RedirectScheme Middleware CRD Not Working

ystan · December 2, 2019, 3:43pm

I created a bug that got auto-closed by the bot: https://github.com/containous/traefik/issues/5924

In short, I'm running Traefik v2.1 in Kubernetes and followed the instructions to create a Middleware for redirectScheme, then 2 IngressRoutes - 1 is the actual TLS-enabled site and the other is a redirect. The TLS site works as expected, but the redirect actually goes ahead to display the site in HTTP rather than.. redirect to the TLS site.

daniel.tomcej · December 4, 2019, 5:56pm

Hello @ystan,

Running multiple replicas of Traefik in k8s with letsencrypt is not supported in Traefik CE.

Can you test with a single replica and see if it works as you expect?

Also, can you provide what curl -v http://my-site.com gives you?

ystan · December 5, 2019, 3:02pm

reducing to 1 replica does not change anything.
can you confirm if my ingressroute config is correct? i.e. i should have 2 - one is the real TLS endpoint connected with lets encrypt. while the other uses an identical host pattern but the normal http entrypoint while using the redirect middleware. is there some way to test this middleware?
curl output below. those lines in front look suspect but i don't know if they mean anything.

$ curl -v http://my-site.com
* Expire in 0 ms for 6 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
*   Trying xxx.xxx.xxx.xxx...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x76b880)
* Connected to my-site.com (xxx.xxx.xxx.xxx) port 80 (#0)
> GET / HTTP/1.1
> Host: my-site.com
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Content-Language: en-US
< Content-Type: text/html;charset=UTF-8
< Date: Thu, 05 Dec 2019 14:59:14 GMT
< Expires: 0
< Pragma: no-cache
< Set-Cookie: JSESSIONID=brIELzRMJiWKwtXzzuno7VOR2_egSl7WoqyfCs38; path=/
< X-Application-Context: application:prod:8090
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-Xss-Protection: 1; mode=block
< Transfer-Encoding: chunked
<
<!DOCTYPE html>

<html>
        <!-- My site HTML -->
</html>
* Connection #0 to host my-site.com left intact

zespri · December 6, 2019, 1:11am

Can you enable debug log and compare configuration received from kubernetes CRD provider with one you'd expect to see? If they match, can you check that your request actually ends up at traefik and not going to the web sute bypassing it...

ystan · December 8, 2019, 5:01am

how do i do this? -> compare configuration received from kubernetes CRD provider with one you'd expect to see

debug logs as follows. the traffic is definitely going through traefik as the site is not exposed via any other method.

time="2019-12-08T12:53:48+08:00" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.9,en-GB;q=0.8\"],\"Cache-Control\":[\"max-age=0\"],\"Connection\":[\"keep-alive\"],\"Cookie\":[\"JSESSIONID=MtuiSFbBmPztRTqLOutLzyxGKaG_KRpfgSJ3RWGc; _ga=GA1.2.2006152456.1575780454; _gid=GA1.2.338463631.1575780454\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\"],\"X-Forwarded-Host\":[\"my-site.com\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"traefik-56c96855fd-8twrg\"],\"X-Real-Ip\":[\"10.0.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"my-site.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.0.0.1:53109\",\"RequestURI\":\"/\",\"TLS\":null}"
time="2019-12-08T12:53:48+08:00" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.9,en-GB;q=0.8\"],\"Cache-Control\":[\"max-age=0\"],\"Connection\":[\"keep-alive\"],\"Cookie\":[\"JSESSIONID=MtuiSFbBmPztRTqLOutLzyxGKaG_KRpfgSJ3RWGc; _ga=GA1.2.2006152456.1575780454; _gid=GA1.2.338463631.1575780454\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\"],\"X-Forwarded-Host\":[\"my-site.com\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"traefik-56c96855fd-8twrg\"],\"X-Real-Ip\":[\"10.0.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"my-site.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.0.0.1:53109\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="http://10.0.0.5:8090"
time="2019-12-08T12:53:48+08:00" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.9,en-GB;q=0.8\"],\"Cache-Control\":[\"max-age=0\"],\"Connection\":[\"keep-alive\"],\"Cookie\":[\"JSESSIONID=MtuiSFbBmPztRTqLOutLzyxGKaG_KRpfgSJ3RWGc; _ga=GA1.2.2006152456.1575780454; _gid=GA1.2.338463631.1575780454\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\"],\"X-Forwarded-Host\":[\"my-site.com\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"traefik-56c96855fd-8twrg\"],\"X-Real-Ip\":[\"10.0.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"my-site.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.0.0.1:53109\",\"RequestURI\":\"/\",\"TLS\":null}"
10.0.0.1 - - [08/Dec/2019:04:53:48 +0000] "GET / HTTP/1.1" 200 1400 "-" "-" 92 "default-my-site-redirect-a8965d81bed1fc6a8d8c@kubernetescrd" "http://10.0.0.5:8090" 10ms

ystan · December 8, 2019, 5:35am

Okay after all this trial-and-error, I found the root cause -> in the redirect ingressroute crd, i made middlewares a child of services when they should really be peers. my bad.

WRONG:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-site
spec:
  entryPoints:
  - web
  routes:
  - kind: Rule
    match: Host(`my-site.com`)
    services:
    - middlewares:
      - name: redirect
      name: my-site
      port: 8090

CORRECT:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-site
spec:
  entryPoints:
  - web
  routes:
  - kind: Rule
    match: Host(`my-site.com`)
    middlewares:
    - name: redirect
    services:
    - name: my-site
      port: 8090

Topic		Replies	Views
Redirect scheme does not seem to always work Traefik v2 (latest) kubernetes-crd	1	367	March 25, 2020
HTTP Routers with RedirectScheme failing with 400's Traefik v2 (latest) middleware	0	336	October 4, 2019
redirectScheme Middleware not redirecting Traefik v2 (latest) kubernetes-crd , kubernetes-ingress , letsencrypt-acme , middleware	9	2224	March 3, 2021
Setting up Middleware redirectRegex within kubernetes Traefik v2 (latest) kubernetes-crd , middleware	2	347	October 5, 2023
Traefik 2.0 & Kubernetes CRD [Force SSL / Http to Https redirect] How? Traefik v2 (latest) kubernetes-crd , kubernetes-ingress	8	5423	February 13, 2020

RedirectScheme Middleware CRD Not Working

Related Topics