Hi,
I have the following traefik.yml file:
---
providers:
file:
filename: /etc/traefik/traefik.yml
log:
level: debug
api:
dashboard: True
entryPoints:
web:
address: ":80"
web-secure:
address: ":443"
metrics:
address: "127.0.0.1:8082"
metrics:
prometheus:
entryPoint: metrics
accessLog: {}
http:
routers:
prometheus-router:
rule: "PathPrefix(`/prometheus`)"
service: prometheus
entryPoints:
- web
- web-secure
middlewares:
- https-redirect
tls: {}
grafana-router:
rule: "PathPrefix(`/grafana`)"
service: grafana
entryPoints:
- web
- web-secure
middlewares:
- https-redirect
tls: {}
api:
rule: "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
service: api@internal
entryPoints:
- web
- web-secure
middlewares:
- https-redirect
tls: {}
middlewares:
https-redirect:
redirectScheme:
scheme: https
permanent: true
port: 443
services:
prometheus:
loadBalancer:
servers:
- url: "http://127.0.0.1:9090/"
grafana:
loadBalancer:
servers:
- url: "http://127.0.0.1:3000/"
tls:
certificates:
- certFile: /etc/traefik/censored.cert
keyFile: /etc/traefik/censored.key
The HTTPS redirect doesn't work. Anyone an idea?
When I do curl -vL censored
* Trying xxx.xxx.xxx.xxx:80...
* TCP_NODELAY set
* Connected to censored (xxx.xxx.xxx.xxx) port 80 (#0)
> GET / HTTP/1.1
> Host: censored
> User-Agent: curl/7.66.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 404 Not Found
< Content-Type: text/plain; charset=utf-8
< X-Content-Type-Options: nosniff
< Date: Mon, 04 Nov 2019 15:08:25 GMT
< Content-Length: 19
<
404 page not found
* Connection #0 to host censored left intact
When I visit the page with HTTPS directly on port 443 everything works as expected.
Ok looks like the solution is to add two routers: One for the HTTP traffic as entrypoint and one for the HTTPS traffic to serve the actual application.
For example for prometheus:
http:
routers:
prometheus-router:
rule: "PathPrefix(`/prometheus`)"
service: prometheus
entryPoints:
- web
middlewares:
- https-redirect
prometheus-router-secure:
rule: "PathPrefix(`/prometheus`)"
service: prometheus
entryPoints:
- web-secure
tls: {}
My follow-up question is: Is there a more simple way to write this? It looks pretty bloated for me, why do I need to have 2 routers just for a god damn redirect? It would be so much cooler if we could just write it like this:
http:
routers:
prometheus-router:
rule: "PathPrefix(`/prometheus`)"
service: prometheus
entryPoints:
- web
- web-secure
middlewares:
- https-redirect
tls: {}
So I came to the following solution now:
http:
routers:
common:
rule: "Host(`censored`)"
entryPoints:
- web
middlewares:
- https-redirect
prometheus-router:
rule: "PathPrefix(`/prometheus`)"
service: prometheus
entryPoints:
- web-secure
tls: {}
grafana-router:
rule: "PathPrefix(`/grafana`)"
service: grafana
entryPoints:
- web-secure
tls: {}
api:
rule: "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
service: api@internal
entryPoints:
- web-secure
tls: {}
But now I have the problem that no redirect will happen for the api router.. grafana and prometheus are working fine, the api router just works when I go to https:///dashboard/ directly..
1 Like
Also, if I try to connect to http://<censored>/grafana/?orgId=1 directly it will not work due to the ?orgId=1 in the Path, I guess. Shouldn't that part just be passed on to the router? or do I need to use Regex in my PathPrefix Rule?
Ok, interesting.
Looks like one issue has been the missing service in the common router. When I attach any service to it, it works as expected for grafana and prometheus. It also seems to work for the dashboard. The only thing what is missing now is a working dashboard redirect to /dashboard/
Here is my full traefik.yml now:
---
providers:
file:
filename: /etc/traefik/traefik.yml
log:
level: debug
api:
dashboard: True
entryPoints:
web:
address: ":80"
web-secure:
address: ":443"
metrics:
address: "127.0.0.1:8082"
metrics:
prometheus:
entryPoint: metrics
accessLog: {}
http:
routers:
common:
rule: "Host(`censored`)"
service: prometheus
entryPoints:
- web
middlewares:
- https-redirect
prometheus-router:
rule: "PathPrefix(`/prometheus`)"
service: prometheus
entryPoints:
- web-secure
tls: {}
grafana-router:
rule: "PathPrefix(`/grafana`)"
service: grafana
entryPoints:
- web-secure
tls: {}
api-router:
rule: "PathPrefix(`/api`) || PathPrefix(`/dashboard`)"
service: api@internal
entryPoints:
- web-secure
tls: {}
middlewares:
https-redirect:
redirectScheme:
scheme: https
permanent: true
port: 443
services:
prometheus:
loadBalancer:
servers:
- url: "http://127.0.0.1:9090/"
grafana:
loadBalancer:
servers:
- url: "http://127.0.0.1:3000/"
tls:
certificates:
- certFile: /etc/traefik/censored.cert
keyFile: /etc/traefik/censored.key
What I strongly dislike is the need for a service in the common-router and that the dashboard will only appear on /dashboard/. Would be cool if I could get forwarded to /dashboard/. But the latter is just nut picking.. I think I will open a Bug report for the needed service.. I think it's unnecessary and it should be possible to define a router without a service just for redirecting or routing to another router..