Simple http-to-https redirect with default self-signed certificate

Hi, I'm playing with Traefik V2. After looking through the documentation, community and general resources on the Internet, I've come up with the following exercise, which unfortunately is not working.

My objective in this exercise is to configure Traefik as a simple reverse proxy doing http-to-https redirection for a back-end web service.
To learn the configuration, I'm also trying to keep separate config files (and not put everything inside the docker-compose.yml, as I've seen in many tutorials online).

I've come up with the following:

docker-compose.yml:

version: "3.3"

services:

  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - "$PWD/traefik.yml:/etc/traefik/traefik.yml"
      - "$PWD/providers.yml:/etc/traefik/providers.yml"

  whoami:
    image: "traefik/whoami"
    container_name: "whoami"
    labels:
      - "traefik.enable=true"

traefik.yml:

log:
  level: DEBUG

api:
  dashboard: true
  insecure: true

providers:
  docker:
    exposedByDefault: false
  file:
    filename: "/etc/traefik/providers.yml"
    watch: true

entryPoints:
  websecure:
    address: ":443"

providers.yml:

http:

  routers:
    to-whoami:
      rule: "Host(`myipaddress`)"
      entryPoints: web
      middlewares: "https-redirect"
      service: whoami
    redirect-to-https:
      rule: "Host(`myipaddress`)"
      entryPoints: web
      middlewares: "https-redirect"
      service: whoami

  middlewares:
    https-redirect:
     redirectScheme:
       scheme: "https"
    
  services:
    whoami:
      loadBalancer:
        servers:
          - url: "http://whoami"

Where myipaddress is the IP of the server where Docker is running in my local LAN.

The thing is that when I visit http://myipaddress, I'm redirected to https://myipaddress but instead of the whoami service I'm presented with a "404 page not found" error, and I can't understand why.

From the Traefik logs, the only thing I see is:

level=debug msg="http: TLS handshake error from x.x.x.x:56651: remote error: tls: unknown certificate"
level=debug msg="Serving default certificate for request: \"\""

But I think this can be ignored, because I've seen that Traefik generated a self-signed certificate, which is fine for this exercise.

Can you help me in identifying which mistake I've made? :grinning:

1 Like

It doesn't look like you've set up any resolvers or provided your own TLS certificate.

I would review the documentation on HTTPS & TLS and add them to your configuration:
https://doc.traefik.io/traefik/https/overview/

:slight_smile:

1 Like

To be sure I'm understanding: do I need to provide a certificate / ACME whatsoever, or - as I thought - is Traefik able to generate a self-signed certificate for me on the fly?
In the second case, it seems that I'm missing some TLS config for the router section.
Once I manage to get a working config, I'd like to move on to a Let's Encrypt certificate.
The documentation is a little bit tricky to read, IMHO.
Thank you

OK, I think I've done it!

This is the working providers.yml:

http:

  routers:
    to-whoami:
      rule: "Host(`myipaddress`)"
      entryPoints: web
      middlewares: "https-redirect"
      service: whoami
    redirect-to-https:
      rule: "Host(`myipaddress`)"
      entryPoints: web
      middlewares: "https-redirect"
      service: whoami
    to-secure-whoami:
      rule: "Host(`myipaddress`)"
      entryPoints: websecure
      service: whoami
      tls: {}

  middlewares:
    https-redirect:
     redirectScheme:
       scheme: "https"
    
  services:
    whoami:
      loadBalancer:
        servers:
          - url: "http://whoami"

I have created a new router named to-secure-whoami, which basically leverages the self-signed certificate generated by Traefik with default options.
And now, pointing to http://myipaddress, I'm redirected to https://myipaddress, which points to http://whoami in the backend.
I'm very happy :grinning:

1 Like
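
Added example (not part of the original posts and not Traefik's own code): a simplified Python model of router selection showing why the first providers.yml answered HTTPS requests with 404 and the one with `tls: {}` does not. It models only the entry point, a single Host rule and the presence of `tls`; the function names and the `NO_TLS` variant are constructed for illustration.

```python
# Added example: simplified model of Traefik v2 router selection (not Traefik code).
# Only the entry point, a single Host(`...`) rule and the `tls` key are modelled.
import re

def host_of(rule):
    """Return the host from a rule of the form Host(`name`), else None."""
    m = re.fullmatch(r"Host\(`([^`]+)`\)", rule.strip())
    return m.group(1) if m else None

def as_list(value):
    # The thread writes entryPoints as a scalar; accept scalar or list.
    return value if isinstance(value, list) else [value]

def matching_routers(routers, entry_point, host, is_tls):
    """Names of routers that would serve the request; an empty list means 404."""
    hits = []
    for name, r in routers.items():
        if entry_point not in as_list(r["entryPoints"]):
            continue
        if host_of(r["rule"]) != host:
            continue
        # A router with a `tls` section handles only TLS requests;
        # a router without one handles only plain HTTP requests.
        if ("tls" in r) != is_tls:
            continue
        hits.append(name)
    return sorted(hits)

HOST = "myipaddress"  # placeholder used in the thread
WEB_ROUTER = {"rule": "Host(`myipaddress`)", "entryPoints": "web",
              "middlewares": "https-redirect", "service": "whoami"}
SECURE_ROUTER = {"rule": "Host(`myipaddress`)", "entryPoints": "websecure",
                 "service": "whoami", "tls": {}}

# Routers transcribed from the thread's first and working providers.yml.
FIRST = {"to-whoami": WEB_ROUTER, "redirect-to-https": WEB_ROUTER}
WORKING = dict(FIRST, **{"to-secure-whoami": SECURE_ROUTER})
# Constructed variant: bound to websecure but without `tls`.
NO_TLS = {"to-secure-whoami": {k: v for k, v in SECURE_ROUTER.items() if k != "tls"}}

if __name__ == "__main__":
    for label, cfg in (("first", FIRST), ("working", WORKING), ("no-tls", NO_TLS)):
        print(label, "https ->", matching_routers(cfg, "websecure", HOST, True) or "404")
```

The `NO_TLS` case shows that binding a router to `websecure` is not enough on its own: without a `tls` section it still does not serve requests that arrive over TLS.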

Hi @espogian

If you are always going to redirect to https then you can leverage the entrypoint redirection.

https://doc.traefik.io/traefik/routing/entrypoints/#redirection

1 Like

Thank you so much for improving my code!
I've come to the following working configuration, which is much simpler:

traefik.yml:

log:
  level: DEBUG

api:
  dashboard: true
  insecure: true

providers:
  docker:
    exposedByDefault: false
  file:
    filename: "/etc/traefik/providers.yml"
    watch: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: ":443"

providers.yml:

http:

  routers:
    to-secure-whoami:
      rule: "Host(`myipaddress`)"
      entryPoints: websecure
      service: whoami
      tls: {}
    
  services:
    whoami:
      loadBalancer:
        servers:
          - url: "http://whoami"

1 Like