Question regarding http to https redirect

Hello, this is my first time trying to use Traefik and I am pretty overwhelmed by the documentation, so I am trying to include in my docker-compose whatever I need from different tutorials and guides, to at least have a decent enough docker-compose before I start learning and experimenting.
I specifically want to know: what is the ideal way to redirect all http to https?
In many different guides I saw the following, so I included it in the command section of my docker compose:

      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"

But after searching a bit more, I came across many different tutorials which took the approach of adding the following to the labels section of Traefik in the docker compose:

      # global redirect to https
      - 'traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)'
      - 'traefik.http.routers.http-catchall.entrypoints=web'
      - 'traefik.http.routers.http-catchall.middlewares=redirect-to-https'
      - 'traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https'

Q1) Should I have them both in my docker compose or only one of them? If only one, can someone say which one is preferable?
Q2) Also, how should I enable https redirection for all my target docker services? I am not sure if the above labels only need to be added to the Traefik container or to each of the containers that I want to enable https redirection for.

Entrypoints are static config, they go in traefik.yml or in command. Routers and services are dynamic config and go in a different file loaded via providers.file or in labels, which are loaded via providers.docker.

Best practice is to use entrypoints, then you don't have to repeat the redirect in every router, see simple Traefik example.


Thanks for the reply. Sorry if I understand some technical terms wrongly.
Just so I am understanding this correctly: if I have those 3 lines in the command section of Traefik, I don't need to have anything for https redirection in all of the different docker services that I want to reverse proxy.

And if I follow the dynamic config approach, then I would need to add those 4 lines to the labels of each docker service where I need https redirection.

Yes, that is correct.

That's sweet. On another note, I find myself adding these two lines to the labels section of each of my docker containers:

'traefik.http.routers.service.tls=true' 
'traefik.http.routers.service.entrypoints=websecure'

Is there a static configuration alternative for these two, so that I can add them directly in the command section of Traefik and remove them from the labels section of each docker container?

TLS yes, see simple Traefik example, which I linked above (link again).

Entrypoints only from v3, which is still in beta, see same example:

entrypoints.websecure.asDefault=true

I am not quite sure which line in the docker-compose you linked is for tls - https://github.com/bluepuma77/traefik-best-practice/blob/main/docker-traefik-dashboard-letsencrypt/docker-compose.yml

I read somewhere that the line below is the static configuration for tls, but I couldn't find it in your config, so I am a bit confused.

"--entrypoints.websecure.http.tls=true"

If you want static TLS, then use the line instead of certresolver.

Traefik documentation is your friend (1, 2).

Understood, thanks. Just one last question.
I have set up a wildcard certificate using the Cloudflare DNS challenge.

All of the guides I saw said to put the following in the labels section of each docker container:

- "traefik.http.routers.service.tls.certresolver=cloudflare"

But I already have the following in my Traefik command entrypoint:

- "--entrypoints.websecure.http.tls.certresolver=cloudflare"

So I just wanted to confirm that I don't need the http.routers thing in all of the labels, right?

Yes, the TLS in entrypoint can globally replace the repeated TLS in router.

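The answers in this thread combined into one docker-compose file, as an added example that is not from the thread or the linked repository: the redirect, TLS and the certificate resolver all sit on the entrypoints, so a service carries only its rule and entrypoint. It assumes Traefik v2; `example.com`, the e-mail address, the `whoami` service, the image tags and the volume path are placeholders.

```yaml
# Added example (not from the thread). Domain, e-mail, image tags, the whoami
# service and the ./letsencrypt path are placeholder assumptions.
services:
  traefik:
    image: traefik:v2.11
    command:
      - "--providers.docker=true"
      # Containers are only routed when they opt in with traefik.enable=true
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      # Static redirect: anything arriving on "web" is sent to "websecure" over https
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"
      # TLS and resolver on the entrypoint: applied to every router attached to websecure
      - "--entrypoints.websecure.http.tls.certresolver=cloudflare"
      - "--entrypoints.websecure.http.tls.domains[0].main=example.com"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.example.com"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge=true"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.cloudflare.acme.email=admin@example.com"
      - "--certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json"
    environment:
      # Token is read from the host environment, never written into the file
      - "CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "./letsencrypt:/letsencrypt"

  whoami:
    image: traefik/whoami
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.example.com`)"
      # On v2 the entrypoint is still set per router, as the thread notes.
      # No tls, certresolver or redirect labels are needed here.
      - "traefik.http.routers.whoami.entrypoints=websecure"
```

After starting it, `curl -I http://whoami.example.com` should answer with a permanent redirect whose `Location` header points at the `https://` URL.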