HTTP -> HTTPS redirect sends to 403 page

Attempting to set up a single HTTP -> HTTPS router returns a 403 Forbidden page.
The page, I have found out, comes from Traefik and not the end-user application.
Tested with 2 different container images (custom / WHOAMI Traefik container).
Also tested with v2 and v3, same issue. Not sure if it's a Traefik issue or a config issue.

What did you see instead?

I expect to be sent to https of the whoami not a 403 Forbidden Traefik container.

What version of Traefik are you using?

Version: 3.0.0-beta3
Codename: beaufort
Go version: go1.20.5
Built: 2023-06-22T08:58:13Z
OS/Arch: linux/amd64

What is your environment & configuration?

Code is below; not sure what I'm doing wrong.
Traefik container

    image: traefik:v3.0
    container_name: traefik
    restart: always
    command:
      - --log.level=DEBUG
      - --accesslog=true
      - --tracing=true
      - --api.insecure=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entryPoints.websecure.address=:443
      - --certificatesresolvers.seat.acme.tlschallenge=true
      - --certificatesresolvers.seat.acme.email=blah@blah.com
      - --certificatesresolvers.seat.acme.storage=./letsencrypt/seat-acme.json

    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./letsencrypt:/letsencrypt/
      - ./logs/access.log:/logs/access.log
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik.rule=Host(`traefik.home.arpa`)
      - traefik.http.services.traefik.loadBalancer.server.port=8080
      - traefik.http.routers.traefik.entrypoints=web
    networks:  
      - docker_services

Whoami Container

    version: '3.7'

    services:
      whoami-test:
        image: traefik/whoami:v1.9
        container_name: "whoami-test"
        restart: always
        labels:
          - traefik.enable=true

          - traefik.http.routers.whoami-http.rule=Host(`whoami.${DOMAIN}`)

          - traefik.http.routers.whoami-http.entrypoints=web
          - traefik.http.routers.whoami-http.middlewares=whoami-https-redirect
          - traefik.http.routers.whoami-https.rule=Host(`whoami.${DOMAIN}`)
          - traefik.http.routers.whoami-https.entrypoints=websecure
          - traefik.http.routers.whoami-https.tls.certResolver=seat
          - traefik.http.routers.whoami-https.tls=true
          - traefik.http.middlewares.whoami-https-redirect.redirectscheme.scheme=https
          - traefik.http.middlewares.whoami-https-redirect.redirectscheme.permanent=true

        networks:
          - docker_services

    networks:
      docker_services:
        external: true

If applicable, please paste the log output in DEBUG level

No good information found in Logs

Hello,

First, Traefik doesn't produce 403, so the 403 doesn't come from Traefik.

I tried your example (with Traefik v2 and v3) and it works as expected.

I created a modified version of your example, without ACME (which doesn't impact the Traefik routing), access log (which doesn't impact the Traefik routing), and tracing (which doesn't impact the Traefik routing).

Modified example

    version: "3"
    services:
      traefik:
        image: traefik:v2.10
        container_name: traefik
        restart: always
        command:
          - --log.level=DEBUG
          # - --accesslog=true
          # - --tracing=true
          - --api.insecure=true
          - --providers.docker=true
          - --providers.docker.exposedbydefault=false
          - --entrypoints.web.address=:80
          - --entryPoints.websecure.address=:443
          # - --certificatesresolvers.seat.acme.tlschallenge=true
          # - --certificatesresolvers.seat.acme.email=blah@blah.com
          # - --certificatesresolvers.seat.acme.storage=./letsencrypt/seat-acme.json

        ports:
          - "80:80"
          - "8080:8080"
          - "443:443"
        volumes:
          - /etc/localtime:/etc/localtime:ro
          - /var/run/docker.sock:/var/run/docker.sock:ro
          # - ./letsencrypt:/letsencrypt/
          # - ./logs/access.log:/logs/access.log
        labels:
          - traefik.enable=true
          - traefik.http.routers.traefik.rule=Host(`traefik.localhost`)
          - traefik.http.routers.traefik.entrypoints=web
          - traefik.http.services.traefik.loadBalancer.server.port=8080
        # networks:
        #   - docker_services

      whoami-test:
        image: traefik/whoami:v1.9
        container_name: "whoami-test"
        restart: always
        labels:
          - traefik.enable=true

          - traefik.http.routers.whoami-http.rule=Host(`whoami.localhost`)
          - traefik.http.routers.whoami-http.entrypoints=web
          - traefik.http.routers.whoami-http.middlewares=whoami-https-redirect

          - traefik.http.routers.whoami-https.rule=Host(`whoami.localhost`)
          - traefik.http.routers.whoami-https.entrypoints=websecure
          # - traefik.http.routers.whoami-https.tls.certResolver=seat
          - traefik.http.routers.whoami-https.tls=true

          - traefik.http.middlewares.whoami-https-redirect.redirectscheme.scheme=https
          - traefik.http.middlewares.whoami-https-redirect.redirectscheme.permanent=true
        # networks:
        # - docker_services

    # networks:
    #   docker_services:
    #     external: true

Traefik logs

$ docker-compose up --remove-orphans  
whoami-test  | 2023/08/31 22:40:44 Starting up on port 80
traefik      | time="2023-09-01T00:40:44+02:00" level=info msg="Configuration loaded from flags."
traefik      | time="2023-09-01T00:40:44+02:00" level=info msg="Traefik version 2.10.1 built on 2023-04-27T14:52:35Z"
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Static configuration loaded {\"global\":{\"checkNewVersion\":true},\"serversTransport\":{\"maxIdleConnsPerHost\":200},\"entryPoints\":{\"traefik\":{\"address\":\":8080\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"web\":{\"address\":\":80\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}},\"websecure\":{\"address\":\":443\",\"transport\":{\"lifeCycle\":{\"graceTimeOut\":\"10s\"},\"respondingTimeouts\":{\"idleTimeout\":\"3m0s\"}},\"forwardedHeaders\":{},\"http\":{},\"http2\":{\"maxConcurrentStreams\":250},\"udp\":{\"timeout\":\"3s\"}}},\"providers\":{\"providersThrottleDuration\":\"2s\",\"docker\":{\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"}},\"api\":{\"insecure\":true,\"dashboard\":true},\"log\":{\"level\":\"DEBUG\",\"format\":\"common\"}}"
traefik      | time="2023-09-01T00:40:44+02:00" level=info msg="\nStats collection is disabled.\nHelp us improve Traefik by turning this feature on :)\nMore details on: https://doc.traefik.io/traefik/contributing/data-collection/\n"
traefik      | time="2023-09-01T00:40:44+02:00" level=info msg="Starting provider aggregator aggregator.ProviderAggregator"
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Starting TCP Server" entryPointName=web
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Starting TCP Server" entryPointName=traefik
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Starting TCP Server" entryPointName=websecure
traefik      | time="2023-09-01T00:40:44+02:00" level=info msg="Starting provider *traefik.Provider"
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="*traefik.Provider provider configuration: {}"
traefik      | time="2023-09-01T00:40:44+02:00" level=info msg="Starting provider *docker.Provider"
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="*docker.Provider provider configuration: {\"watch\":true,\"endpoint\":\"unix:///var/run/docker.sock\",\"defaultRule\":\"Host(`{{ normalize .Name }}`)\",\"swarmModeRefreshSeconds\":\"15s\"}"
traefik      | time="2023-09-01T00:40:44+02:00" level=info msg="Starting provider *acme.ChallengeTLSALPN"
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="*acme.ChallengeTLSALPN provider configuration: {}"
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"traefik\"],\"service\":\"api@internal\",\"rule\":\"PathPrefix(`/api`)\",\"priority\":2147483646},\"dashboard\":{\"entryPoints\":[\"traefik\"],\"middlewares\":[\"dashboard_redirect@internal\",\"dashboard_stripprefix@internal\"],\"service\":\"dashboard@internal\",\"rule\":\"PathPrefix(`/`)\",\"priority\":2147483645}},\"services\":{\"api\":{},\"dashboard\":{},\"noop\":{}},\"middlewares\":{\"dashboard_redirect\":{\"redirectRegex\":{\"regex\":\"^(http:\\\\/\\\\/(\\\\[[\\\\w:.]+\\\\]|[\\\\w\\\\._-]+)(:\\\\d+)?)\\\\/$\",\"replacement\":\"${1}/dashboard/\",\"permanent\":true}},\"dashboard_stripprefix\":{\"stripPrefix\":{\"prefixes\":[\"/dashboard/\",\"/dashboard\"]}}},\"serversTransports\":{\"default\":{\"maxIdleConnsPerHost\":200}}},\"tcp\":{},\"udp\":{},\"tls\":{}}" providerName=internal
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Provider connection established with docker 24.0.5 (API 1.43)" providerName=docker
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Configuration received: {\"http\":{\"routers\":{\"traefik\":{\"entryPoints\":[\"web\"],\"service\":\"traefik\",\"rule\":\"Host(`traefik.localhost`)\"},\"whoami-http\":{\"entryPoints\":[\"web\"],\"middlewares\":[\"whoami-https-redirect\"],\"service\":\"whoami-test-19695\",\"rule\":\"Host(`whoami.localhost`)\"},\"whoami-https\":{\"entryPoints\":[\"websecure\"],\"service\":\"whoami-test-19695\",\"rule\":\"Host(`whoami.localhost`)\",\"tls\":{}}},\"services\":{\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.19.0.3:8080\"}],\"passHostHeader\":true}},\"whoami-test-19695\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://172.19.0.2:80\"}],\"passHostHeader\":true}}},\"middlewares\":{\"whoami-https-redirect\":{\"redirectScheme\":{\"scheme\":\"https\",\"permanent\":true}}}},\"tcp\":{},\"udp\":{}}" providerName=docker
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Added outgoing tracing middleware dashboard@internal" entryPointName=traefik routerName=dashboard@internal middlewareName=tracing middlewareType=TracingForwarder
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Adding tracing to middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating middleware" middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex entryPointName=traefik routerName=dashboard@internal
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Adding tracing to middleware" routerName=dashboard@internal middlewareName=dashboard_redirect@internal entryPointName=traefik
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=traefik
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="No default certificate, fallback to the internal generated certificate" tlsStoreName=default
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating middleware" routerName=traefik@docker serviceName=traefik middlewareName=pipelining middlewareType=Pipelining entryPointName=web
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating load-balancer" serviceName=traefik entryPointName=web routerName=traefik@docker
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating server 0 http://172.19.0.3:8080" serverName=0 entryPointName=web routerName=traefik@docker serviceName=traefik
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="child http://172.19.0.3:8080 now UP"
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Propagating new UP status"
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Added outgoing tracing middleware traefik" entryPointName=web routerName=traefik@docker middlewareName=tracing middlewareType=TracingForwarder
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating middleware" entryPointName=web middlewareName=pipelining middlewareType=Pipelining routerName=whoami-http@docker serviceName=whoami-test-19695
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating load-balancer" entryPointName=web routerName=whoami-http@docker serviceName=whoami-test-19695
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating server 0 http://172.19.0.2:80" serverName=0 entryPointName=web routerName=whoami-http@docker serviceName=whoami-test-19695
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="child http://172.19.0.2:80 now UP"
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Propagating new UP status"
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Added outgoing tracing middleware whoami-test-19695" entryPointName=web routerName=whoami-http@docker middlewareName=tracing middlewareType=TracingForwarder
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating middleware" middlewareType=RedirectScheme entryPointName=web routerName=whoami-http@docker middlewareName=whoami-https-redirect@docker
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Setting up redirection to https " routerName=whoami-http@docker middlewareName=whoami-https-redirect@docker middlewareType=RedirectScheme entryPointName=web
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating middleware" entryPointName=web middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Added outgoing tracing middleware api@internal" entryPointName=traefik routerName=api@internal middlewareName=tracing middlewareType=TracingForwarder
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Added outgoing tracing middleware dashboard@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=traefik routerName=dashboard@internal
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating middleware" middlewareName=dashboard_stripprefix@internal middlewareType=StripPrefix entryPointName=traefik routerName=dashboard@internal
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Adding tracing to middleware" routerName=dashboard@internal middlewareName=dashboard_stripprefix@internal entryPointName=traefik
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating middleware" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Setting up redirection from ^(http:\\/\\/(\\[[\\w:.]+\\]|[\\w\\._-]+)(:\\d+)?)\\/$ to ${1}/dashboard/" entryPointName=traefik routerName=dashboard@internal middlewareName=dashboard_redirect@internal middlewareType=RedirectRegex
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Adding tracing to middleware" middlewareName=dashboard_redirect@internal entryPointName=traefik routerName=dashboard@internal
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating middleware" entryPointName=traefik middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating middleware" entryPointName=websecure routerName=whoami-https@docker serviceName=whoami-test-19695 middlewareName=pipelining middlewareType=Pipelining
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=whoami-https@docker serviceName=whoami-test-19695
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating server 0 http://172.19.0.2:80" serverName=0 entryPointName=websecure routerName=whoami-https@docker serviceName=whoami-test-19695
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="child http://172.19.0.2:80 now UP"
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Propagating new UP status"
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Added outgoing tracing middleware whoami-test-19695" middlewareName=tracing middlewareType=TracingForwarder entryPointName=websecure routerName=whoami-https@docker
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Creating middleware" entryPointName=websecure middlewareName=traefik-internal-recovery middlewareType=Recovery
traefik      | time="2023-09-01T00:40:44+02:00" level=debug msg="Adding route for whoami.localhost with TLS options default" entryPointName=websecure
traefik      | time="2023-09-01T00:40:49+02:00" level=debug msg="Serving default certificate for request: \"whoami.localhost\""

    $ curl -L -k http://whoami.localhost
    Hostname: 90a12ea483dd
    IP: 127.0.0.1
    IP: 172.18.0.3
    RemoteAddr: 172.18.0.2:59076
    GET / HTTP/1.1
    Host: whoami.localhost
    User-Agent: curl/8.2.1
    Accept: */*
    Accept-Encoding: gzip
    Uber-Trace-Id: 25a689f0bea6761f:03ede107c63ff5ce:25a689f0bea6761f:1
    X-Forwarded-For: 172.18.0.1
    X-Forwarded-Host: whoami.localhost
    X-Forwarded-Port: 443
    X-Forwarded-Proto: https
    X-Forwarded-Server: bc379781a902
    X-Real-Ip: 172.18.0.1

So your problem is not a Traefik problem but a problem with your environment (maybe ${DOMAIN} points to something other than Traefik, or you have a firewall, or your network configuration, or the way you run your stack, etc.)

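To tell which hop actually returns the 403 (the plain-HTTP request itself, or the HTTPS request that follows the redirect), the header dump from curl can be labelled hop by hop. This is an added example, not code from either poster; the hostname `whoami.example.test`, the `example-edge` server value and both header samples are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): label every hop in a curl header dump.
# Live use, with a placeholder hostname:
#   curl -sS -k -L -o /dev/null -D - http://whoami.example.test/ | classify_hops

classify_hops() {
  tr -d '\r' | awk '
    function emit(   verdict) {
      if (status == "") return
      if (status ~ /^30[1278]$/ && tolower(location) ~ /^https:\/\//)
        verdict = "redirect-to-https"   # expected from the redirectscheme middleware
      else if (status ~ /^3/)
        verdict = "redirect-elsewhere"
      else if (status == "403")
        verdict = "forbidden"           # this hop refused the request
      else if (status == "404")
        verdict = "not-found"           # Traefik also answers 404 when no router matches
      else if (status ~ /^2/)
        verdict = "served"
      else
        verdict = "unexpected"
      printf "hop=%d status=%s verdict=%s server=%s location=%s\n", ++hop, status,
        verdict, (server == "" ? "-" : server), (location == "" ? "-" : location)
      status = location = server = ""
    }
    /^HTTP\// { emit(); status = $2; next }   # a status line starts a new hop
    {
      i = index($0, ":")
      if (i == 0) next                         # blank line or non-header text
      name = tolower(substr($0, 1, i - 1))
      value = substr($0, i + 1)
      sub(/^[ \t]+/, "", value)
      if (name == "location") location = value
      if (name == "server") server = value
    }
    END { emit() }
  '
}

# Constructed sample: the redirect fires and the HTTPS router serves the page.
sample_working() {
  printf 'HTTP/1.1 301 Moved Permanently\r\nLocation: https://whoami.example.test/\r\n\r\n'
  printf 'HTTP/2 200\r\ncontent-type: text/plain\r\n\r\n'
}

# Constructed sample: the first hop answers 403 instead of redirecting.
sample_blocked() {
  printf 'HTTP/1.1 403 Forbidden\r\nServer: example-edge\r\nContent-Type: text/html\r\n\r\n'
}

sample_working | classify_hops
sample_blocked | classify_hops
```

A `forbidden` verdict on hop 1 means the answer came in place of the redirect, so compare the address the hostname resolves to with the host publishing Traefik's port 80. `docker compose config` prints the labels after `${DOMAIN}` interpolation.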