HTTPS redirect doesn't work

Traefik Traefik v2
#1

Hi,
I have the following traefik.yml file:

---

providers:
  file:
    filename: /etc/traefik/traefik.yml

log:
  level: debug

api:
  dashboard: True

entryPoints:
  web:
    address: ":80"
  web-secure:
    address: ":443"
  metrics:
    address: "127.0.0.1:8082"

metrics:
  prometheus:
    entryPoint: metrics

accessLog: {}

http:
  routers:
    prometheus-router:
      rule: "PathPrefix(`/prometheus`)"
      service: prometheus
      entryPoints:
        - web
        - web-secure
      middlewares:
        - https-redirect
      tls: {}
    grafana-router:
      rule: "PathPrefix(`/grafana`)"
      service: grafana
      entryPoints:
        - web
        - web-secure
      middlewares:
        - https-redirect
      tls: {}
    api:
      rule: "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
      service: api@internal
      entryPoints:
        - web
        - web-secure
      middlewares:
        - https-redirect
      tls: {}
  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true
        port: 443
  services:
    prometheus:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:9090/"
    grafana:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:3000/"

tls:
  certificates:
    - certFile: /etc/traefik/censored.cert
      keyFile: /etc/traefik/censored.key

The HTTPS redirect doesn't work. Anyone an idea?
When I do curl -vL censored

*   Trying xxx.xxx.xxx.xxx:80...
* TCP_NODELAY set
* Connected to censored (xxx.xxx.xxx.xxx) port 80 (#0)
> GET / HTTP/1.1
> Host: censored
> User-Agent: curl/7.66.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Mon, 04 Nov 2019 15:08:25 GMT
< Content-Length: 19
< 
404 page not found
* Connection #0 to host censored left intact

When I visit the page with HTTPS directly on port 443 everything works as expected.

#2

Ok looks like the solution is to add two routers: One for the HTTP traffic as entrypoint and one for the HTTPS traffic to serve the actual application.

For example for prometheus:

http:
  routers:
    prometheus-router:
      rule: "PathPrefix(`/prometheus`)"
      service: prometheus
      entryPoints:
        - web
      middlewares:
        - https-redirect
    prometheus-router-secure:
      rule: "PathPrefix(`/prometheus`)"
      service: prometheus
      entryPoints:
        - web-secure
      tls: {}

My follow-up question is: Is there a more simple way to write this? It looks pretty bloated for me, why do I need to have 2 routers just for a god damn redirect? It would be so much cooler if we could just write it like this:

http:
  routers:
    prometheus-router:
      rule: "PathPrefix(`/prometheus`)"
      service: prometheus
      entryPoints:
        - web
        - web-secure
      middlewares:
        - https-redirect
      tls: {}
#3

So I came to the following solution now:

http:
  routers:
    common:
      rule: "Host(`censored`)"
      entryPoints:
        - web
      middlewares:
        - https-redirect
    prometheus-router:
      rule: "PathPrefix(`/prometheus`)"
      service: prometheus
      entryPoints:
        - web-secure
      tls: {}
    grafana-router:
      rule: "PathPrefix(`/grafana`)"
      service: grafana
      entryPoints:
        - web-secure
      tls: {}
    api:
      rule: "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
      service: api@internal
      entryPoints:
        - web-secure
      tls: {}

But now I have the problem that no redirect will happen for the api router.. grafana and prometheus are working fine, the api router just works when I go to https:///dashboard/ directly..

1 Like
#4

Also, if I try to connect to http://<censored>/grafana/?orgId=1 directly it will not work due to the ?orgId=1 in the Path, I guess. Shouldn't that part just be passed on to the router? or do I need to use Regex in my PathPrefix Rule?

#5

Ok, interesting.
Looks like one issue has been the missing service in the common router. When I attach any service to it, it works as expected for grafana and prometheus. It also seems to work for the dashboard. The only thing what is missing now is a working dashboard redirect to /dashboard/

#6

Here is my full traefik.yml now:

---

providers:
  file:
    filename: /etc/traefik/traefik.yml

log:
  level: debug

api:
  dashboard: True

entryPoints:
  web:
    address: ":80"
  web-secure:
    address: ":443"
  metrics:
    address: "127.0.0.1:8082"

metrics:
  prometheus:
    entryPoint: metrics

accessLog: {}

http:
  routers:
    common:
      rule: "Host(`censored`)"
      service: prometheus
      entryPoints:
        - web
      middlewares:
        - https-redirect
    prometheus-router:
      rule: "PathPrefix(`/prometheus`)"
      service: prometheus
      entryPoints:
        - web-secure
      tls: {}
    grafana-router:
      rule: "PathPrefix(`/grafana`)"
      service: grafana
      entryPoints:
        - web-secure
      tls: {}
    api-router:
      rule: "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
      service: api@internal
      entryPoints:
        - web-secure
      tls: {}
  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https
        permanent: true
        port: 443
  services:
    prometheus:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:9090/"
    grafana:
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:3000/"

tls:
  certificates:
    - certFile: /etc/traefik/censored.cert
      keyFile: /etc/traefik/censored.key

What I strongly dislike is the need for a service in the common-router and that the dashboard will only appear on /dashboard/. Would be cool if I could get forwarded to /dashboard/. But the latter is just nut picking.. I think I will open a Bug report for the needed service.. I think it's unnecessary and it should be possible to define a router without a service just for redirecting or routing to another router..