I'm running some applications on Docker behind Traefik, mostly PHP apps, where Traefik handles the complete TLS termination with the Let's Encrypt integration. The local traffic between Traefik and Nginx is unencrypted, so the complete certificate/key process is centralized and automated.
While this basically works, I already had to apply some workarounds on the application level, because the applications think they run on http instead of https. For example, setting $_SERVER["HTTPS"] = "on" to avoid endless redirect loops to https.
This goes somewhat deeper: When I call https m\ydomain.com/app, Nginx by default redirects to a trailing slash, which means /app/ instead of /app. But because Nginx is running on port 80, it redirects to http m\ydomain.com/app/, which itself redirects to the https url https m\ydomain.com/app/ since I have configured Traefik to redirect any http calls to https. So we have a lot of redirections, each of which increases the loading time. It seems that this cannot be fixed simply, since the $https variable is internal and cannot simply be overridden like I do in WP.
(I placed backspaces in the example urls because otherwise they would be recognized as links, which I don't need, and links are limited to 4 per post for new users).
And I also noticed that Traefik supports HTTP 2.0, but it requires HTTPS. So Traefik has to use HTTP 1.1 for its communication with Nginx, I guess this will destroy the optimizations of 2.0 since Traefik has to wait for the backend.
The only way I see to cleanly solve those issues is to encrypt the communication between Traefik and the backend Nginx. It will probably reduce the performance by re-encrypting the traffic. And there is also the issue of the certificates: Using LE, we need a certbot here as well. Or we use self-signed certificates and trust them locally.
Do you have any other/better ideas? Where and how do you terminate TLS in your Traefik setup and why did you choose this place?
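The $_SERVER["HTTPS"] = "on" workaround from the post, done in a way that does not let arbitrary clients spoof the scheme: this is an added example, not code from the original post or from Traefik/Nginx. It reads the X-Forwarded-Proto header that Traefik sets, but only when the request actually arrived from the proxy's address range; the CIDR list and the function names (ipv4_in_cidr, is_trusted_proxy, client_scheme) are assumptions for this illustration and must be adapted to the real Docker network. It also assumes Traefik is configured to overwrite, not pass through, forwarded headers from the public side.

```php
<?php
// Added example, not from the original post. Derive the client-facing scheme
// from the reverse proxy's X-Forwarded-Proto header, but only when the request
// came from a trusted proxy address. Trusting the header blindly lets any
// direct client claim "https" and bypass scheme-based redirects and cookie flags.
declare(strict_types=1);

// Constructed placeholder ranges; replace with the Docker network Traefik uses.
const TRUSTED_PROXIES = ['172.16.0.0/12', '10.0.0.0/8', '127.0.0.1/32'];

/** True if the IPv4 address $ip lies inside $cidr (e.g. "172.16.0.0/12"). */
function ipv4_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong     = ip2long($ip);
    $subnetLong = ip2long($subnet);
    if ($ipLong === false || $subnetLong === false) {
        return false; // not a valid IPv4 literal
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($subnetLong & $mask);
}

/** True if $remoteAddr belongs to one of the configured proxy ranges. */
function is_trusted_proxy(string $remoteAddr, array $trusted = TRUSTED_PROXIES): bool
{
    foreach ($trusted as $cidr) {
        if (ipv4_in_cidr($remoteAddr, $cidr)) {
            return true;
        }
    }
    return false;
}

/**
 * Decide which scheme the browser used. $server is the $_SERVER array, passed
 * in so the logic can be exercised with constructed input. Falls back to the
 * scheme Nginx itself saw (plain http on port 80 in the setup described).
 */
function client_scheme(array $server, array $trusted = TRUSTED_PROXIES): string
{
    $local  = (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') ? 'https' : 'http';
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (!is_trusted_proxy($remote, $trusted)) {
        return $local; // header came from an untrusted source; ignore it
    }
    // Several stacked proxies may produce a comma-separated list; take the first.
    $raw   = $server['HTTP_X_FORWARDED_PROTO'] ?? '';
    $first = strtolower(trim(explode(',', $raw, 2)[0]));
    if ($first === 'https' || $first === 'http') {
        return $first;
    }
    return $local; // missing or malformed header: keep what Nginx saw
}

// Run this before the framework bootstraps, so redirect logic, "secure" cookie
// flags and generated URLs all see the real scheme instead of plain http.
if (client_scheme($_SERVER) === 'https') {
    $_SERVER['HTTPS']       = 'on';
    $_SERVER['SERVER_PORT'] = '443';
}
```

This only addresses the application-level half of the problem. The trailing-slash redirect that Nginx itself emits is governed by Nginx's absolute_redirect directive (available since 1.11.8): with absolute_redirect off; the Location header is sent as a relative path such as /app/, so the browser keeps the https origin and the http-to-https hop disappears; that directive is a known Nginx setting and not something the post mentions.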