Problem with http -> https redirection

Hey guys sorry for posting on a subject that has been discussed previously. I have just upgraded from 1.7 to 2.0.

http->https redirect isn't working and I can't for the life of me figure out why.
This stack also contains auth0 for authentication.

I will post the relevant ymls here, file name is in the comment:

#traefik.yml
version: "3.4"

secrets:
  cf_api_key:
    file: "/share/appdata/config/secrets/cf_api_key.secret"

#configs:
#  auth-application.yaml:
#    file: /share/Docker/config/traefik/application.yaml

services:
  app:
    image: "traefik:latest"
    secrets:
      - cf_api_key
    environment:
      - CF_API_EMAIL=EMAIL
      - CF_API_KEY_FILE=/run/secrets/cf_api_key
    networks:
      - traefik_public
    ports:
      - "80:80"
      - "443:443"
      - "8090:8080"
    volumes:
#       - "/etc/timezone:/etc/timezone:ro"
       - /var/run/docker.sock:/var/run/docker.sock:ro
       - /share/appdata/config/traefik:/etc/traefik
       - /share/appdata/config/traefik/acme.json:/etc/traefik/acme.json
    environment:
      - "TZ=Europe/Stockholm"
      - PUID=1000
      - PGID=100
    command: --configFile=/etc/traefik/traefik-static.yaml
    deploy:
      placement:
        constraints: [node.role == manager]
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefik.entrypoints=https"        
        - "traefik.http.routers.traefik.rule=Host(`traefik.MY.URL`) || (Host(`MY.URL`) && Path(`/traefik`))"
        - "traefik.http.routers.traefik.tls.certresolver=cloudflare"
        - "traefik.http.routers.traefik.middlewares=forward-auth@file"        
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"                   

  auth:
    image: "dniel/forwardauth:latest"
    networks:
      - traefik_public
    ports:
      - 8080:8080
    volumes:
      - /share/appdata/config/traefik/application.yaml:/config/application.yaml
    environment:
      - "TZ=Europe/Stockholm"
    deploy:
      resources:
        limits:
          memory: 512M
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 3                   
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.auth.entrypoints=https"
        - "traefik.http.routers.auth.rule=Host(`auth.MY.URL`)"
        - "traefik.http.routers.auth.tls.certresolver=cloudflare"             
        - "traefik.http.routers.auth.middlewares=forward-auth@file"         
        - "traefik.http.services.auth.loadbalancer.server.port=8080"
        
  whoami:
    image: containous/whoami
    networks:
      - traefik_public
    environment:
      - "TZ=Europe/Stockholm"    
    deploy:
      resources:
        limits:             
          memory: 512M 
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 3                  
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.whoami.entrypoints=https"
        - "traefik.http.routers.whoami.rule=Host(`whoami.MY.URL`)"
        - "traefik.http.routers.whoami.tls.certresolver=cloudflare"        
        - "traefik.http.routers.whoami.middlewares=forward-auth@file"
        - "traefik.http.services.whoami.loadbalancer.server.port=80"

  www:
    image: "dniel/blogr-www"
    networks:
      - traefik_public
    environment:
      - "TZ=Europe/Stockholm"    
    deploy:
      replicas: 1      
      resources:
        limits:
          memory: 512M  
      restart_policy:
        condition: any
        delay: 5s
        max_attempts: 3                
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.www.entrypoints=https"
        - "traefik.http.routers.www.rule=Host(`www.MY.URL`)"
        - "traefik.http.routers.www.tls.certresolver=cloudflare"        
        - "traefik.http.routers.www.middlewares=forward-auth@file"
        - "traefik.http.services.www.loadbalancer.server.port=80"                      

networks:
  traefik_public:
    external: true

# Traefik Static Configuration
# Host Path: /share/appdata/config/traefik/traefik-static.yaml
# Internal Path: /etc/traefik/traefik-static.yaml

global:
  checkNewVersion: true

serversTransport:
  insecureSkipVerify: true

entryPoints:
  http:
    address: ":80"
    # Trust IPv4 Private Address Space
    forwardedHeaders:
      trustedIPs:
      - "172.16.0.0/12"
      - "10.0.0.0/8"
      - "192.168.0.0/16"

  https:
    address: ":443"
    # Trust IPv4 Private Address Space
    forwardedHeaders:
      trustedIPs:
      - "172.16.0.0/12"
      - "10.0.0.0/8"
      - "192.168.0.0/16"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # Alternative endpoint:
    # endpoint: "tcp://127.0.0.1:2375"
    watch: true
    swarmMode: true
    network: traefik_public
    # Optional defaultRule: "Host(`{{ .Name }}.localhost`)"
    useBindPortIP: false
    exposedByDefault: false

