IngressRoute redirect doesn't work

I have setup following IngressRoute for default path and wp-*

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: external-1
  namespace: marketing
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`example.com`) || Host(`www.example.com`)
      kind: Rule
      services:
        - name: wordpress
          port: 80
      middlewares:
        - name: https-redirect
  tls:
    secretName: prod-cert
---

and

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: wp-admin-1
  namespace: marketing
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`example.com`) || Host(`www.example.com`) && PathPrefix(`/wp-login.php`,`/wp-login.php/`, `/wp-admin/`)
      kind: Rule
      services:
        - name: wordpress
          port: 80
      middlewares:
        - name: secured-restricted
  tls:
    secretName: prod-cert

---
Middleware
---

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: secured-restricted
  namespace: marketing
spec:
  chain:
    middlewares:
    - name: https-redirect
    - name: permited-ips

---

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: https-redirect
  namespace: marketing
spec:
  redirectScheme:
    scheme: https
    permanent: true

---

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: permited-ips
  namespace: marketing
spec:
  ipWhiteList:
    sourceRange:
    - #.#.#.#/28

---

https://www.example.com works
https://example.com I get Forbidden
https://example.com works only when I try to access it from whitelisted IP (#.#.#.#/28)
So looks like external-1 IngressRoute is not getting hit.

What is wrong with this setup ?

Hello @rp346

Would you please set priority on the external-1 e.g. priority: 100

Seems that the router external-1 is overlapped by wp-admin-1. Please note that Traefik is calculating the priority by the length of the matching rule.

Let us know the results of your testing.

1 Like

I set priority: 100 for external-1 but nothing changed. then set priority: 100 for external-1 & priority: 10 for wp-admin-1, this worked.

But now www.example.com/wp-login.php doesn't comply with restricted IPs. So looks like wp-admin-1 IngressRoute is not getting hit.

Splitting the rules in following way fixed the issue.

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: external-1
  namespace: marketing
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`example.com`)
      kind: Rule
      services:
        - name: wordpress
          port: 80
    - match: Host(`www.example.com`)
      kind: Rule
      services:
        - name: wordpress
          port: 80
      middlewares:
        - name: https-redirect
  tls:
    secretName: prod-cert
---

and

---

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: wp-admin-1
  namespace: marketing
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`example.com`) && PathPrefix(`/wp-login.php`,`/wp-login.php/`, `/wp-admin/`)
      kind: Rule
      services:
        - name: wordpress
          port: 80
    - match: Host(`www.example.com`) && PathPrefix(`/wp-login.php`,`/wp-login.php/`, `/wp-admin/`)
      kind: Rule
      services:
        - name: wordpress
          port: 80
      middlewares:
        - name: secured-restricted
  tls:
    secretName: prod-cert

---

Traefik Routers Priority document helped.

1 Like