Redirect Response Sent from API Endpoint behind Traefik is Targeted to HTTP rather than HTTPS

Traefik Traefik v2
1

Hi there,

I'm new to Traefik and I've set up an API serivice in docker behind traefik. Traefik is configured to use Let's Encrypt resolver to automatically deal with the SSL stuff for the hostname of this service so all the clients are talking with this API endpoint in https url e.g. https://xxx and the API service itself (a uvicorn server) is running in non-ssl mode. Everything works fine in normal case.

However, in certain cases, the API endpoint will send out some redirect responses. Those redirect response is targeting to http://xxx which is a different hostname because the API endpoint itself is running in non-ssl mode I guess. The client receiving such a redirect response will not carry the Authorization Header by default because the hostname has changed (from https to http).

I'm wondering what's the conventional practice to make the redirect response sent from service behind traefik to be starting with https. Thank you!

Best

2

The blame/solution/config is usually for you to change on the service.

Some products have configuration for the root url. One I've recently is Sentry.io onprem.
Others like confluence require variables:

ATL_PROXY_NAME: confluence.example.com
 ATL_TOMCAT_SCHEME: https
 ATL_TOMCAT_SECURE: "true"

Some will just work out of the box.

For our own API I tell our developer not to worry about the scheme, just the paths.

3

The specific API service I'm using is FastAPI. I noticed that I've never configured the hostname anywhere so I guess the redirect response is just tweaking the path. This let me recall that when traefik router is talking with the services, Traefik will terminate the SSL connections as said in the documentation. Probably the request from router to my service is tweaked to be http://xxx from the original https one sent by the client to traefik i.e. https://xxx. And thus the redirect response is on top of http://xxx. Is my understanding correct here?

As for fastapi's configuration on this, the only thing I found is set a root_path but no settings for root_url. I'm still confirming on that side but I feel it's likely to be not doable. Is there any other way out?

4

I feel this is something very common. Could anyone help on me?

5

I would really appreciate it if anyone here could help. Thank you in advance. I'm super bothered with this!

6

I had the same issue with FastAPI. The redirects happen if the URL on the path does / doesn’t include a slash (although this behaviour should have been fixed in a recent FastAPI release).

The way I fixed it was to add a trailing slash to the end of the route the in the FastAPI router followed by a “?” to indicate it’s optional so that the path is correctly matched and a redirect won’t happen e.g. https://base-path/home/?

Hopefully that works for you!

1 Like
7

Thanks for your response. Unfortunately I have long been noticed this workaround however it has two critical disadvantages:

  1. It does not solve the problem of some other redirect response thrown by us on purpose
  2. Even though the above can be solved with some more efforts, this "/?" route path is no longer supported since April.20 version of fastapi and starlette.
    So unfortunately this can't be a long-term, and complete workaround.