Replacepathregex always http:// scheme

Hi all, I'm having a hard time with the replacepathregex middleware in Traefik 3.0.3.

I created a middleware (Nextcloud well-known redirect)

http:
  middlewares:
    nextcloud-redirect:
      replacepathregex:
        regex: "/well-known/(card|cal)dav(/?.*)$"
        replacement: "/remote.php/dav/"

and bound this middleware to multiple application instances running on my system. The middleware loads and is shown in the Traefik web UI. So far it works, but I see the redirect is always generated using the http:// scheme even when I access the initial URL through https://. My expectation was that this redirect would only replace the relevant part and preserve the scheme and hostname?

In my installation I do a permanent http->https rewrite at the entrypoint level, so the request works in general. But I'm wondering whether this is the expected situation?

I even tried to hardcode the redirect to https:// but without success

http:
  middlewares:
    nextcloud-redirect:
      replacepathregex:
        regex: "https://(.*)/well-known/(card|cal)dav(/?.*)$"
        replacement: "https://$1/remote.php/dav/"

Still, the "location:" is always an http:// URL
(I removed not related curl output for better readability)

# curl test
curl https://test-nc.mydomain.tld/.well-known/carddav/ -ILv
*   Trying 192.168.11.4:443...
* Connected to test-nc.mydomain.tld (192.168.11.4) port 443 (#0)
# initial request
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
< HTTP/2 301
HTTP/2 301
< location: http://test-nc.mydomain.tld/remote.php/dav/
location: http://test-nc.mydomain.tld/remote.php/dav/
# redirect to http:// using port 80
<
* Connection #0 to host test-nc.mydomain.tld left intact
* Clear auth, redirects to port from 443 to 80
* Issue another request to this URL: 'http://test-nc.mydomain.tld/remote.php/dav/'
* Switched from HTTP to HTTPS due to HSTS => https://test-nc.mydomain.tld/remote.php/dav/

In other words, both tests below generate a plain http:// location: http://test-nc.mydomain.tld/remote.php/dav/ What is wrong and how can I generate valid https:// redirects?

The ReplacePathRegex middleware should only replace the path (doc) in the proxied/forwarded request; it should not touch the protocol scheme or domain.

The protocol for the proxied/forwarded request is set by the Traefik service, it usually defaults to http.

I don't find anything related to the scheme in the service docs - only the scheme setting of the healthcheck - could you please point me to the right setting? I'm wondering how to set this up right. I'm running the service as plain http and do TLS offloading using Traefik. My service's Traefik labels are defined like this:

    labels:
      - traefik.enable=true
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.entryPoints=web-secure
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.priority=1             # for notify_push
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.rule=Host(`${DOMAIN}`) # Nextcloud public FQDN
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.tls=true
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.tls.certresolver=letsencryptresolver
      - traefik.http.routers.${COMPOSE_PROJECT_NAME}.middlewares=secHeaders3@file,nextcloud-redirect@file
      - traefik.http.services.${COMPOSE_PROJECT_NAME}.loadbalancer.server.port=80

I was under the impression that the service is kind of unrelated to "external" things like the URL.

Traefik dynamic config with Docker labels (reference):

  - "traefik.http.services.service02.loadbalancer.server.scheme=foobar"

I tested and this is definitely not the right setting.

adding
- traefik.http.services.${COMPOSE_PROJECT_NAME}.loadbalancer.server.scheme=https
results in
image
which in turn makes the whole service unavailable (expectable - as the service runs plain http://)

Can you explain again what you want to achieve? You use ReplacePathRegex (which changes the path inside the proxied/forwarded request), but also mention a redirect.

When I access https://test-nc.mydomain.tld/.well-known/carddav/ I see a 301 with location: http://test-nc.mydomain.tld, but you might be right that the redirect doesn't come from Traefik. At least it doesn't kick in for a simple whoami container (which I don't understand either). Maybe the service behind it created the redirect.

I'll do some more tests and come back with results..

Enable Traefik access log in JSON format (doc), it will tell you OriginStatus (target service response) and DownstreamStatus (Traefik response).

It was in fact the backend service that fooled me :fish: After some testing I switched to

      redirectregex:
        regex: "/\\.well-known/(?:cal|card)dav(?:/)?$"
        replacement: "/remote.php/dav/"

which does exactly what I want - I get a valid 301 redirect to the https location

Thank you for your help @bluepuma77!
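
The access-log check suggested in this thread, as an added example that is not part of the original posts: it reads Traefik JSON access log lines, uses OriginStatus and DownstreamStatus to tell whether a redirect came from the backend or from Traefik, and flags a Location that drops a TLS request to http://. The sample lines are constructed, and the `origin_Location` / `downstream_Location` header fields and the `web-secure` entrypoint name are assumptions about the logging setup.

```python
import json
from urllib.parse import urlsplit

# Constructed sample lines (not from the thread) in the shape of Traefik's JSON
# access log. Assumption: response headers are kept in the log, so Location
# appears as origin_Location / downstream_Location.
SAMPLE_LOG = """\
{"RequestHost":"test-nc.mydomain.tld","RequestPath":"/.well-known/carddav/","entryPointName":"web-secure","OriginStatus":301,"DownstreamStatus":301,"origin_Location":"http://test-nc.mydomain.tld/remote.php/dav/","downstream_Location":"http://test-nc.mydomain.tld/remote.php/dav/"}
{"RequestHost":"test-nc.mydomain.tld","RequestPath":"/.well-known/caldav","entryPointName":"web-secure","OriginStatus":0,"DownstreamStatus":301,"downstream_Location":"https://test-nc.mydomain.tld/remote.php/dav/"}
{"RequestHost":"test-nc.mydomain.tld","RequestPath":"/status.php","entryPointName":"web-secure","OriginStatus":200,"DownstreamStatus":200}
not-json garbage line
"""

TLS_ENTRYPOINTS = {"web-secure"}  # assumption: TLS entrypoint name from the labels


def classify(entry):
    """Return (source, downgrade) for a redirect entry, or None if not a 3xx."""
    down = entry.get("DownstreamStatus", 0)
    if not 300 <= down < 400:
        return None
    origin = entry.get("OriginStatus", 0)
    # No 3xx recorded from the backend: the redirect was produced by Traefik
    # itself (for example a redirectregex middleware or entrypoint redirect).
    source = "backend" if 300 <= origin < 400 else "traefik"
    location = entry.get("downstream_Location", "")
    # A relative Location has no scheme, so it cannot downgrade the client.
    downgrade = (entry.get("entryPointName") in TLS_ENTRYPOINTS
                 and urlsplit(location).scheme == "http")
    return source, downgrade


def audit(log_text):
    """Return [(path, source, downgrade)] for every redirect in the log text."""
    findings = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip non-JSON lines (startup messages, truncated writes)
        if isinstance(entry, dict) and (result := classify(entry)):
            findings.append((entry.get("RequestPath"), *result))
    return findings


if __name__ == "__main__":
    for path, source, downgrade in audit(SAMPLE_LOG):
        flag = "HTTPS->HTTP DOWNGRADE" if downgrade else "ok"
        print(f"{path}: redirect issued by {source} [{flag}]")
```

A "backend" finding with the downgrade flag matches the situation resolved above: the application behind the TLS-terminating proxy built the http:// Location itself.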
