Based on the above discussion I think we determined we that we must use redirectregex, not replaceregex. I want to draw your attention on the part where it tries to reply. Can you please see #3 & #4 in my previous reply? How is Traefik removing SSL from the reply?
I read your examples a lot and my tested implemented is based on them. It doesn't work - perhaps only with Curl, which is not my goal. My goal is to copy the implementation in the link I posted.
This post & comment explains what I mean better by "silently" https://bjornjohansen.no/nginx-redirect -
" As you mention, using a HTTP 307 response code (or even 308 Permanent Redirect ) is a technically correct solution. But you have to remember to return a Location header as well, so the client knows where to direct the POST request. I am not sure how many of your clients will understand a 307 (or the newer 308) response code.
The failsafe approach would be to use a proxy_pass , which should work just fine. Use proxy_set_header Host $host; if you want to pass on the Host header from the client, or set your own with proxy_set_header Host example.com; . It might be a good idea to log all proxied requests and ask those clients to update their configurations to use the new URL."
(And you can see two follow up replies by someone seemingly trying to do the same thing as me)
Like I said, I can see that I can get 307s and 308s in the traefik logs, but the communication between services & remote does not work - and I think it is because it is sending HTTPS messages back, while it expects HTTP messages. I don't see how creating a 'web' (in addition to 'websecure') router will automatically make this happen for services
Proxypass and redirect are two different things.
In case of NGINX proxy_pass, a client makes a request, the request is received by NGINX, which forwards the request to the defined backend. The defined backend goes back to NGINX, which sends the reply back to the client.
In case of a redirect, the client sends a request, the server receives the request and sends back a new url for the client to follow.
From what I've gathered, you are in need of proxying a http to https (not redirecting). I'm not very familiar with advanced functionality of Traefik, but maybe https://docs.traefik.io/middlewares/headers/#using-security-headers can help you forward?
@lanmarti Hmmm... Ya it seems like that is a lead. However, I can't seem to get it through my head how this fits into @ldez's previous example. How could one remove SSL using the headers middleware - but only on return requests from the regex.replacement URL?
Have you tried using a Traefik Service? In this thread they talk about a similar issue to yours, except they want double HTTPS -> Traefik -> HTTPS instead of your HTTP -> Traefik -> HTTPS scenario Can traefik terminate an SSL connection and create a new SSL connection to the backend service . Perhaps this can help you forward?
I'm very new to v2 myself, and my use cases are very straightforward, so my knowledge is rather limited.
I've read this thread carefully, and it is utterly unclear what you are trying to achieve.
What is this "remote" you are referring to? Also "answering with SSL, which expecting none" does not quite make sense, because TLS protocol start with a handshake, and if it does you are using TLS, and if it does not you are not. There is no way that after the TLS handshake the client would not expect TLS response back. And if there was no handshake then server would not send TLS response back, so - unclear.
@lanmarti@ldez
I DM'd this to @zespri espri, and he suggested that I follow up here:
I never did figure this out and it seems very easy to talk about this issue on nginx forums (for linux) or htaccess threads (for windows), like this one:
But in Traefik it seems quite complex. As you can see from what they're doing in that Stackoverflow thread, PayPal has old URLs it doesn't allow you to change. So if there's a subscription that lasts years, then you cannot change the URL without cancelling everyone's subscription! Anyway, the URL that is stuck for everyone is similar - and it also is on HTTP (not HTTPS). Therefore, not only do we need to have it seamlessly talk to a service running on a different URL, but it needs to translate HTTP -> HTTPS on the way in, and HTTPS -> HTTP on the way out (only for said URL).
I hope that makes everything clearer in the above thread! I will work under the hypothesis that it was me being unclear for now I really did try, however!
For problem 2, it seems to me you need a router definition that accepts a http connection (probably on port 80 or 8080), which directs trafic to a sevice with a https scheme (probably port 443).
I haven't used traefik with docker, but assuming you are using the docker provider, the labels for your app container should be something akin to:
in your static traefik configuration, you should add either the correct certs for the TLS connection, or set insecureSkipVerify.
To get everything working, skipping verification is easiest. You can look at adding the certificate after you have a working version.
serversTransport:
insecureSkipVerify: true
Don't forget that your static configuration should also contain the http entrypoint definition.
I'd like to stress that this is just what I think should work. As mentioned before, my actual experience with traefik v2 is very limited and my experience with traefik + docker is non-existent.
# router for http request
- "traefik.http.routers.apache-http.entrypoints=web"
- "traefik.http.routers.apache-http.rule=Host(`example.com`)"
# router for https request
- "traefik.http.routers.apache-https.entrypoints=websecure"
- "traefik.http.routers.apache-https.tls=true"
- "traefik.http.routers.apache-https.tls.certresolver=myresolver"
- "traefik.http.routers.apache-https.rule=Host(`example.com`)"
# service for http request
- "traefik.http.services.apache-http.loadbalancer.server.port=80"
# service for https request
- "traefik.http.services.apache-https.loadbalancer.server.port=443"
- "traefik.http.services.apache-https.loadbalancer.server.scheme=https"
# assign http service to http router
- "traefik.http.routers.apache-http.service=apache-http"
# assign https service to https router
- "traefik.http.routers.apache-https.service=apache-https"
I had a problem that one php framework generated url links with http. At first I had a redirect of everything to https, but it wasn't perfect, the links on the site were still with http and every request had a redirect. There was also a problem with htaccess configuration. I could modify the php code, but I was looking for the cause. I found out that this is because the Traefik communicates with docker cointainers without https. And so began my several-day challenge that led here.
I'm a programmer, I don't normally configure a proxy. The first steps are always difficult. I searched a lot of solutions on the internet, everyone wrote about PassTLSClientCert and mTLS, so I went the wrong way for a long time. Thank you again for the right solution. I now have a Lets encrypt certificate for communication from the outside and my own certificate for communication between Traefik and the Docker.
Now I will be able to run the Docker registry in Gitlab, a solution without TLS is not officially supported. Also Redis, RabbitMQ and others. Now I think I can handle it.
I really did try, however!