  file:
    # Optional instead of directory: 
    # filename: /etc/traefik/traefik-dynamic.yaml
    directory: /etc/traefik/dynamic
    watch: true
    debugLogGeneratedTemplate: true

api:
  dashboard: true
  insecure: true
  debug: true

metrics:
  prometheus:
    buckets:
    - "0.1"
    - "0.3"
    - "1.2"
    - "5"
    addEntryPointsLabels: true
    addServicesLabels: true
    entryPoint: metrics

ping:
  entryPoint: ping

log:
  level: DEBUG
  filePath: "/etc/traefik/traefik.log"

accessLog:
  filePath: "/etc/traefik/access.log"

certificatesResolvers:
  cloudflare:
    acme:
      email: "EMAIL"
      storage: "/etc/traefik/acme.json"
      dnsChallenge:
        provider: cloudflare
        resolvers:
        - "1.1.1.1:53"
        - "8.8.8.8:53"

I also have a dynamic folder with some relevant ymls:

# Traefik Dynamic Configuration
# Middleware: Forward Auth
# Internal Path: /etc/traefik/dynamic/forward-auth.yaml

http:
  middlewares:
    forward-auth:
      forwardAuth:
        address: "http://192.168.1.13:8080/authorize"
        trustForwardHeader: true
        authResponseHeaders:
          - X-FORWARDAUTH-NAME
          - X-FORWARDAUTH-SUB
          - X-FORWARDAUTH-EMAIL

# Traefik Dynamic Configuration
# Middleware: Forward Auth
# Host Path: /share/appdata/config/traefik/dynamic/forward-auth.yaml
# Internal Path: /etc/traefik/dynamic/forward-auth.yaml

http:
  middlewares:
    forward-auth:
      forwardAuth:
        address: "http://192.168.1.13:8080/authorize"
        trustForwardHeader: true
        authResponseHeaders:
          - X-FORWARDAUTH-NAME
          - X-FORWARDAUTH-SUB
          - X-FORWARDAUTH-EMAIL

# Traefik Dynamic Configuration
# Routers: Global HTTP -> HTTPS Redirect
# Host Path: /share/appdata/config/traefik/dynamic/globalredirect.yaml
# Internal Path: /etc/traefik/dynamic/globalredirect.yaml

http:
  routers:
    https-redirect:
      entryPoints:
        - http
      middlewares:
        - https-redirect
      rule: "HostRegexp(`{host:[a-z-.]+}`)"
      priority: 10
      service: noop

# Traefik Dynamic Configuration
# Middleware: HTTPS Redirect
# Internal Path: /etc/traefik/dynamic/https-redirect.yaml

http:
  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https

# Traefik Dynamic Configuration
# Middleware: Secured Chain (Testing)
# Internal Path: /etc/traefik/dynamic/secured-chain.yaml

http:
  middlewares:
    secured:
      chain:
        middlewares:
          - https-redirect
          - forward-auth

Thanks for the help!

Hello,

After a quick review, I detected some mistakes.

In the static configuration file

The option debugLogGeneratedTemplate don't exist in v2 because there are no templates.

The API configuration must be change:

replace:

api:
  dashboard: true
  insecure: true
  debug: true

by

api: {}

The dashboard is true by default and I strongly advice against using insecure mode

labels:
  traefik.enable: true
  
  traefik.http.routers.traefik.entrypoints: https
  traefik.http.routers.traefik.rule: Host(`traefik.MY.URL`)
  traefik.http.routers.traefik.tls.certresolver: cloudflare
  traefik.http.routers.traefik.service: api@internal
  traefik.http.routers.traefik.middlewares: forward-auth@file

  traefik.http.services.traefik.loadbalancer.server.port: 9999 # noop require by swarm

• https://docs.traefik.io/v2.1/operations/dashboard/#secure-mode

The ping use a non-existing entry point, so try:

ping: {}

In this case the ping will the traefik entry point (port 8080).

• https://docs.traefik.io/v2.1/operations/ping/

In dynamic files

The global redirection:

http:
  routers:
    redirecttohttps:
      entryPoints:
        - web
      middlewares:
        - httpsredirect
      rule: "HostRegexp(`{host:.+}`)"
      service: noop

  services:
    # noop service, the URL will be never called
    noop:
      loadBalancer:
        servers:
          - url: "http://192.168.0.1"

  middlewares:
    httpsredirect:
      redirectScheme:
        scheme: https

In the secured chain: the middleware redirectScheme is "terminal", so I recommend to not add it with another middleware.

Recommend read

• Global http to https redirect in v2
• https://blog.containo.us/traefik-2-0-docker-101-fc2893944b9d
• https://github.com/containous/blog-posts/tree/master/2019_09_10-101_docker

Also I recommend to migrate step by step, and take a look to your logs and the dashboard to get more information.