HTTP to HTTPS redirect does not enforce the client to create a new connection

BernhardBerbuir · July 14, 2022, 9:28am

Hi,
I have configured Traefik to redirect everything from the HTTP port to the HTTPS port and also changed the scheme from HTTP to HTTPS with the following command line arguments:

--entrypoints.intern-secure.address=:8443/tcp
--entrypoints.intern-secure.http.tls=true
--entrypoints.intern-web.address=:8000/tcp
--entrypoints.intern-web.http.redirections.entryPoint.scheme=https
--entrypoints.intern-web.http.redirections.entryPoint.to=:443
--entrypoints.traefik.address=:9000/tcp
--providers.kubernetescrd
--providers.kubernetesingress

This works: every HTTP request is automatically "upgraded" to HTTPS. But the existing connection is upgraded and and the client is not forced to create a new connection.

Traefik is deployed in Kubernetes behind a LoadBalancer.

Current behavior:
When an HTTPS request arrives at the LoadBalancer than TLS termination is done and a new TLS connection is created to Traefik. Therefore, the client see the certificate of the LoadBalancer and not Traefik's self-signed certificate.
When an HTTP requests arrives at the LoadBalancer than the request is forwarded to Traefik. Traefik "upgrades" the connection and switches to HTTPS and uses it's self-signed certificate.
=> the client sees Traefik's certificate

Intended behavior:
When an HTTP requests arrives at the LoadBalancer than the request is forwarded to Traefik. Traefik informs the client to use a different port (443) an scheme (HTTPS) and closes the connection. The client creates a new connection with the new port and scheme (HTTPS). The client never sees Traefik's self-signed certificate.

Is such a configuration possible with Traefik? Would using the RedirectScheme middleware solve the problem or does it work the same way as the command line arguments?

Regards
Bernhard

BernhardBerbuir · July 18, 2022, 8:03am

I have created a redirectRegex Middleware in order to solve the problem:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  labels:
    kubernetes.io/ingress.class: ingress-extern
  name: redirect2https-extern
  namespace: infra-routing
spec:
  redirectRegex:
    permanent: true
    regex: ^https?\:\/\/([^\/:]+)\:?[0-9]*(.*)$
    replacement: https://${1}${2}

Nevertheless, the regex is quite complex and I am not sure if I have captured all the corner cases...
=> I am curious if anyone has found a simpler solution

BernhardBerbuir · July 21, 2022, 7:36am

I have switched to the RedirectScheme middleware as it provides a even more sophisticated regex

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect2https
  namespace: infra-routing
spec:
  redirectScheme:
    permanent: true
    port: "443"   # must be a string not an integer
    scheme: https

system · July 24, 2022, 7:37am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[SOLVED] HTTP to HTTPS redirect ends in an https url with 8443 appended Traefik v2 kubernetes-ingress	6	5186	May 21, 2021
Questions about the redirect from http to https Traefik v2 kubernetes-ingress , middleware	0	485	August 15, 2022
Http to https redirection through middlewares does not work unless globally enforced Traefik v2 docker , kubernetes-ingress , middleware	13	7363	July 24, 2023
Traefik v2.1 Configuration for HTTPs support with Kubernetes Ingress Traefik v2 kubernetes-ingress	0	672	January 17, 2020
Http to https redirection on K8S Ingress Traefik v2 kubernetes-ingress	17	28042	December 3, 2020

HTTP to HTTPS redirect does not enforce the client to create a new connection

Related topics