The best way to implement global redirect to another domain including any possible nested subdomains and paths

Traefik Traefik v3 (latest)
1

To be clear

Current solution
What I have currently is regex below. This looks rather complicated and I don't envy the guy who will have to adjust it while seeing it first time.

- traefik.http.middlewares.redirect.redirectregex.regex=^https?://((?:[a-zA-Z0-9-]+\.)*)*old-domain(.*)$$
- traefik.http.middlewares.redirect.redirectregex.replacement=https://$${1}new-domain$${2}

Another way to go is to create a separate redirect middleware for every nested subdomain. I am not sure if it is a nice solution in case one has, say, 50 combinations of subdomains

Any better / clearer / easier ways to solve this problem?

2

I would make a clear distinction between different wildcards, like

*.old-domain.com
*.sub-system.old-domain.com
*.other-domain.com

You will need all the wildcard domains listed anyway to create matching wildcard TLS certificates for this to actually work (with dnsChallenge). Without the TLS certs, the browser will usually just stop with a big warning and not redirect.

You want the path to stay the same after redirect?

3

Yes. The path is easy to handle actually. The problem is nested subdomains. The regex there looks indeed scary.

You will need all the wildcard domains listed

Remark for others:

  • Here you refer to the fact that for HTTPS redirects I need to create TLS Certificate for every possible subdomain (wildcard * makes it a bit better but still). These TLS Certificates shall be created for both old and new domain

You are correct and this is actually already automated in our case. The wildcard certificates are created.

Since we only interested in subdomains with valid TLS Certificate (otherwise browser will simply complain about TLS Certificate issue), is it really the only way to go, to create a separate redirect middleware for every subdomain? @bluepuma77

4

As I think further on the matter, we also have automated Traefik Router Rules, so only expected subdomains will be accepted by Traefik which means TLS Certificates will be present and handled.

Since only expected subdomains reach redirect middleware (so TLS is handled), I just want to blindly redirect these requests to a different domain while keeping subdomains (and paths) (i.e. whatever.old-domain.com/v1 --> whatever.new-domain.com/v1).

I wish there is / was a simple way to achieve that without crazy regex. So, [the very] original question still makes sense.

How to redirect any nested subdomains and paths to a new domain while keeping subdomains and paths without creating a separate middleware for every possible combination and without complicated [error-prone] [probably-hard-to-maintain] regex

5

So you want to replace the old-domain.com TLD with a new one, keep sub-domains and path.

If you already have the TLS certs, then the logic seems simple: (*.)old-domain.com(*.). The capture groups will get optional sub-domain(s) and optional path, then you can simply replace the main TLD.

I would split it into two routers, the regular one and a catchall as fallback:

  whoami:
    image: traefik/whoami:v1.10
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.whoami.rule=Host(`domain.com`) || HostRegexp(`.+\.domain\.com`)
      - traefik.http.services.whoami.loadbalancer.server.port=80

  catchall:
    image: traefik/whoami:v1.10
    networks:
      - proxy
    labels:
      - traefik.enable=true
      - traefik.http.routers.catchall.rule=HostRegexp(`.+`)
      - traefik.http.routers.catchall.middlewares=redir
      - traefik.http.middlewares.redir.redirectregex.regex=^(.*)old-domain\.com(.*)
      - traefik.http.middlewares.redir.redirectregex.replacement=$${1}domain.com$${2}
      - traefik.http.services.catchall.loadbalancer.server.port=80

Target service whoami uses new domain and a RegEx for all sub-somains. Note that . in RegEx is a placeholder for any character, so the dot in domain needs to be escaped \.. The redirect service has a shorter rule, lower priority, therefore will be matched after the first.

6

Thanks for your help :sunny:

This solution has a bug. It incorrectly redirects, for example, the following URL: https://new-domain.com/file/certs/old-domain.com ---> https://new-domain.com/file/certs/new-domain.com. To put it in other words, in case URL contains this domain in path while TLD is something else, the redirect is triggered.

Short summary

The solution tends towards just coming up with another Regex, which I am not sure was the original target. I don't think there is a simple regex with "no bugs" to cover this use case (maybe somebody can change my mind and find a nice flawless regex)

I would rather anticipate to have some built-in traefik feature for redirects which does not exist now (afaiu). But I can see a benefit in covering this use case with a built-in feature (instead of messing with regex).

Update
The bug in regex described above will not happen because Traefik Rule includes HostRegex. This does not cancel out the problem of having old-domain.com in path. So https://old-domain.com/files/certs/old-domain.com will be redirected to https://old-domain.com/files/certs/new-domain.com

7

Excellent. Traefik is open source, so you can implement it and even bring it back into mainline with a pull request.

Alternatively you can look into Traefik plugins (doc), maybe something exists or create your own.

1 Like
8

For those interested

Here is a slightly simpler regex that seems to work for all cases:

Excerpt from docker-compose.yml:

- traefik.http.middlewares.redirect.redirectregex.regex: ^https://([^/]*)old-domain\.com(.*)$$
- traefik.http.middlewares.redirect.redirectregex.replacement: https://$${1}new-domain.com$${2}
9

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.