How to trace a weird redirect?

Traefik Traefik v2 (latest)
1

hi all
please see config and wget logs below.
both the whoami and wordpress containers are are defined exactly the same. the whoami container resolves on its subdomain, the wordpress container doesn't (timeout).
using wget on the wordpress site shows the basic auth middleware as successful, then for some reason it hits a 301 Moved Permanently and redirects to https://abc.my-domain.co.uk:9105.
how can i track down where this redirect occurs?
weirdly, i have previously exposed the wordpress container on host port 9105, but not anymore.
any tips would be helpful!

docker compose

version: "3.7"

services:

  traefik:
    hostname: "traefik"
    image: "traefik:latest"
    container_name: "traefik"
    restart: always
    domainname: ${DOMAINNAME}
    command:
      - "--log.level=DEBUG"
      - "--log.filepath=/logs/traefik.log"
      - "--accesslog.filepath=/logs/access.log"
      - "--accesslog.filters.retryAttempts=true"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.file.directory=/opt/traefik/rules"
      - "--providers.file.watch=true"

      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.traefik.address=:9103"

      - "--certificatesResolvers.mydnschallenge.acme.email=${MY_EMAIL}"
      - "--certificatesResolvers.mydnschallenge.acme.storage=/letsencrypt/acme.json"
      - "--certificatesResolvers.mydnschallenge.acme.dnsChallenge=true"
      - "--certificatesResolvers.mydnschallenge.acme.dnsChallenge.provider=cloudflare"

    labels:
      - "traefik.enable=true"

      # global redirect to https
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"

    environment:
      - CF_API_EMAIL=${CLOUDFLARE_EMAIL}
      - CF_API_KEY=${CLOUDFLARE_API_KEY}
    ports:
      - "80:80"
      - "443:443"
      - "9103:9103"
    volumes:
      - ${USERDIR}/docker/traefik/acme:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${USERDIR}/docker/traefik/file-based-rules:/opt/traefik/rules:ro
      - ${USERDIR}/docker/traefik/logs:/logs

  whoami:
    image: "containous/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami-secure.rule=Host(`ben.${DOMAINNAME}`)"
      - "traefik.http.routers.whoami-secure.entrypoints=websecure"
      - "traefik.http.routers.whoami-secure.tls.certresolver=mydnschallenge"

      - "traefik.http.routers.whoami-secure.middlewares=whoami-auth"
      - "traefik.http.middlewares.whoami-auth.basicauth.users=user:pwd"


  wordpress:
    container_name: wordpress
    depends_on:
      - wordpress_db
    image: wordpress:latest
    volumes:
      - ${USERDIR}/docker/wordpress/html:/var/www/html
      - ${USERDIR}/docker/wordpress/php:/usr/local/etc/php
    restart: always
    environment:
      WORDPRESS_DB_HOST: wordpress_db:3306
      WORDPRESS_DB_NAME: wordpress
      WORDPRESS_DB_USER: wordpress
      WORDPRESS_DB_PASSWORD: ${MYSQL_WP_PASSWORD}
      WORDPRESS_DEBUG: 1
    labels:
      - "traefik.enable=true"
      - "traefik.http.services.wordpress-service.loadbalancer.server.port=80"
      - "traefik.http.services.wordpress-service.loadbalancer.server.scheme=http"

      - "traefik.http.routers.wordpress-secure.rule=Host(`abc.${DOMAINNAME}`)"
      - "traefik.http.routers.wordpress-secure.entrypoints=websecure"
      - "traefik.http.routers.wordpress-secure.tls.certresolver=mydnschallenge"
      - "traefik.http.routers.wordpress-secure.service=wordpress-service"

      - "traefik.http.routers.wordpress-secure.middlewares=wordpress-auth"
      - "traefik.http.middlewares.wordpress-auth.basicauth.users=user:pwd"

wget whoami

➜  ~ wget --user=user --password=pwd http://ben.my-domain.co.uk
--2019-11-17 16:22:29--  http://ben.my-domain.co.uk/
Resolving ben.my-domain.co.uk (ben.my-domain.co.uk)... <some-ip-address>, <some-ip-address>, <some-ip-address>, ...
Connecting to ben.my-domain.co.uk (ben.my-domain.co.uk)|<some-ip-address>|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://ben.my-domain.co.uk/ [following]
--2019-11-17 16:22:29--  https://ben.my-domain.co.uk/
Connecting to ben.my-domain.co.uk (ben.my-domain.co.uk)|<some-ip-address>|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="traefik"
Reusing existing connection to [ben.my-domain.co.uk]:443.
HTTP request sent, awaiting response... 200 OK
Length: 643 [text/plain]
Saving to: ‘index.html’

index.html                    100%[===============================================>]     643  --.-KB/s    in 0s      

2019-11-17 16:22:29 (36.1 MB/s) - ‘index.html’ saved [643/643]

wget wordpress

➜  ~ wget --user=user --password=pwd http://abc.my-domain.co.uk/sample-page
--2019-11-17 16:23:17--  http://abc.my-domain.co.uk/sample-page
Resolving abc.my-domain.co.uk (abc.my-domain.co.uk)... <some-ip-address>, <some-ip-address>, <some-ip-address>, ...
Connecting to abc.my-domain.co.uk (abc.my-domain.co.uk)|<some-ip-address>|:80... connected.
HTTP request sent, awaiting response... 302 Found
Location: https://abc.my-domain.co.uk/sample-page [following]
--2019-11-17 16:23:17--  https://abc.my-domain.co.uk/sample-page
Connecting to abc.my-domain.co.uk (abc.my-domain.co.uk)|<some-ip-address>|:443... connected.
HTTP request sent, awaiting response... 401 Unauthorized
Authentication selected: Basic realm="traefik"
Reusing existing connection to [abc.my-domain.co.uk]:443.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://abc.my-domain.co.uk:9105/sample-page/ [following]
--2019-11-17 16:23:17--  https://abc.my-domain.co.uk:9105/sample-page/
Connecting to abc.my-domain.co.uk (abc.my-domain.co.uk)|<some-ip-address>|:9105... failed: Operation timed out.
Connecting to abc.my-domain.co.uk (abc.my-domain.co.uk)|<some-ip-address>|:9105... ^C
2

May be you were not successfull applying your new configuration (that does not contain port 9105), Or you applied it to a wrong place.

Enable debug log, and dashboard. In the log examine dumped configuration (both static and dynamic, but mostly dynamic) and compare it with expected. Enable dashboard. Examine routers and services created.

For what it's worth - there is redirect configured in your config, but the behaviour is inconsisten with the config, the http router that handles the request does both, the auth and the redirect, and your config shows the redirect only.

This makes me thing that you are looking at a wrong place.

It is also possible that you left behind another container with traefik labels that you mean to remove, and these are the labels that causing the behaviour you are seeing.

3

thanks @zespri - router and service both showed green in logs and dash the whole time.

wordpress must store some state somewhere (internal and cookies) on what port it has been first accessed from. solution was to:

  • drop and re-create both wordpress html folder and db
  • drop the cookie from the browser

:man_facepalming:

4

Never heard of wget using cookie from the browser. :wink:

2 Likes