Redirect / to /web while preserving "external" scheme

I have recently migrated from traefik 1.7 to traefik 2.4, and one of the rules I had became this middleware rule:

    web-redirect:
      redirectRegex:
        regex: ^http(s)?://([^/]+)/?$
        replacement: http$1://$2/web

I know that with traefik 2.x, HTTPS/TLS is abstracted away from most rules. This rule works well if there is no TLS offloading done ahead of traefik, but it will unfortunately redirect "hxxps://contoso.com" to "hxxp://contoso.com/web" if traefik is not handling HTTPS itself.

The same rule used to work in traefik 1.7 even with a reverse proxy in front of it, so I can only assume that it could somehow know that even if the request came through "hxxp://localhost:4000" from traefik's point of view, if the client used "https://contoso.com" it would be able to use that instead. All our services use "passHostHeader: true" to ensure that if the host is "contoso.com" then it is what we see in traefik, not localhost or the internal IP.

Is there a configuration option similar to passHostHeader that would let me write a rule that can know which "external" scheme has been used externally? Otherwise I will have to make a lot more rules to handle the generic case of "if you hit /, redirect to /web using the same external host and scheme".

Thanks!

P.S.: I used hxxp/hxxps because the site wouldn't let me write a post with more than 4 links in it

Hello @awakecoding,

I'm a little unclear what you are wanting to achieve.

The passHostHeader configuration (Services - Traefik) is used to confirm that incoming request host headers should be copied over to the proxied requests, instead of using the same host as the proxied host. This doesn't change what Traefik "sees" or not.

In regards to redirection, if you want to enforce http->https redirection, this has to be done on the appliance or application that terminates TLS. Attempting to do so anywhere else will cause issues, as the X-forwarded headers are not a replacement for crypto trust.

Does that make sense?

Hi Daniel,

I understand what you are suggesting, but it isn't the same thing. Regardless of https/http being handled in traefik, I'd like to know if the request from the client originally came in from https or http. For instance, with TLS offloading done in front of traefik, I would like to know that "https://contoso.com" was used instead of "http://contoso.com" which is what I'd have using passHostHeader=true. The host header only includes the host as seen by the client, but there doesn't seem to be a simple way to do a "passHostScheme". I'm not sure how traefik 1.7 did it, but it appeared to be able to tell the difference. Am I making sense?

Hello @awakecoding,

I think what you are looking for is the X-Forwarded-Proto header (X-Forwarded-Proto - HTTP | MDN). Most proxies (Traefik included) add this header when terminating the connection, so that the original protocol is preserved and passed downstream.

Thanks, I added a forwardedHeaders section to my configuration, and now it works!
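
The trust decision behind this fix, as an added example that is not part of the thread and is a simplified model rather than Traefik's own code: the external scheme is taken from X-Forwarded-Proto only when the connection comes from a trusted proxy address, and the redirect rule from the question is then applied to the rebuilt URL. The 10.0.0.0/24 proxy range, the sample addresses and the function names are assumptions.

```python
import ipaddress
import re

# Regex and replacement from the middleware in the question
# ($1/$2 become \1/\2 in Python's replacement syntax).
REDIRECT_REGEX = re.compile(r"^http(s)?://([^/]+)/?$")
REPLACEMENT = r"http\1://\2/web"

# Assumed address range of the TLS-offloading proxy (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/24")]


def external_scheme(peer_ip, headers, local_tls=False, trusted=TRUSTED_PROXIES):
    """Return the scheme the client used.

    X-Forwarded-Proto is honoured only when the TCP peer is a trusted proxy;
    from any other peer the header is client-controlled and is ignored.
    Header lookup is case-sensitive here to keep the model short.
    """
    if local_tls:
        return "https"  # TLS terminated on this hop, no header needed
    addr = ipaddress.ip_address(peer_ip)
    if any(addr in net for net in trusted):
        proto = headers.get("X-Forwarded-Proto", "").strip().lower()
        if proto in ("http", "https"):
            return proto
    return "http"  # untrusted peer, or missing/unexpected header value


def redirect_target(peer_ip, host, path, headers, local_tls=False):
    """Return the Location for a bare "/" request, or None if the rule does not match."""
    scheme = external_scheme(peer_ip, headers, local_tls)
    url = f"{scheme}://{host}{path}"
    if not REDIRECT_REGEX.match(url):
        return None
    return REDIRECT_REGEX.sub(REPLACEMENT, url)


if __name__ == "__main__":
    fwd = {"X-Forwarded-Proto": "https"}
    # Constructed requests: trusted offloader, then a direct client spoofing the header.
    print(redirect_target("10.0.0.5", "contoso.com", "/", fwd))
    print(redirect_target("203.0.113.9", "contoso.com", "/", fwd))
```
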