HTTP to HTTPS redirect does not enforce the client to create a new connection

I have configured Traefik to redirect everything from the HTTP port to the HTTPS port and also changed the scheme from HTTP to HTTPS with the following command line arguments:


This works: every HTTP request is automatically "upgraded" to HTTPS. But the existing connection is upgraded and the client is not forced to create a new connection.

Traefik is deployed in Kubernetes behind a LoadBalancer.

Current behavior:
When an HTTPS request arrives at the LoadBalancer, then TLS termination is done and a new TLS connection is created to Traefik. Therefore, the client sees the certificate of the LoadBalancer and not Traefik's self-signed certificate.
When an HTTP request arrives at the LoadBalancer, then the request is forwarded to Traefik. Traefik "upgrades" the connection and switches to HTTPS and uses its self-signed certificate.
=> the client sees Traefik's certificate

Intended behavior:
When an HTTP request arrives at the LoadBalancer, then the request is forwarded to Traefik. Traefik informs the client to use a different port (443) and scheme (HTTPS) and closes the connection. The client creates a new connection with the new port and scheme (HTTPS). The client never sees Traefik's self-signed certificate.

Is such a configuration possible with Traefik? Would using the RedirectScheme middleware solve the problem or does it work the same way as the command line arguments?


I have created a redirectRegex Middleware in order to solve the problem:

kind: Middleware
metadata:
  labels: ingress-extern
  name: redirect2https-extern
  namespace: infra-routing
spec:
  redirectRegex:
    permanent: true
    regex: ^https?\:\/\/([^\/:]+)\:?[0-9]*(.*)$
    replacement: https://${1}${2}

Nevertheless, the regex is quite complex and I am not sure if I have captured all the corner cases...
=> I am curious if anyone has found a simpler solution

I have switched to the RedirectScheme middleware as it provides an even more sophisticated regex :smiley:

kind: Middleware
metadata:
  name: redirect2https
  namespace: infra-routing
spec:
  redirectScheme:
    permanent: true
    port: "443"   # must be a string not an integer
    scheme: https
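
The corner-case question about the redirectRegex pattern above can be checked by running that pattern through Go's regexp package, the language Traefik is written in. This is an added example, not code from the thread or from Traefik: the sample URLs are constructed, and `rewrite` is a hypothetical helper that assumes the pattern is applied to the full request URL.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern and replacement copied from the redirectRegex middleware above.
var (
	redirectRe  = regexp.MustCompile(`^https?\:\/\/([^\/:]+)\:?[0-9]*(.*)$`)
	replacement = "https://${1}${2}"
)

// rewrite (hypothetical helper) returns the redirect target the pattern
// produces for rawURL, and false when the pattern does not match at all.
func rewrite(rawURL string) (string, bool) {
	if !redirectRe.MatchString(rawURL) {
		return "", false
	}
	return redirectRe.ReplaceAllString(rawURL, replacement), true
}

// Constructed sample URLs; none of them come from the original thread.
var samples = []string{
	"http://example.com/",
	"http://example.com:8080/app?x=1", // explicit port is dropped
	"https://example.com:8443/app",    // already HTTPS, port still dropped
	"http://example.com",              // no path
	"http://[2001:db8::1]:8080/app",   // IPv6 literal: host class stops at ':'
	"ftp://example.com/",              // other scheme: no match
}

func main() {
	for _, u := range samples {
		if out, ok := rewrite(u); ok {
			fmt.Printf("%-34s -> %s\n", u, out)
		} else {
			fmt.Printf("%-34s -> (no match)\n", u)
		}
	}
}
```

The hostname cases come out as intended, but the IPv6 literal is rewritten to a malformed host because `[^\/:]+` stops at the first colon inside the brackets.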
