HTTP and HTTPS not possible (also SchemaRedirect not possible)

My expected behaviour is quite simple but seems to be impossible to configure.

Expected: a service is available on HTTP and HTTPS
Actual: It's either depending on the IngressRoute

All the provided configurations are valid according to the log files as well as the Traefik dashboard. The configuration is also correctly reflected on the different dashboard pages. In the curl results the in my opinion wrong results are in bold.

Full configuration:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: https
spec:
  redirectScheme:
    scheme: https

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
spec:
  entryPoints:
    - web
    - websecure
  routes:
  - match: Host(`whoami.domain.io`)
    kind: Rule
    services:
      - name: whoami
        port: 80
  tls:
    certResolver: default

---
apiVersion: v1
kind: Service
metadata:
  name: whoami

spec:
  ports:
    - protocol: TCP
      name: web
      port: 80
  selector:
    app: whoami

---
kind: Deployment
apiVersion: apps/v1
metadata:
  name: whoami
  labels:
    app: whoami

spec:
  replicas: 2
  selector:
    matchLabels:
      app: whoami
  template:
    metadata:
      labels:
        app: whoami
    spec:
      containers:
        - name: whoami
          image: containous/whoami
          ports:
            - name: web
              containerPort: 80

$ curl http://whoami.domain.io => 404
$ curl https://whoami.domain.io => 200
$ curl http://172.16.x.x:8000 -H Host:whoami.domain.io => 404
$ curl https://172.16.x.x:4443 -H Host:whoami.domain.io -k => 200

Now the different variations of IngressRoute with it's results

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`whoami.domain.io`)
    kind: Rule
    services:
      - name: whoami
        port: 80

$ curl http://whoami.domain.io => 200
$ curl https://whoami.domain.io => 404
$ curl http://172.16.x.x:8000 -H Host:whoami.domain.io => 200
$ curl https://172.16.x.x:4443 -H Host:whoami.domain.io -k => 404

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`whoami.domain.io`)
    kind: Rule
    services:
      - name: whoami
        port: 80

$ curl http://whoami.domain.io => 404
$ curl https://whoami.domain.io => 404
$ curl http://172.16.x.x:8000 -H Host:whoami.domain.io => 404
$ curl https://172.16.x.x:4443 -H Host:whoami.domain.io -k => 404

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
spec:
  entryPoints:
    - web
  routes:
  - match: Host(`whoami.domain.io`)
    kind: Rule
    services:
      - name: whoami
        port: 80
  tls:
    certResolver: default     

$ curl http://whoami.domain.io => 404
$ curl https://whoami.domain.io => 404
$ curl http://172.16.x.x:8000 -H Host:whoami.domain.io => 404
$ curl https://172.16.x.x:4443 -H Host:whoami.domain.io -k => 404

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`whoami.domain.io`)
    kind: Rule
    services:
      - name: whoami
        port: 80
  tls:
    certResolver: default

$ curl http://whoami.domain.io => 404
$ curl https://whoami.domain.io => 200
$ curl http://172.16.x.x:8000 -H Host:whoami.domain.io => 404
$ curl https://172.16.x.x:4443 -H Host:whoami.domain.io -k => 200

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
spec:
  entryPoints:
    - web
    - websecure
  routes:
  - match: Host(`whoami.domain.io`)
    kind: Rule
    services:
      - name: whoami
        port: 80 

$ curl http://whoami.domain.io => 404
$ curl https://whoami.domain.io => 404
$ curl http://172.16.x.x:8000 -H Host:whoami.domain.io => 404
$ curl https://172.16.x.x:4443 -H Host:whoami.domain.io -k => 404

And what I firstly really tried to achieve (Redirect of HTTP -> HTTPS):

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: whoami
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`whoami.domain.io`)
    kind: Rule
    services:
      - name: whoami
        port: 80
    middlewares:
      - name: https
  tls:
    certResolver: default

$ curl http://whoami.domain.io => 404
$ curl https://whoami.domain.io => 200
$ curl http://172.16.x.x:8000 -H Host:whoami.domain.io => 404
$ curl https://172.16.x.x:4443 -H Host:whoami.domain.io -k => 200

Is this the expected behaviour? I hope not.

Why not make 2 routers? one for HTTP and one for HTTPS?

Hello @dannyyy,

The reason that you are getting the results that you are is you are effectively defining an HTTP (TLS enabled) router on both your web and websecure entrypoints.

If you want to have a TLS enabled and non-TLS enabled configuration (such as http/https), you have to configure them as separate routes like shown in our documentation:

https://docs.traefik.io/v2.1/user-guides/crd-acme/#traefik-routers

This way you configure the redirect on the http route, without affecting the TLS-enabled route.

Thanks guys. Actually very obvious.
I think the possibility of having a list for the entryPoints property forced me to think I can combine them.

But thanks to your feedback everything is working now.

Cheers Danny