Redirection with LAN server and dynamic.yml

Hi,
I tried to deploy Traefik and forward traffic to an external server, but there is a mismatch. The target server is an ESXi with http => https redirection.

version: '3.5'

services:

  reverse-proxy:
    container_name: reverseproxy
    image: traefik:v2.9.4 
    restart: always
    ports:
      - "80:80"
      - "443:443"

    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./traefik.yml:/etc/traefik/traefik.yml
      - ./acme.json:/etc/traefik/acme.json
      - ./rules/:/etc/traefik/rules

log:
  level: DEBUG

tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: false
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      curvePreferences:
        - CurveP521
        - CurveP384

http:
  middlewares:
    compression:
      compress:
        excludedContentTypes:
          - text/event-stream

    security:
      headers:
        accessControlAllowMethods:
          - GET
          - OPTIONS
          - PUT
        accessControlMaxAge: 100
        addVaryHeader: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        frameDeny: true
#        sslRedirect: true
        sslForceHost: true
        stsPreload: true
        customFrameOptionsValue: SAMEORIGIN
        referrerPolicy: "same-origin"
#        featurePolicy: "camera 'none'; microphone 'none'; payment 'none'; usb 'none';"
        stsSeconds: 315360000
        hostsProxyHeaders:
          - "X-Forwarded-Host"

  serversTransports:
    mytransport:
      disableHTTP2: false
      insecureSkipVerify: true

  routers:
    esx:
      rule: "Host(`esx.xxx`)"
      entryPoints:
        - websecure
      service: esx
      middlewares:
        - chain-authelia
      tls:
        certresolver: "letsencrypt"
#        domains:
#          - main: "esx.xxx"
#            sans: "www.xxx"

  services:
    esx:
      loadBalancer:
        servers:
          - url: "http://192.168.2.200"

When I test the URL, it's not working and shows the message "The page is not redirected correctly".
Another test:

wget http://192.168.2.200
--2023-02-28 21:02:38--  http://192.168.2.200/
Connecting to 192.168.2.200:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: https://192.168.2.200/ [following]
--2023-02-28 21:02:38--  https://192.168.2.200/
Connecting to 192.168.2.200:443... connected.
ERROR: The certificate of ‘192.168.2.200’ is not trusted.
ERROR: The certificate of ‘192.168.2.200’ doesn't have a known issuer.
The certificate's owner does not match hostname ‘192.168.2.200’

Any advice to fix the issue?

It seems you are mixing static and dynamic configuration.

Place entrypoints, certresolvers, etc. in static traefik.yml, use provider.file in it to load traefik-dynamic.yml dynamic configuration which includes routers, services, tls, etc.

Sorry, I didn't explain that I already have other servers with the same conf and it's working.
I think the issue is caused by the http/https redirection on the ESXi (I can't disable it), and maybe linked with my security options in the dynamic file?

Ok, the wget with IP does not work, because it will redirect to https with IP and you can’t have a validated TLS cert with IP.

You need to use domain name instead. Or tell wget to trust any TLS cert.

Yes but it's just for the test and the http/s connectivity.

I tried with another device (Fortinet), and when I disabled the https redirection, it solved the issue.
On the ESX node, I can't do that.

Tks

And the logs during the session:

With https redirection on Traefik:

time="2023-03-10T17:50:51Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" ForwardURL="http://192.168.2.200" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"OmitHost\":false,\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\"],\"Cookie\":[\"authelia_session=FWtCmzTrvBDcMQnzNbYaRXmBwcwmqYXf\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"Thibaut\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Te\":[\"trailers\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0\"],\"X-Forwarded-Host\":[\"esx.xxx\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"c5acd01e29cc\"],\"X-Real-Ip\":[\"57.79.254.161\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"esx.xxx\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"57.79.254.161:59638\",\"RequestURI\":\"/\",\"TLS\":null}"
time="2023-03-10T17:50:51Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"OmitHost\":false,\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\"],\"Cookie\":[\"authelia_session=FWtCmzTrvBDcMQnzNbYaRXmBwcwmqYXf\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"Thibaut\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Te\":[\"trailers\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0\"],\"X-Forwarded-Host\":[\"esx.xxx\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"c5acd01e29cc\"],\"X-Real-Ip\":[\"57.79.254.161\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"esx.xxx\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"57.79.254.161:59638\",\"RequestURI\":\"/\",\"TLS\":null}"
time="2023-03-10T17:50:52Z" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"OmitHost\":false,\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\"],\"Cookie\":[\"authelia_session=FWtCmzTrvBDcMQnzNbYaRXmBwcwmqYXf\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"Thibaut\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Te\":[\"trailers\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0\"],\"X-Forwarded-Host\":[\"esx.xxx\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"c5acd01e29cc\"],\"X-Real-Ip\":[\"57.79.254.161\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"esx.xxx\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"57.79.254.161:59638\",\"RequestURI\":\"/\",\"TLS\":null}"
time="2023-03-10T17:50:52Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"OmitHost\":false,\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\"],\"Cookie\":[\"authelia_session=FWtCmzTrvBDcMQnzNbYaRXmBwcwmqYXf\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"Thibaut\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Te\":[\"trailers\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0\"],\"X-Forwarded-Host\":[\"esx.xxx\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"c5acd01e29cc\"],\"X-Real-Ip\":[\"57.79.254.161\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"esx.xxx\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"57.79.254.161:59638\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL=
time="2023-03-10T17:50:52Z" level=debug msg="'500 Internal Server Error' caused by: unsupported protocol scheme \"\""

Without redirection:

time="2023-03-10T18:00:01Z" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"OmitHost\":false,\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\"],\"Cookie\":[\"authelia_session=FWtCmzTrvBDcMQnzNbYaRXmBwcwmqYXf\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"Thibaut\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Te\":[\"trailers\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0\"],\"X-Forwarded-Host\":[\"esx.lab-aege.fr\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"c5acd01e29cc\"],\"X-Real-Ip\":[\"57.79.254.161\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"esx.lab-aege.fr\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"57.79.254.161:59662\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="https://192.168.2.200:443"
time="2023-03-10T18:00:01Z" level=debug msg="'500 Internal Server Error' caused by: x509: cannot validate certificate for 192.168.2.200 because it doesn't contain any IP SANs"
time="2023-03-10T18:00:01Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"OmitHost\":false,\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"fr,fr-FR;q=0.8,en-US;q=0.5,en;q=0.3\"],\"Cookie\":[\"authelia_session=FWtCmzTrvBDcMQnzNbYaRXmBwcwmqYXf\"],\"Dnt\":[\"1\"],\"Remote-Groups\":[\"admins,dev\"],\"Remote-User\":[\"Thibaut\"],\"Sec-Fetch-Dest\":[\"document\"],\"Sec-Fetch-Mode\":[\"navigate\"],\"Sec-Fetch-Site\":[\"none\"],\"Sec-Fetch-User\":[\"?1\"],\"Te\":[\"trailers\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0\"],\"X-Forwarded-Host\":[\"esx.xxx\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"c5acd01e29cc\"],\"X-Real-Ip\":[\"57.79.254.161\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"esx.lab-aege.fr\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"57.79.254.161:59662\",\"RequestURI\":\"/\",\"TLS\":null}"

Tks
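
The backend definition that the errors in this thread point to, as an added example that is not part of the original posts: the service speaks HTTPS to the ESXi directly and names its transport, which the posted config defines as `mytransport` but never references from the `esx` service. The `esx-verified` transport, its `serverName` and the CA file name are placeholders assumed for illustration.

```yaml
# Added example, not from the thread. Traefik v2 dynamic configuration (file provider).
http:
  serversTransports:
    # Weak: the transport the posted config defines. Certificate checks are off,
    # so whatever answers on 192.168.2.200:443 is accepted as the ESXi.
    mytransport:
      insecureSkipVerify: true

    # Hardened alternative: verify the ESXi certificate against its own CA.
    # serverName and the file name below are placeholders, not values from the thread.
    esx-verified:
      serverName: "esxi.lan.example"        # must match a name in the ESXi certificate
      rootCAs:
        - /etc/traefik/rules/esxi-ca.pem    # CA (or self-signed cert) exported from the host

  services:
    esx:
      loadBalancer:
        # A transport only takes effect when the service names it; one that is
        # merely defined under serversTransports is never used, and the backend
        # certificate is then checked with the default settings
        # ("x509: cannot validate certificate for 192.168.2.200 ...").
        serversTransport: esx-verified      # or mytransport for a quick connectivity test
        servers:
          # Use https:// so the ESXi never answers with its 301 to https,
          # which the browser would otherwise follow back to Traefik in a loop.
          - url: "https://192.168.2.200"
```

With `insecureSkipVerify: true` the proxy-to-backend hop is encrypted but unauthenticated, so the verified transport is the one to keep once connectivity is confirmed.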