RedirectScheme Middleware CRD Not Working

I created a bug that got auto-closed by the bot: https://github.com/containous/traefik/issues/5924

In short, I'm running Traefik v2.1 in Kubernetes and followed the instructions to create a Middleware for redirectScheme, then 2 IngressRoutes - 1 is the actual TLS-enabled site and the other is a redirect. The TLS site works as expected, but the redirect actually goes ahead to display the site in HTTP rather than.. redirect to the TLS site.

Hello @ystan,

Running multiple replicas of Traefik in k8s with letsencrypt is not supported in Traefik CE.

Can you test with a single replica and see if it works as you expect?

Also, can you provide what curl -v http://my-site.com gives you?

reducing to 1 replica does not change anything.
can you confirm if my ingressroute config is correct? i.e. i should have 2 - one is the real TLS endpoint connected with lets encrypt. while the other uses an identical host pattern but the normal http entrypoint while using the redirect middleware. is there some way to test this middleware?
curl output below. those lines in front look suspect but i don't know if they mean anything.

$ curl -v http://my-site.com
* Expire in 0 ms for 6 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 0 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 1 ms for 1 (transfer 0x76b880)
* Expire in 2 ms for 1 (transfer 0x76b880)
*   Trying xxx.xxx.xxx.xxx...
* TCP_NODELAY set
* Expire in 200 ms for 4 (transfer 0x76b880)
* Connected to my-site.com (xxx.xxx.xxx.xxx) port 80 (#0)
> GET / HTTP/1.1
> Host: my-site.com
> User-Agent: curl/7.64.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Cache-Control: no-cache, no-store, max-age=0, must-revalidate
< Content-Language: en-US
< Content-Type: text/html;charset=UTF-8
< Date: Thu, 05 Dec 2019 14:59:14 GMT
< Expires: 0
< Pragma: no-cache
< Set-Cookie: JSESSIONID=brIELzRMJiWKwtXzzuno7VOR2_egSl7WoqyfCs38; path=/
< X-Application-Context: application:prod:8090
< X-Content-Type-Options: nosniff
< X-Frame-Options: DENY
< X-Xss-Protection: 1; mode=block
< Transfer-Encoding: chunked
<
<!DOCTYPE html>

<html>
        <!-- My site HTML -->
</html>
* Connection #0 to host my-site.com left intact

Can you enable debug log and compare configuration received from kubernetes CRD provider with one you'd expect to see? If they match, can you check that your request actually ends up at traefik and not going to the web sute bypassing it...

how do i do this? -> compare configuration received from kubernetes CRD provider with one you'd expect to see

debug logs as follows. the traffic is definitely going through traefik as the site is not exposed via any other method.

time="2019-12-08T12:53:48+08:00" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.9,en-GB;q=0.8\"],\"Cache-Control\":[\"max-age=0\"],\"Connection\":[\"keep-alive\"],\"Cookie\":[\"JSESSIONID=MtuiSFbBmPztRTqLOutLzyxGKaG_KRpfgSJ3RWGc; _ga=GA1.2.2006152456.1575780454; _gid=GA1.2.338463631.1575780454\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\"],\"X-Forwarded-Host\":[\"my-site.com\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"traefik-56c96855fd-8twrg\"],\"X-Real-Ip\":[\"10.0.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"my-site.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.0.0.1:53109\",\"RequestURI\":\"/\",\"TLS\":null}"
time="2019-12-08T12:53:48+08:00" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.9,en-GB;q=0.8\"],\"Cache-Control\":[\"max-age=0\"],\"Connection\":[\"keep-alive\"],\"Cookie\":[\"JSESSIONID=MtuiSFbBmPztRTqLOutLzyxGKaG_KRpfgSJ3RWGc; _ga=GA1.2.2006152456.1575780454; _gid=GA1.2.338463631.1575780454\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\"],\"X-Forwarded-Host\":[\"my-site.com\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"traefik-56c96855fd-8twrg\"],\"X-Real-Ip\":[\"10.0.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"my-site.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.0.0.1:53109\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="http://10.0.0.5:8090"
time="2019-12-08T12:53:48+08:00" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/1.1\",\"ProtoMajor\":1,\"ProtoMinor\":1,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3\"],\"Accept-Encoding\":[\"gzip, deflate\"],\"Accept-Language\":[\"en-US,en;q=0.9,en-GB;q=0.8\"],\"Cache-Control\":[\"max-age=0\"],\"Connection\":[\"keep-alive\"],\"Cookie\":[\"JSESSIONID=MtuiSFbBmPztRTqLOutLzyxGKaG_KRpfgSJ3RWGc; _ga=GA1.2.2006152456.1575780454; _gid=GA1.2.338463631.1575780454\"],\"Dnt\":[\"1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.108 Safari/537.36\"],\"X-Forwarded-Host\":[\"my-site.com\"],\"X-Forwarded-Port\":[\"80\"],\"X-Forwarded-Proto\":[\"http\"],\"X-Forwarded-Server\":[\"traefik-56c96855fd-8twrg\"],\"X-Real-Ip\":[\"10.0.0.1\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"my-site.com\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"10.0.0.1:53109\",\"RequestURI\":\"/\",\"TLS\":null}"
10.0.0.1 - - [08/Dec/2019:04:53:48 +0000] "GET / HTTP/1.1" 200 1400 "-" "-" 92 "default-my-site-redirect-a8965d81bed1fc6a8d8c@kubernetescrd" "http://10.0.0.5:8090" 10ms

Okay after all this trial-and-error, I found the root cause -> in the redirect ingressroute crd, i made middlewares a child of services when they should really be peers. my bad.

WRONG:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-site
spec:
  entryPoints:
  - web
  routes:
  - kind: Rule
    match: Host(`my-site.com`)
    services:
    - middlewares:
      - name: redirect
      name: my-site
      port: 8090

CORRECT:

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: my-site
spec:
  entryPoints:
  - web
  routes:
  - kind: Rule
    match: Host(`my-site.com`)
    middlewares:
    - name: redirect
    services:
    - name: my-site
      port: 8090