPointName=http serviceName=app middlewareType=Pipelining middlewareName=pipelining
level=debug msg="Creating load-balancer" routerName=app@docker entryPointName=http serviceName=app
level=debug msg="Creating server 0 http://10.0.7.131:80" routerName=app@docker entryPointName=http serviceName=app serverName=0
level=debug msg="child http://10.0.7.131:80 now UP"
level=debug msg="Propagating new UP status"
level=debug msg="Added outgoing tracing middleware app" entryPointName=http routerName=app@docker middlewareName=tracing middlewareType=TracingForwarder
level=debug msg="Creating middleware" middlewareType=Recovery entryPointName=http middlewareName=traefik-internal-recovery
level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder
level=debug msg="Creating middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik
level=debug msg="Adding tracing to middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal entryPointName=traefik
level=debug msg="Creating middleware" routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik
level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery

How to change that's behaviour?
Thanks.

bluepuma77 · April 19, 2023, 5:55pm

Try to remove these lines. TLS should be disabled by default, maybe Traefik is not checking for false and activates when just present.

Browsers have a tendency to redirect to https when they have used https for a website before. Not sure if it helps to clear the browser cache.

So it might not even be Traefik itself. But also it might be that the app is sending a redirect to https, check with your browsers developer tools network tab.

io_err · April 19, 2023, 10:24pm

Update:

I am trying to setup Traefik behind LB that terminate TLS, but no luck on it. Maybe I can find examples somewhere?

bluepuma77 · April 20, 2023, 5:50am

If you run behind a load balancer terminating TLS, what is wrong about this behavior?

The load balancer should still forward all requests to port 80 with http if configured correctly.

io_err · April 20, 2023, 10:14am

Correct,

Load Balancer terminated TLS, then HTTP routed by Traefik to container, but I saw 499 error in traefik logs, in container my request got 200 OK.

I performed some tests:
Opened 80 HTTP on LB and point it to 80 HTTP of Traefik, created a service with plain nginx service, and now I have:
In browser got 307 redirect (tried in incognito tab without any cache, etc):

Request Method:GET
Status Code: 307 Internal Redirect
Referrer Policy: strict-origin-when-cross-origin
HTTP/1.1 307 Internal Redirect
Location: http://nginx.domain.com
Cross-Origin-Resource-Policy: Cross-Origin
Non-Authoritative-Reason: HSTS

Looks like Traefik rewrite headers or adding "upgrade-insecure-requests" in middlewares (Upgrade-Insecure-Requests: 1 in request headers). I found some topics with similar issues, and tried "--entrypoints.http.forwardedheaders.insecure", but I still have same issues.

bluepuma77 · April 20, 2023, 4:56pm

Traefik does not redirect to https unless your explicitly tell it to via entrypoint or router middleware.

Try a plain traefik/whoami service, that for sure will not redirect. Don't know about nginx defaults.

Topic		Replies	Views
Config from labels on swarm Traefik v2 docker , docker-swarm	2	867	October 9, 2019
Disable https redirection for a single container Traefik v1 docker	3	4384	July 24, 2019
Need help on http-https redirection Traefik v2 docker-swarm	2	494	May 23, 2020
Traefik 2 + Docker Swarm: Ignoring my Labels Traefik v2 docker , docker-swarm	1	1231	May 16, 2020
I can't set up redirect http to https Traefik v2 docker , middleware	2	134	July 1, 2024

How to disable http to https redirect?

Related Topics