Simple http-to-https redirect with default self-signed certificate

Traefik Traefik v2
1

Hi, I'm playing with Traefik V2, after looking through the documentation, community and general resources on Internet, I've come with the following exercise that unfortunately is not working.

My objective in this exercise is to configure Traefik as a simple reverse proxy doing http-to-https redirection for a back-end web service.
To learn the configurations I'm also trying to keep separate config files (and not putting everything inside the docker-compose.yml as I've seen in many tutorials online)

I've come up with the following

docker-compose.yml:

version: "3.3"

services:

  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "$PWD/traefik.yml:/etc/traefik/traefik.yml"
      - "$PWD/providers.yml:/etc/traefik/providers.yml"

  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"

traefik.yml:

log:
  level: DEBUG

api:
  dashboard: true
  insecure: true

providers:
  docker:
    exposedByDefault: false
  file:
    filename: "/etc/traefik/providers.yml"
    watch: true

entryPoints:
  websecure:
    address: ":443"

providers.yml:

http:

  routers:
    to-whoami:
      rule: "Host(`myipaddress`)"
      entryPoints: web
      middlewares: "https-redirect"
      service: whoami
    redirect-to-https:
      rule: "Host(`myipaddress`)"
      entryPoints: web
      middlewares: "https-redirect"
      service: whoami

  middlewares:
    https-redirect:
     redirectScheme:
       scheme: "https"
    
  services:
    whoami:
      loadBalancer:
        servers:
          - url: "http://whoami"

Where myipaddress is the IP of the server where Docker is running in my local LAN.

The thing is that when I visit http://myipaddress, I'm redirected to https://myipaddress but instead of the whoami service I'm presented with a "404 page not found" error, and I can't understand why.

From Traefik logs, the only thing I see is

level=debug msg="http: TLS handshake error from x.x.x.x:56651: remote error: tls: unknown certificate"
level=debug msg="Serving default certificate for request: \"\""

But I think this could be ignored because I've seen that Traefik generated a self-signed certificate which for this exercise it's fine.

Can you help me in identifying which mistake I've made? :grinning:

1 Like
2

It doesn't look like you've set up any resolvers or provided your own TLS certificate.

I would review the documentation on HTTPS && TLS and add them to your configuration:
https://doc.traefik.io/traefik/https/overview/

:slight_smile:

1 Like
3

To be sure I'm understanding: do I need to provide a certificate / ACME whatsoever or - as I thought - Traefik is able to generate a self-signed certificate for me on the fly?
In this second case, it seems that I'm missing some TLS confing for the router section
Once I manage to get a working config, I'd like to move on with a Let's Encrypt certificate
Documentation is a little bit tricky to read IMHO
Thank you

4

OK, I think I've done it!

This is the working providers.yml

http:

  routers:
    to-whoami:
      rule: "Host(`myipaddress`)"
      entryPoints: web
      middlewares: "https-redirect"
      service: whoami
    redirect-to-https:
      rule: "Host(`myipaddress`)"
      entryPoints: web
      middlewares: "https-redirect"
      service: whoami
    to-secure-whoami:
      rule: "Host(`myipaddress`)"
      entryPoints: websecure
      service: whoami
      tls: {}

  middlewares:
    https-redirect:
     redirectScheme:
       scheme: "https"
    
  services:
    whoami:
      loadBalancer:
        servers:
          - url: "http://whoami"

I have created a new router named to-secure-whoami which basically leverages the self-signed certificate generated by Traefik with default options.
And now pointing to http://myipaddress I'm redirected to https://myipaddress which is pointing in backend to http://whoami
I'm very happy :grinning:

1 Like
5

Hi @espogian

If you are always going to redirect to https then you can leverage the entrypoint redirection.

https://doc.traefik.io/traefik/routing/entrypoints/#redirection

1 Like
6

Thank you so much for improving my code!
I've come to the following working configuration which is way more simpler

traefik.yml

log:
  level: DEBUG

api:
  dashboard: true
  insecure: true

providers:
  docker:
    exposedByDefault: false
  file:
    filename: "/etc/traefik/providers.yml"
    watch: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers.yml

http:

  routers:
    to-secure-whoami:
      rule: "Host(`myipaddress`)"
      entryPoints: websecure
      service: whoami
      tls: {}
    
  services:
    whoami:
      loadBalancer:
        servers:
          - url: "http://whoami"
1 Like