Kubernetes Traefik to an external resource: forward https not working

urbaman · July 20, 2023, 3:39pm

Hi,

This is my situation: I have an external webapp I want to expose with Traefik from Kubernetes.
The webapp listens on WEBAPPIP:1311 (it's Dell's Openmanage), and does not do automatic http-https redirection: if I navigate to http://WEBAPPIP:1311 it gives an error, if I navigate to https://WEBAPPIP:1311 it responds (with insecure selfsigned ssl cert, ok).

I'd like to proxy to that https://WEBAPPIP:1311 endpoint from kubernetes through traefik, terminating the ssl on traefik and forwarding to the https endpont with insecureSkipVerify: true due to the selfsigned ssl cert on the final host.
So, I created an endpoint and a service, then the traefik stuff (cert, middlewares, ingressroutes).
Result: if I navigate to https://webapp.domain.com, the http-https redirect and the ssl work (the site results secure), but I receive the same error as if I contacted plain http://WEBAPPIP:1311, as if during its path the request went from https to http.
Many otner times on many other external resources (say, the Dell IDRAC of the same server) the thing works flawlessly, probably because the external resource does http-https redirect on itself, but not this time.

So, is there a way to properly keep the https throughout the request path from traefik, the service and the endpont to the final resource to expose?

Following are my kubernetes settings:

apiVersion: v1
kind: Endpoints
metadata:
  name: openmanage1-service
  namespace: traefik-external
  labels:
    app: openmanage1
subsets:
- addresses:
  - ip: 10.0.100.11
    nodeName: openmanage1
  ports:
  - name: openmanage1
    port: 1311
    protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
  name: openmanage1-service
  labels:
    app: openmanage1
  namespace: traefik-external
spec:
  type: ClusterIP
  clusterIP: None
  ports:
  - name: openmanage1
    port: 433
    targetPort: 1311
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: openmanage1-domain
  namespace: traefik-external
spec:
  # Certificate will be valid for these domain names
  dnsNames:
  - webapp.domain.com
  # Reference our issuer
  # As it's a ClusterIssuer, it can be in a different namespace
  issuerRef:
    kind: ClusterIssuer
    name: cert-manager-acme-issuer
  # Secret that will be created with our certificate and private keys
  secretName: openmanage1-domain
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-openmanage1-https-redirect
  namespace: traefik-external
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: traefik-openmanage1-security
  namespace: traefik-external
spec:
  headers:
    frameDeny: true
    sslRedirect: true
    browserXssFilter: true
    contentTypeNosniff: true
    stsIncludeSubdomains: true
    stsPreload: true
    stsSeconds: 31536000
    customRequestHeaders:
      X-Forwarded-Proto: https
---
apiVersion: traefik.io/v1alpha1
kind: ServersTransport
metadata:
  name: traefik-openmanage1-transport
  namespace: traefik-external
spec:
  serverName: traefik
  insecureSkipVerify: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSOption
metadata:
  name: traefik-openmanage1-tlsoptions
  namespace: traefik-external
spec:
  minVersion: VersionTLS12
  cipherSuites:
    - TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
    - TLS_AES_256_GCM_SHA384
    - TLS_AES_128_GCM_SHA256
    - TLS_CHACHA20_POLY1305_SHA256
    - TLS_FALLBACK_SCSV
  curvePreferences:
    - CurveP521
    - CurveP384
  sniStrict: false
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-openmanage1-websecure
  namespace: traefik-external
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`webapp.domain.com`)
      services:
        - name: openmanage1-service
          port: 433
          serversTransport: traefik-openmanage1-transport
          passHostHeader: true
      middlewares:
        - name: traefik-openmanage1-security
  tls:
    secretName: openmanage1-domain
    options:
      name: traefik-openmanage1-tlsoptions
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-openmanage1-web
  namespace: traefik-external
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`webapp.domain.com`)
      services:
        - name: openmanage1-service
          port: 433
      middlewares:
        - name: traefik-openmanage1-https-redirect

Topic		Replies	Views
Forwarding to https backend fails with ingress Traefik v1 kubernetes-ingress , letsencrypt-acme	2	4214	October 22, 2022
[SOLVED] HTTP to HTTPS redirect ends in an https url with 8443 appended Traefik v2 kubernetes-ingress	6	5251	May 21, 2021
Traefik v2.1 Configuration for HTTPs support with Kubernetes Ingress Traefik v2 kubernetes-ingress	0	676	January 17, 2020
How to route http requests to a https service Traefik v2 kubernetes-crd	5	1664	August 18, 2022
Terminate TLS and forward new HTTPS request Traefik v2 kubernetes-ingress , middleware	1	512	November 30, 2020

Kubernetes Traefik to an external resource: forward https not working

Related topics