Router priority issues with redirection to https

Continuing the discussion from How to disable http redirect to https for a single container domain?

Hello everybody!
I got 13 services, and all are https except two.
My initial setup did a https redirection on each needed container, but redirected everything, though not globally redirected.
Then found related link, where priority is used and tried, but even whoami example copied/pasted from linked page takes https redirection :_(

My "docker-compose.yml" is:

  traefik:
    image: traefik
    container_name: traefik
    depends_on:
      - dnsmasq
    networks:
      - traefik_network
    ports:
      - 8080:8080
      - 443:443
    command:
      - "--log.level=DEBUG"
      - '--api'
      - '--providers.docker.exposedByDefault=false'
      - '--entrypoints.web.address=:80'
      - '--entrypoints.websecure.address=:443'
      - '--entrypoints.websecure.http.tls=true'
      - '--certificatesresolvers.mydnschallenge.acme.dnschallenge'
      - '--certificatesresolvers.mydnschallenge.acme.dnschallenge.provider=duckdns'
      - '--certificatesresolvers.mydnschallenge.acme.email=admin@none.com'
      - '--certificatesresolvers.mydnschallenge.acme.storage=/letsencrypt/acme.json'
    environment:
      - TZ=${TZ}
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    volumes:
      - './letsencrypt:/letsencrypt'
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.traefik.rule=Host(`traefik.piset.local`)'
      - 'traefik.http.routers.traefik.entrypoints=websecure'
      - 'traefik.http.routers.traefik.service=api@internal'

      - 'traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)'
      - 'traefik.http.routers.http-catchall.entrypoints=web'
      - 'traefik.http.routers.http-catchall.middlewares=redirect-to-https'
      - 'traefik.http.routers.http-catchall.priority=1000'
      - 'traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https'

  whoami:
    image: containous/whoami
    ports:
      - 7777:80
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.aaa.rule=Host(`toto.localhost`)'
      - 'traefik.http.routers.aaa.entrypoints=web'
      - 'traefik.http.routers.aaa.priority=2000'

Any help would be appreciated.
Thanks in advance! :slight_smile:

Aside from the missing network in the whoami service and incorrect port publishing (should be 8080:80), this works fine. What are you experiencing vs. what are you expecting?

toto.localhost served on http

http://toto.localhost:8080
$ curl -ki http://toto.localhost:8080 
HTTP/1.1 200 OK
Content-Length: 361
Content-Type: text/plain; charset=utf-8
Date: Tue, 23 Mar 2021 11:40:35 GMT

Hostname: 68455dfaeda2
IP: 127.0.0.1
IP: 172.20.0.2
RemoteAddr: 172.20.0.3:40422
GET / HTTP/1.1
Host: toto.localhost:8080
User-Agent: curl/7.68.0
Accept: */*
Accept-Encoding: gzip
X-Forwarded-For: 172.20.0.1
X-Forwarded-Host: toto.localhost:8080
X-Forwarded-Port: 8080
X-Forwarded-Proto: http
X-Forwarded-Server: 8ce32f207d3a
X-Real-Ip: 172.20.0.1

Some other hostname is redirected to https

http://another.localhost:8080
$ curl -ki http://another.localhost:8080 
HTTP/1.1 302 Found
Location: https://another.localhost/
Date: Tue, 23 Mar 2021 11:43:07 GMT
Content-Length: 5
Content-Type: text/plain; charset=utf-8

traefik dashboard is served on https and redirected to /dashboard/

https://traefik.piset.local
$ curl -ki https://traefik.piset.local --resolve traefik.piset.local:443:127.0.0.1
HTTP/2 302 
content-type: text/html; charset=utf-8
location: /dashboard/
content-length: 34
date: Tue, 23 Mar 2021 11:44:47 GMT

<a href="/dashboard/">Found</a>.

Thank you very much for your message cakiwi.
Apologies for not being clear enough with my issue.
About the environment:

  • All services run on same host, with IP 192.168.1.2.
  • There is a DNS service that points all request to 192.168.1.2.

traefik service ports corrected to:

    ports:
      - 80:80
      - 443:443

to keep things simple, used same domain for whoami and traefik service:

    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.aaa.rule=Host(`toto.piset.local`)'

Port 8080 is used by another service, so picked 7777 for whoami.

Sorry about changing premises, but results remain:

  1. http://traefik.piset.local as instructed by router http-catchall is redirected to https://traefik.piset.local:
curl -ki https://traefik.piset.local
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: /dashboard/
Date: Tue, 23 Mar 2021 18:08:09 GMT
Content-Length: 34
  2. https://traefik.piset.local is correctly served:
curl -ki https://traefik.piset.local
HTTP/1.1 302 Found
Content-Type: text/html; charset=utf-8
Location: /dashboard/
Date: Tue, 23 Mar 2021 18:08:09 GMT
Content-Length: 34

<a href="/dashboard/">Found</a>.
  3. http://192.168.1.2:7777 correctly shows whoami page:
curl -ki http://192.168.1.2:7777
HTTP/1.1 200 OK
Date: Tue, 23 Mar 2021 18:08:33 GMT
Content-Length: 166
Content-Type: text/plain; charset=utf-8

Hostname: 0284bbb19704
IP: 127.0.0.1
IP: 172.19.0.4
RemoteAddr: 192.168.1.112:64838
GET / HTTP/1.1
Host: 192.168.0.200:7777
User-Agent: curl/7.55.1
Accept: */*
  4. http://toto.piset.local:7777 is correctly served:
curl -ki http://toto.piset.local:7777
HTTP/1.1 200 OK
Date: Tue, 23 Mar 2021 18:40:39 GMT
Content-Length: 169
Content-Type: text/plain; charset=utf-8

Hostname: ecbbaf9c3dfc
IP: 127.0.0.1
IP: 172.19.0.4
RemoteAddr: 192.168.0.112:63076
GET / HTTP/1.1
Host: toto.piset.local:7777
User-Agent: curl/7.55.1
Accept: */*
  5. http://toto.localhost is expected to use traefik.http.routers.aaa as its priority is higher than traefik.http.routers.http-catchall, but is redirected to https:
curl -ki http://toto.piset.local
HTTP/1.1 302 Found
Location: https://toto.piset.local/
Date: Tue, 23 Mar 2021 18:24:09 GMT
Content-Length: 5
Content-Type: text/plain; charset=utf-8

Found
  6. https://toto.piset.local is 404:
curl -ki https://toto.piset.local
HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Tue, 23 Mar 2021 18:25:15 GMT
Content-Length: 19

404 page not found
  7. Any other host on domain piset.local is redirected to https:
curl -ki http://foo.piset.local
HTTP/1.1 302 Found
Location: https://foo.piset.local/
Date: Tue, 23 Mar 2021 18:26:31 GMT
Content-Length: 5
Content-Type: text/plain; charset=utf-8

Found

All my https services work fine, but http does not.

As said - and perhaps I'm wrong - I was expecting to avoid the global https redirection on certain services through its routers priority.

Thank you for your time

P.S. I'm as newbie on forums as I don't know how you did to fold/unfold code

Double check your rules. Your example compose has a mix of .local and .localhost.

Hi again,
Sorry about the misunderstanding; as stated above I changed the initial premises (configuration): to use only one domain, corrected ports, and now added networks to whoami (though I could be mistaken, but as they are inside the same stack, they would be visible), also turned off the service which used port 8080, and assigned it to whoami (port 7777 configuration also results in 502 Bad Gateway):

  traefik:
    image: traefik
    container_name: traefik
    depends_on:
      - dnsmasq
    networks:
      - traefik_network
    ports:
      - 80:80
      - 443:443
    command:
      - "--log.level=DEBUG"
      - '--api'
      - '--providers.docker.exposedByDefault=false'
      - '--entrypoints.web.address=:80'
      - '--entrypoints.websecure.address=:443'
      - '--entrypoints.websecure.http.tls=true'
      - '--certificatesresolvers.mydnschallenge.acme.dnschallenge'
      - '--certificatesresolvers.mydnschallenge.acme.dnschallenge.provider=duckdns'
      - '--certificatesresolvers.mydnschallenge.acme.email=admin@none.com'
      - '--certificatesresolvers.mydnschallenge.acme.storage=/letsencrypt/acme.json'
    environment:
      - TZ=${TZ}
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
    volumes:
      - './letsencrypt:/letsencrypt'
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.traefik.rule=Host(`traefik.piset.local`)'
      - 'traefik.http.routers.traefik.entrypoints=websecure'
      - 'traefik.http.routers.traefik.service=api@internal'

      - 'traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)'
      - 'traefik.http.routers.http-catchall.entrypoints=web'
      - 'traefik.http.routers.http-catchall.middlewares=redirect-to-https'
      - 'traefik.http.routers.http-catchall.priority=1000'
      - 'traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https'

  whoami:
    image: containous/whoami
    ports:
      - 8080:80
    networks:
      - traefik_network
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.aaa.rule=Host(`toto.local.piset`)'
      - 'traefik.http.routers.aaa.entrypoints=web'
      - 'traefik.http.services.aaa.loadbalancer.server.port=8080'
      - 'traefik.http.routers.aaa.priority=2000'

With almost same results (5 changed from 302 to 502):

  1. http://traefik.piset.local redirects to https://traefik.piset.local, through 302.
  2. https://traefik.piset.local correctly served, with 302.
  3. http://192.168.1.2:7777 works with 200 OK.
  4. http://toto.local.piset:7777 works with 200 OK.
  5. http://toto.local.piset 502 Bad Gateway.
  6. https://toto.local.piset 404 Page not found.
  7. http://foo.local.piset redirected to https://foo.local.piset through 302.

So the initial "issue" seems "solved" as http://toto.local.piset is not redirected anymore... but... why doesn't it work?

Publishing the ports is not needed when using traefik on the same network; this is only needed if you are accessing directly, bypassing traefik.
whoami uses 80 by default, so remove traefik.http.services.aaa.loadbalancer.server.port or change it to 80.

Ok... seems that the problem is certificate folder configuration (used to load wildcard certificates).
When it is not used, works like a charm. No redirection to https on whoami service.

Once configured, the whoami service with toto.piset.local is redirected to https.
Perhaps it finds a suitable certificate for the host, and it redirects the connection to https.
Don't know... got two self-signed wildcard certs: piset.local and piset.tv. First works, second one is redirected to https.

Mmm.... not completely true.
Played a bit: changed one http service with piset.tv host, to piset.local, and it worked (service not redirected). Get it back to piset.tv host, and still worked. Then not able to recreate the problem. I promise that the only thing I changed is host rule, and then did docker-compose up service to recreate it.

Never mind... if it works, don't touch it... (I spent four days Googling and trying things before writing in this forum), I don't want to lose it now that it works...

Thank you very much for your time.

Oh... My... God...
Found the problem.
As silly as docker-compose.yml version.
Got several docker-compose files, the one driving me crazy was version 3.
Once changed to 3.7, works like a charm.

My fault, sorry guys :frowning:
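
The setup the thread converges on, written out as an added example that is not part of any post: one consistent hostname, whoami reachable only through Traefik on the shared network, backend port 80, and the compose file version the last post settled on. Assumptions: the `traefik:v2.4` tag, the `traefik_network` definition, and leaving out the ACME resolver and dnsmasq service to keep it short.

```yaml
# Added example, not from the thread. Assumptions: Traefik v2 label syntax,
# the hostnames and priorities used in the posts, a single shared network.
version: '3.7'

services:
  traefik:
    image: traefik:v2.4   # assumed tag; the posts use the untagged image
    networks:
      - traefik_network
    ports:
      - 80:80
      - 443:443
    command:
      - '--api'
      - '--providers.docker.exposedByDefault=false'
      - '--entrypoints.web.address=:80'
      - '--entrypoints.websecure.address=:443'
      - '--entrypoints.websecure.http.tls=true'
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.traefik.rule=Host(`traefik.piset.local`)'
      - 'traefik.http.routers.traefik.entrypoints=websecure'
      - 'traefik.http.routers.traefik.service=api@internal'
      # Catch-all on the HTTP entrypoint: anything not matched by a
      # higher-priority router is redirected to HTTPS.
      - 'traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)'
      - 'traefik.http.routers.http-catchall.entrypoints=web'
      - 'traefik.http.routers.http-catchall.middlewares=redirect-to-https'
      - 'traefik.http.routers.http-catchall.priority=1000'
      - 'traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https'

  whoami:
    image: containous/whoami
    # No "ports:" entry: a published port bypasses Traefik entirely.
    networks:
      - traefik_network
    labels:
      - 'traefik.enable=true'
      # Exact Host match keeps the plain-HTTP exception to this one name.
      - 'traefik.http.routers.aaa.rule=Host(`toto.piset.local`)'
      - 'traefik.http.routers.aaa.entrypoints=web'
      - 'traefik.http.routers.aaa.priority=2000'   # above the catch-all
      - 'traefik.http.services.aaa.loadbalancer.server.port=80'

networks:
  traefik_network:
```

The curl checks used earlier in the thread confirm the result: `curl -ki http://toto.piset.local` should return 200 from whoami, while `curl -ki http://foo.piset.local` should still return the 302 to https.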
