Redirection to wrong port/certificate

Hello community! I'm trying to configure a weird setup. Server hosts an Apache server that listens on 80 and 443 (random.domain). Traefik listens on 65000 (HTTP) and 65001 (HTTPS) for a different domain (subdomain.random.domain and some.random.domain). Traefik dashboard listens on localhost:65002.

The issue I have is that when I make a request for http://subdomain.random.domain:65000 or http://some.random.domain:65000, the redirection to HTTPS does take place; however, I'm presented with the certificate that Apache serves for https://random.domain. I'm not sure why this happens, but it looks like Traefik, when redirecting to HTTPS, routes traffic to localhost:443 instead of Traefik's entrypoint (443).

I would appreciate it if anyone could point me in the right direction.

This is my configuration:

traefik.toml

# Traefik static configuration. The addresses below are the ports Traefik
# binds inside the container; the host ports (65000/65001/65002) are assigned
# by the port mappings in docker-compose.yml.
[entryPoints]
  # Entry point used by the to-dashboard router declared in the compose labels.
  [entryPoints.dashboard]
    address = ":9090"
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http]
      [entryPoints.web.http.redirections]
        # Everything arriving on `web` is redirected to `websecure` over HTTPS.
        # As the reply in this thread explains, the redirect is built from the
        # target entry point's address (:443), not from the published host
        # port, so clients are sent to port 443 on the host.
        [entryPoints.web.http.redirections.entryPoint]
          to = "websecure"
          scheme = "https"
  [entryPoints.websecure]
    address = ":443"

[api]
  # Turns the dashboard on. `insecure` is not set in this file, so the
  # dashboard is expected to be reachable only through the router and
  # basic-auth middleware defined in the compose labels.
  dashboard = true

[providers]
  # Dynamic configuration files are read from /dynconf and reloaded on change.
  [providers.file]
    directory = "/dynconf"
    watch = true
  [providers.docker]
    # NOTE(review): access to the Docker socket gives control over the Docker
    # daemon; treat the Traefik container as highly privileged.
    endpoint = "unix:///var/run/docker.sock"
    network = "traefik_network"
    # Containers are ignored unless they carry the label traefik.enable=true.
    exposedByDefault = false

docker-compose.yml

# Compose file from the question: Traefik listens on 80/443/9090 inside the
# container and is published on host ports 65000/65001/65002.
version: '3.7'
services:
  # traefik service
  traefik:
    image: "traefik:v2.2"
    labels:
      - "traefik.enable=true"
      # Dashboard router: bound to the `dashboard` entry point only and placed
      # behind the `auth` basic-auth middleware.
      - "traefik.http.routers.to-dashboard.rule=Host(`dashboard.local`)"
      - "traefik.http.routers.to-dashboard.entrypoints=dashboard"
      - "traefik.http.routers.to-dashboard.middlewares=auth"
      - "traefik.http.routers.to-dashboard.service=api@internal"
      # basicauth.users takes `user:hash` in htpasswd format; in a compose
      # file each `$` of the hash has to be written as `$$`.
      # NOTE(review): labels can be read by anyone able to inspect the
      # container; basicauth.usersfile keeps the hash out of the labels.
      - "traefik.http.middlewares.auth.basicauth.users=admin:<PASSWORD>"

    container_name: "traefik"
    ports:
      # HTTP and HTTPS are published on every host interface, on non-standard
      # ports because Apache already owns 80 and 443 on this host.
      - "65000:80"
      - "65001:443"
      # Dashboard entry point is published on loopback only.
      - "127.0.0.1:65002:9090"
    volumes:
      # NOTE(review): `:ro` only protects the socket file itself; it does not
      # limit which Docker API calls the container can make. A filtering
      # socket proxy is the usual mitigation.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "/home/traefik/traefik.toml:/traefik.toml:ro"
      # acme.json holds ACME account and certificate private keys when a
      # certificate resolver is used; keep it at mode 600 on the host.
      # NOTE(review): no resolver is visible in the posted traefik.toml.
      - "/home/traefik/letsencrypt/acme.json:/acme.json"
      # NOTE(review): presumably Traefik only reads these two mounts; if so
      # they could be mounted `:ro` as well - confirm before changing.
      - "/home/traefik/dynconf/dyn.toml:/dynconf/dyn.toml"
      - "/home/traefik/certs/:/certs/"

  httpecho:
    image: "hashicorp/http-echo"
    container_name: "httpecho"
    command: "-text='hello world!'"
    labels:
      - "traefik.enable=true"
      # Plain-HTTP router: exists only to apply the HTTPS redirect.
      - "traefik.http.routers.to-httpecho.rule=Host(`subdomain.random.domain`)"
      - "traefik.http.routers.to-httpecho.entrypoints=web"
      - "traefik.http.routers.to-httpecho.middlewares=https_redirect"

      # HTTPS router for the same host, TLS enabled.
      - "traefik.http.routers.to-httpecho-secure.rule=Host(`subdomain.random.domain`)"
      - "traefik.http.routers.to-httpecho-secure.entrypoints=websecure"
      - "traefik.http.routers.to-httpecho-secure.tls=true"

      # No redirectscheme.port is set, so the redirect presumably targets the
      # default HTTPS port (443), which on this host belongs to Apache.
      # The `web` entry point in traefik.toml already redirects to HTTPS, so
      # this middleware duplicates that redirection.
      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"

  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"
      # Plain-HTTP router: exists only to apply the HTTPS redirect.
      - "traefik.http.routers.to-whoami.rule=Host(`some.random.domain`)"
      - "traefik.http.routers.to-whoami.entrypoints=web"
      - "traefik.http.routers.to-whoami.middlewares=https_redirect"

      # HTTPS router for the same host, TLS enabled.
      - "traefik.http.routers.to-whoami-secure.rule=Host(`some.random.domain`)"
      - "traefik.http.routers.to-whoami-secure.entrypoints=websecure"
      - "traefik.http.routers.to-whoami-secure.tls=true"

      # Same middleware name and settings as on the httpecho service; the
      # definition is repeated here rather than shared.
      - "traefik.http.middlewares.https_redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.https_redirect.redirectscheme.permanent=true"

# All services join the pre-existing network that the Docker provider is
# configured to use.
networks:
  default:
    external:
      name: "traefik_network"

Hello,

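Traefik creates the redirection based on the entry points; your entry points are on 80, 443, and 9090.
Traefik is not aware of your port mappings, so the redirect sends the browser to port 443 on the host, where Apache is listening and answers with its own certificate.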

You have to change the entry point ports to 65000 and 65001 and change your port mappings.

You can also simplify your configuration:

# Variant 1: the entry points listen on the same port numbers that are
# published on the host, so a redirect built from the `websecure` address
# points at a port Traefik actually owns. The static configuration is passed
# as CLI flags instead of a mounted traefik.toml.
version: "3.7"

services:

  traefik:
    image: "traefik:v2.3.1"
    container_name: "traefik"
    ports:
      # HTTP and HTTPS are published on every host interface.
      - "65000:65000"
      - "65001:65001"
      # The dashboard entry point is published on loopback only.
      - "127.0.0.1:65002:65002"
    volumes:
      # NOTE(review): `:ro` protects the socket file, not the Docker API; the
      # container can still issue any API call. A filtering socket proxy is
      # the usual mitigation.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # Holds ACME account and certificate private keys when a certificate
      # resolver is used; keep it at mode 600 on the host.
      # NOTE(review): no resolver flag appears in the command below.
      - "/home/traefik/letsencrypt/acme.json:/acme.json"
      - "/home/traefik/dynconf/dyn.toml:/dynconf/dyn.toml"
      - "/home/traefik/certs/:/certs/"
    command:
      # API and dashboard enabled; they are exposed only through the
      # to-dashboard router in the labels, behind basic auth.
      - "--api"

      - "--entrypoints.dashboard.address=:65002"

      # Everything on `web` is permanently redirected to `websecure`; the
      # redirect port is taken from the websecure address (65001).
      - "--entrypoints.web.address=:65000"
      - "--entrypoints.web.http.redirections.entrypoint.to=websecure"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"

      # TLS is switched on at entry-point level, so the routers do not need
      # their own tls label.
      - "--entrypoints.websecure.address=:65001"
      - "--entrypoints.websecure.http.tls=true"

      # Only containers labelled traefik.enable=true are routed.
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=traefik_network"

      - "--providers.file.directory=/dynconf"
      - "--providers.file.watch=true"
    labels:
      traefik.enable: "true"
      traefik.http.routers.to-dashboard.rule: 'Host(`dashboard.local`)'
      traefik.http.routers.to-dashboard.entrypoints: "dashboard"
      traefik.http.routers.to-dashboard.middlewares: "auth"
      traefik.http.routers.to-dashboard.service: "api@internal"
      # `user:hash` in htpasswd format; every `$` of the hash must be written
      # as `$$` in a compose file.
      traefik.http.middlewares.auth.basicauth.users: "admin:<PASSWORD>"

  httpecho:
    image: "hashicorp/http-echo"
    container_name: "httpecho"
    command: "-text='hello world!'"
    labels:
      traefik.enable: "true"
      # One router on both entry points; requests on `web` are redirected by
      # the entry point before they reach it.
      traefik.http.routers.to-httpecho-secure.rule: 'Host(`subdomain.random.domain`)'
      traefik.http.routers.to-httpecho-secure.entrypoints: "web,websecure"

  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    labels:
      traefik.enable: "true"
      traefik.http.routers.to-whoami-secure.rule: 'Host(`some.random.domain`)'
      traefik.http.routers.to-whoami-secure.entrypoints: "web,websecure"

# Pre-existing network shared with the Docker provider setting above.
networks:
  default:
    external:
      name: "traefik_network"

If you want to keep your port mappings, you have to change the flag --entrypoints.web.http.redirections.entrypoint.to=websecure to --entrypoints.web.http.redirections.entrypoint.to=:65001

# Variant 2: Traefik keeps 80/443/8080 inside the container and the host
# publishes them on 65000/65001/65002. Because Traefik cannot see the port
# mapping, the redirect target is given as an explicit port.
version: "3.7"

services:

  traefik:
    image: "traefik:v2.3.1"
    container_name: "traefik"
    ports:
      # Host port on the left, container port on the right.
      - "65000:80"
      - "65001:443"
      # Dashboard stays reachable from the host's loopback interface only.
      - "127.0.0.1:65002:8080"
    volumes:
      # NOTE(review): a read-only bind mount does not restrict what the
      # container can ask the Docker daemon to do through this socket.
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      # Contains private key material when ACME is in use; mode 600 on the
      # host is expected.
      - "/home/traefik/letsencrypt/acme.json:/acme.json"
      - "/home/traefik/dynconf/dyn.toml:/dynconf/dyn.toml"
      - "/home/traefik/certs/:/certs/"
    command:
      # API/dashboard on; served through the to-dashboard router below.
      - "--api"

      - "--entrypoints.dashboard.address=:8080"

      - "--entrypoints.web.address=:80"
      # Redirect target given as a port, not an entry point name: 65001 is
      # the host port that maps to websecure (:443 in the container), so the
      # client is sent back to Traefik rather than to whatever listens on
      # host port 443. Keep this value in step with the `ports` mapping.
      - "--entrypoints.web.http.redirections.entrypoint.to=:65001"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"

      # TLS enabled for every router attached to websecure.
      - "--entrypoints.websecure.address=:443"
      - "--entrypoints.websecure.http.tls=true"

      # Containers must opt in with traefik.enable=true.
      - "--providers.docker.exposedByDefault=false"
      - "--providers.docker.network=traefik_network"

      - "--providers.file.directory=/dynconf"
      - "--providers.file.watch=true"
    labels:
      traefik.enable: "true"
      traefik.http.routers.to-dashboard.rule: 'Host(`dashboard.local`)'
      traefik.http.routers.to-dashboard.entrypoints: "dashboard"
      traefik.http.routers.to-dashboard.middlewares: "auth"
      traefik.http.routers.to-dashboard.service: "api@internal"
      # htpasswd-style `user:hash`; `$` in the hash is escaped as `$$` here.
      traefik.http.middlewares.auth.basicauth.users: "admin:<PASSWORD>"

  httpecho:
    image: "hashicorp/http-echo"
    container_name: "httpecho"
    command: "-text='hello world!'"
    labels:
      traefik.enable: "true"
      traefik.http.routers.to-httpecho-secure.rule: 'Host(`subdomain.random.domain`)'
      traefik.http.routers.to-httpecho-secure.entrypoints: "web,websecure"

  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    labels:
      traefik.enable: "true"
      traefik.http.routers.to-whoami-secure.rule: 'Host(`some.random.domain`)'
      traefik.http.routers.to-whoami-secure.entrypoints: "web,websecure"

# Network created outside this compose project.
networks:
  default:
    external:
      name: "traefik_network"

Thank you so much for all this information!
