(Potential) problems by letting Traefik handle https and using http to the backend
I'm running some applications on Docker behind Traefik, mostly PHP apps, where Traefik handles the complete TLS termination with the Let's Encrypt integration. The local traffic between Traefik and Nginx is unencrypted, so the complete certificate/key process is centralized and automated.

While this basically works, I already had to apply some workarounds on the application level, because the applications think they run on http instead of https. For example, setting $_SERVER["HTTPS"] = "on" to avoid endless redirect loops to https.

This goes somewhat deeper: when I call https://mydomain.com/app, Nginx by default redirects to a trailing slash, i.e. /app/ instead of /app. But because Nginx is running on port 80, it redirects to http://mydomain.com/app/, which itself redirects to the https URL https://mydomain.com/app/, since I have configured Traefik to redirect all http calls to https. So we have a lot of redirects, each of which increases the loading time. It seems this cannot be fixed simply, since the $https variable is internal and cannot simply be overridden like I do in WP.

And I also noticed that Traefik supports HTTP 2.0, but it requires HTTPS. So Traefik has to use HTTP 1.1 for its communication with Nginx; I guess this will destroy the optimizations of 2.0, since Traefik has to wait for the backend.

What's the proper way to solve these issues?

The only way I see to cleanly solve those issues is to encrypt the communication between Traefik and the backend Nginx. It will probably reduce the performance by re-encrypting the traffic. And there is also the issue of the certificates: using LE, we need a certbot here as well. Or we use self-signed certificates and trust them locally.

Do you have any other/better ideas? Where and how do you terminate TLS in your Traefik setup and why did you choose this place?
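The redirect chain described in the question comes from nginx not knowing that the client's original request was https. As an added example (not a config from this thread), the nginx server block below keeps plain HTTP between Traefik and nginx but fixes both symptoms at the source. It assumes Traefik sets X-Forwarded-Proto (its default forwarding header), a PHP-FPM upstream named php-fpm, and that nginx is reachable only from Traefik; hostname and paths are placeholders.

```nginx
# Added example, not from the original post. nginx receives plain HTTP on
# port 80 from Traefik, which terminated TLS and set X-Forwarded-Proto.

# Map the scheme the proxy saw onto the value PHP expects in $_SERVER["HTTPS"].
# Only trustworthy if clients cannot reach nginx directly and spoof the header,
# so keep the container off any externally exposed network.
map $http_x_forwarded_proto $proxied_https {
    default "";
    https   "on";
}

server {
    listen 80;
    server_name mydomain.com;   # placeholder

    # Emit a relative Location ("/app/") instead of "http://mydomain.com/app/"
    # for the trailing-slash redirect. The browser stays on https, so the
    # extra http -> https bounce through Traefik disappears.
    absolute_redirect off;

    root  /var/www/html;        # placeholder
    index index.php;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        # Sets $_SERVER["HTTPS"] = "on" only when the original request was https,
        # replacing the hard-coded override in the application code.
        fastcgi_param HTTPS $proxied_https if_not_empty;
        fastcgi_pass php-fpm:9000;
    }
}
```

With absolute_redirect off the Location header no longer contains a scheme or port, so the same block works whether the proxy-side listener is 80 or something else.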

You are looking for solutions in Traefik for problems caused by nginx and PHP? :face_with_raised_eyebrow:

I would rather work on the root causes and let PHP accept plain http and make nginx not change the path. Maybe switch to Apache?

But it's an interesting question about http2, if that only works over https/TLS. You could use a custom certificate for the internal connection and try insecureSkipVerify; see the post on how to use it.

It's debatable which component causes the problem. In this example, Nginx behaves correctly from its perspective, since Nginx assumes that it's serving http, not https. The same argument is true for the WP case. On the other side, we can argue that in the end Nginx/WP causes these problems, like you did. Imho both are valid points, also for HTTP2: here, the specification doesn't even require HTTPS. In fact, multiple implementations decided to support it only encrypted, also in browsers.

I don't want to blame one of them, and I also don't necessarily expect a solution from Traefik. I mean this more generally, since most applications should have similar problems, also with other reverse proxies. Using self-signed certificates and adding them to the trust store (or disabling them as an alternative, like you wrote) is the only way I see, since when there is https encryption between the reverse proxy and the backend, we don't run into all of those issues. However, this doesn't seem to be a clean solution.

For that reason, I'd like to see how others have solved those issues. Maybe there is something I missed, or someone knows better solutions, instead of working around the issues and renouncing HTTP/2 in the backend.