Redirect entrypoint to websecure except to the ip

Hello,

We have a Traefik that redirects to websecure scheme https permanent, but the issue is that the IP address is also redirected to https with an invalid default Traefik certificate.

My question is, how to prevent that?

Is it possible to drop any visit to a website by IP and only allow by domain?

If you want to redirect only requests to your correct domain to https, then you need to remove the redirect on entrypoint and instead create a redirect middleware on your router (doc). Don’t forget to assign the middleware to the router.

Alternatively you can also use your own default TLS cert or create a default one with LetsEncrypt. But then you reveal a domain to direct IP access requests.

Is it possible, in place of the default Traefik cert, to provide the Let's Encrypt generated cert for the IP also?

Yes, configure a default cert via LetsEncrypt (doc).

But note that a browser will probably show an error, as the cert domain does not match "IP".

OK, but I don't understand the part “myresolver”.

My traefik.yml looks like:

certificatesResolvers:
  http:
    acme:
      email: "azazza@zaza.zazaz"
      storage: "/certs/acme.json"
      httpChallenge:
        entryPoint: web

So which value do I put for “myresolver” in the code below?

tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: myresolver
        domain:
          main: example.org
          sans:
            - foo.example.org
            - bar.example.org

Regards,

Maybe check the example (doc):

entryPoints:
  web:
    address: ":80"

  websecure:
    address: ":443"

certificatesResolvers:
  myresolver:
    # ^ this is the name you give to the resolver,
    #   similar to routers, middlewares and services

    acme:
      email: your-email@example.com
      storage: acme.json
      httpChallenge:
        # used during the challenge
        entryPoint: web

Seems not working: when I visit the website by IP, I see the default Traefik cert, not the SSL for the domain itself…

Enable and check Traefik debug log (doc).

Make sure the tls section is in a dynamic config file, which is loaded via providers.file in the static config.
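
The pieces discussed in this thread, put together in one place as an added example (not part of the original posts or of the Traefik documentation): the redirect moves from the entrypoint to a router with a Host rule, and the default TLS store refers to the resolver by the name it has under certificatesResolvers. The resolver name `http` and the storage path come from the traefik.yml in the question; the dynamic file path, the router, middleware and service names, the e-mail address and the backend URL are assumptions.

```yaml
# --- static config: traefik.yml ---
entryPoints:
  web:
    address: ":80"            # no entrypoint-level http.redirections here
  websecure:
    address: ":443"
providers:
  file:
    filename: /etc/traefik/dynamic.yml   # assumed path
certificatesResolvers:
  http:                       # resolver name used in the question
    acme:
      email: "you@example.org"
      storage: "/certs/acme.json"
      httpChallenge:
        entryPoint: web
---
# --- dynamic config: /etc/traefik/dynamic.yml (assumed path) ---
http:
  middlewares:
    to-https:                 # hypothetical name
      redirectScheme:
        scheme: https
        permanent: true
  routers:
    site-http:                # only this Host is redirected; bare-IP requests match no router
      entryPoints: ["web"]
      rule: "Host(`example.org`)"
      middlewares: ["to-https"]
      service: site
    site-https:
      entryPoints: ["websecure"]
      rule: "Host(`example.org`)"
      service: site
      tls:
        certResolver: http
  services:
    site:                     # hypothetical backend
      loadBalancer:
        servers:
          - url: "http://127.0.0.1:8080"
# Optional: replaces the self-signed default cert, but shows example.org to IP visitors
tls:
  stores:
    default:
      defaultGeneratedCert:
        resolver: http        # must equal the key under certificatesResolvers
        domain:
          main: example.org
```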

It seems to be working: visiting the site by domain or IP gives me the cert generated for the domain, but in the logs I see this:

2025-09-15T07:11:08Z ERR Error while creating certificate store error="unable to find certificate for domains \"foo.bar\": falling back to the internal generated certificate" tlsStoreName=default

And I don’t have any idea what it means?

Is it normal?