I configured traefik with two entrypoints, http (:80) and https (:443). The http entrypoint should only redirect to the https endpoint.
This is my config:
# apply default-security headers middleware to each router
Can I somehow define the websecure endpoint as the default one, so Ingresses and IngressRoutes, which don't explicitly define their entrypoints, will only generate routers for the websecure endpoint?
It's just a smallish imperfection, but it's bothering me, that I now have a lot of unused and unreachable routers for the web entrypoint. I know I could just specify the websecure entrypoint on all of the Ingresses and IngressRoutes, but I wanted to ask if there is an easier solution before doing this.
Thanks in advance!
I couldn't figure out how to do that... My understanding is that for each router you have to explicitly declare an entrypoint, its service, and its rule (i.e. domain). I ended up having to do that for both http and https. Then if you are using HTTPS you have to provide SSL configuration, either by doing all the letsencrypt stuff, or putting the ssl cert info in a config file. Then separately I create a middleware to redirect from the http router to the https router.
Keen to know if anyone thinks this can be done more easily!
# Routing for HTTP
# Routing for HTTPS
# Http-to-Https redirect Middleware
@stuzor something like that:
# global redirect to https
traefik.http.middlewares.auth.basicauth.users: user:$$apr1$$q8eZFHjF$$Fvmkk//V6Btlaf2i/ju5n/ # user/password
You definitely don't have to define those for each and every router.
My snippet from above is part of my static configuration. On my ingresses (I use traefik on Kubernetes), I just annotate:
- host: my-app.my-domain.com
- path: /
This will now create two routers for me connected to the backend service my-service (the service mentioned in the yaml file is a Kubernetes service, not the Traefik one). Both routers are using the
I could restrict this to only one router by setting the annotation traefik.ingress.kubernetes.io/router.entrypoints: websecure. But as I have hundreds of ingresses, I'd really like to do something that just defines websecure as being the default entrypoint that is used in case none are specified.
And as @Idez pointed out: In a docker environment you only need to define the two annotations traefik.enable: 'true' and
) and you'll end up with two routers connected to the default-headers middleware and the appropriate services.
As this comment on GitHub says, this is a feature that will not be implemented again (it was in v1):
With v2, TLS being defined at router level + ability to route at TCP level, the default entrypoint does not make sense as it could break the TCP router, or accidentally mux HTTP/TCP.
There is now the general rule: The default entrypoints in v2 are all "tcp" entrypoints for http/tcp router, there is no default entrypoint for udp.
So I mark this topic as answered.
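Since v2 offers no default entrypoint, one way to find which of many Ingresses and IngressRoutes are not limited to websecure is to audit the cluster listing. The script below is an added example, not part of the original thread; it assumes its input is JSON as produced by `kubectl get ingress,ingressroute -A -o json`, and the sample objects are constructed.

```python
import json

# Annotation quoted in the thread; IngressRoute objects use spec.entryPoints instead.
ANNOTATION = "traefik.ingress.kubernetes.io/router.entrypoints"
WANTED = "websecure"  # entrypoint name used in this thread


def declared_entrypoints(obj):
    """Return the entrypoints an Ingress or IngressRoute pins itself to."""
    if obj.get("kind") == "IngressRoute":
        return list(obj.get("spec", {}).get("entryPoints") or [])
    annotations = obj.get("metadata", {}).get("annotations") or {}
    raw = annotations.get(ANNOTATION, "")
    return [e.strip() for e in raw.split(",") if e.strip()]


def audit(kubectl_json):
    """Map 'namespace/name' to a finding for each object not limited to WANTED."""
    findings = {}
    for obj in json.loads(kubectl_json).get("items", []):
        meta = obj.get("metadata", {})
        key = f"{meta.get('namespace', 'default')}/{meta.get('name')}"
        eps = declared_entrypoints(obj)
        if not eps:
            # No entrypoints declared: v2 attaches the router to all of them.
            findings[key] = "none declared"
        elif set(eps) != {WANTED}:
            extras = sorted(set(eps) - {WANTED})
            findings[key] = "also on: " + ",".join(extras)
    return findings


# Constructed sample listing (hypothetical names and namespaces).
SAMPLE = json.dumps({"kind": "List", "items": [
    {"kind": "Ingress", "metadata": {"namespace": "shop", "name": "cart"}},
    {"kind": "Ingress", "metadata": {"namespace": "shop", "name": "api",
                                     "annotations": {ANNOTATION: "websecure"}}},
    {"kind": "Ingress", "metadata": {"namespace": "blog", "name": "site",
                                     "annotations": {ANNOTATION: "web, websecure"}}},
    {"kind": "IngressRoute", "metadata": {"namespace": "infra", "name": "dash"},
     "spec": {"entryPoints": ["websecure"]}},
    {"kind": "IngressRoute", "metadata": {"namespace": "infra", "name": "legacy"},
     "spec": {}},
]})

if __name__ == "__main__":
    for key, finding in sorted(audit(SAMPLE).items()):
        print(f"{key}: {finding}")
```
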