How to redirect an HTTPS request based on a header value?

Traefik Traefik v2
,
1

Hi y'all!
I have a docker service behind traefik; due to its nature we're being pretty stingy with TLS, and so the minVersion is set to VersionTLS12, which obviously breaks every version of IE.

Since this service is sometimes used by people who still have IE on their computers - how may I redirect them to an appropriate error page (or whatever)? Because, if I just leave this as-is - the browser's default error message is pretty misleading:

Untitled
Untitled996×638 100 KB

It makes it look like the service is down, while in reality it is not.

Now: this is my config file:

[global]
  checkNewVersion = false

[api]
  dashboard = true

[log]
  level = "DEBUG"

[accessLog]

[entryPoints]
  [entryPoints.http]
    address = ":80"
  [entryPoints.https]
    address = ":443"

[providers]
  [providers.docker]
    exposedByDefault = false
  [providers.file]
    directory = "/etc/dynamic-config/"

[certificatesResolvers]
  [certificatesResolvers.letsencrypt]
    [certificatesResolvers.letsencrypt.acme]
      email = "redacted@redact.ed"
      storage = "/etc/acme.json"
    [certificatesResolvers.letsencrypt.acme.httpChallenge]
      entryPoint = "http"

This is a file I load as a dynamic provider:

[tls.options]
  [tls.options.default]
    sniStrict = true
    minVersion = "VersionTLS12"
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
    ]

[http.routers]
  [http.routers.Router-1]
    rule = "HostRegexp(`ch1test.spectra.io`, `{subdomain:.+}.ch1test.spectra.io`) && HeadersRegexp(`User-Agent`, `.*MSIE.*`)"
    priority = 9000000
    entryPoints = ["https"]
    service = "my-service"

[http.services]
  [http.services.my-service.loadBalancer]
    [[http.services.my-service.loadBalancer.servers]]
      url = "http://my.public.bucket.s3-eu-west-1.amazonaws.com/"

NOTES:

  • These settings work if I only specify the "http" entrypoint. But it makes no sense for my usecase, as I only need to redirect the HTTPS requests from browsers which can not set up a connection.
  • With the "https" entrypoint it doesn't redirect, because it probably tries to initialize SSL before trying to redirect the request. Which is why I'm posting here :sweat_smile:
  • I know that S3 url won't work like that, I'll figure out a better service destination. It's a temp value.
2

Ok, so given that the average level of activity on this forum asymptotically approaches zero and I hate seeing unanswered forum threads - here comes my solution.

The above is a tricky instance of a stupid problem in disguise. To understand why, here's two diagrams:

standard connection flow:
client -> traefik -> application server -> traefik -> client

HTTP inside traefik:
------> request received from an entry point -> headers read -> router rules applied -> off to a service ------> return response to the client

HTTPS inside traefik:
------> request received from an entry point -> DECRYPTION -> headers read -> router rules applied -> off to a service -> receive response -> ENCRYPTION -------> return response to the client?

My setup obviously works with HTTP because there's no encryption involved - it just redirects the thing where I ask it to. But when I need to do that with the HTTPS - it'd need to decrypt it first, so it's pretty obvious that it can not redirect the request before reading its headers. And in order to decrypt the communication - it'd need to set up TLS first, which is broken client-side.

So, it is literally not possible to set up a redirect for "all the clients that are broken" - or even single them out as a category. Putting up an error message that is informative enough to the end users is entirely a responsibility of the browser at the hand.