Tomcat response not rewritten to https [solved]

I'm using Traefik 2.0.7. I have trouble finding the right configuration.

What I want is to redirect traffic to a Tomcat app:
http://ww__om --> https://ww__om/app

What happens is:
http://ww__om --> https://ww__om/ --> http://ww__om/app (no https)

traefik.yaml:

entryPoints:
  web:
    address: ':80'
  web-secure:
    address: ':443'

http:
  middlewares:
    https-redirect:
      redirectScheme:
        scheme: https

providers:
  file:
    directory: '/etc/traefik/conf.d'
    watch: true

#log:
#  level: DEBUG

api:
  insecure: true
  dashboard: true
#  debug: true

certificatesResolvers:
  le-staging:
    acme:

app.yaml:

http:

  routers:
    app-router:
      entryPoints:
        - 'web-secure'
      middlewares:
        - 'app-replace'
        - 'app-header'
      service: 'app-service'
      rule: 'Host(`ww__om`)'
      tls:
        certResolver: 'le-staging'

  middlewares:
    app-replace:
      replacePathRegex:
        regex: "^/$"
        replacement: "/app/"
    app-header:
      headers:
        sslRedirect: true

  services:
    app-service:
      loadBalancer:
        servers:
        - url: 'http://ip-address:8080'

Hello,

You have mixed the dynamic configuration and the static configuration.

The dynamic configuration and the static configuration must be defined in separate files:


I recommend reading the "Global HTTP to HTTPS redirection" section: https://docs.traefik.io/v2.1/migration/v1-to-v2/#http-to-https-redirection-is-now-configured-on-routers

Thanks for the reply!

It worked for all my other redirections, except the tomcat one.
It won't even redirect the base url (test.someurl.com) to https now (all the other redirections are still fine).

I changed my configuration and removed the http part from the static file.

My dynamic file is now:

http:

  routers:
    test-router:
      entryPoints:
        - 'web'
        - 'web-secure'
      middlewares:
        - 'test-redirect'
        - 'test-replace'
      service: 'test-service'
      rule: 'Host(`test.someurl.com`)'
      tls:
        certResolver: 'le-production'

  middlewares:
    test-redirect:
      redirectScheme:
        scheme: https
    test-replace:
      replacePathRegex:
        regex: "^/?$"
        replacement: "/kitodo/"

  services:
    test-service:
      loadBalancer:
        servers:
        - url: 'http://10.somedigits.40:8080'

http://test.someurl.com --> 404
https://test.someurl.com --> http://test.vecteur.gbldev.ch/kitodo/pages/login.jsf (also 404)
What's weird: the /pages/login.jsf got redirected correctly by Tomcat.

Is it possible to add the https to the URL on the way back from Tomcat to the browser?

You can try something like this:

http:

  routers:
    # renamed: the two routers cannot share one key under "routers"
    test-router-http:
      rule: Host(`test.someurl.com`)
      entryPoints:
        - web
      middlewares:
        - test-redirect
      service: test-service

    test-router:
      rule: Host(`test.someurl.com`)
      entryPoints:
        - web-secure
      middlewares:
        - test-replace
      service: test-service
      tls:
        certResolver: le-production

  middlewares:
    test-redirect:
      redirectScheme:
        scheme: https
    test-replace:
      replacePathRegex:
        regex: ^/?$
        replacement: /kitodo/

  services:
    test-service:
      loadBalancer:
        servers:
        - url: http://10.somedigits.40:8080

That's not working either...
But the bigger problem is that the responses are not rewritten to use https.
So even if I manually type in the 'https', I have to do that for every subsequent page I get from Tomcat.

It seems https redirect is broken in Traefik.
I'll switch back to nginx; at least there I know everything works.

Thanks for your time!

It's not broken, give your configurations (static and dynamic)

I followed your suggestion for global redirection.

static traefik.yaml:

entryPoints:
  web:
    address: ':80'
  web-secure:
    address: ':443'

providers:
  file:
    directory: '/etc/traefik/conf.d'
    watch: true

log:
  level: DEBUG

api:
  insecure: true
  dashboard: true
  debug: true

certificatesResolvers:
  le-staging:
    acme:
      email: {redacted}
      caServer: 'https://acme-staging-v02.api.letsencrypt.org/directory'
      storage: '/etc/traefik/acme.json'
      tlsChallenge: true
  le-production:
    acme:
      email: {redacted}
      storage: '/etc/traefik/acme.json'
      tlsChallenge: true

dynamic https.yaml:

http:

  routers:
    router:
      entryPoints:
        - 'web'
      middlewares:
        - 'redirect'
      rule: 'HostRegexp(`{host:.+}`)'
    service = 'noop'

  middlewares:
    redirect:
      redirectScheme:
        scheme = "https"

  # noop service, the URL will be never called
  services:
    noop:
      loadBalancer:
        servers:
          - url: 'http://192.168.0.1'

dynamic test.yaml:

http:

  routers:
    test-router:
      entryPoints:
        - 'web-secure'
      middlewares:
        - 'test-replace'
        - 'test-header'
      service: 'test-service'
      rule: 'Host(`test.someurl.com`)'
      tls:
        certResolver: 'le-production'

  middlewares:
    test-replace:
      replacePathRegex:
        regex: "^/?$"
        replacement: "/kitodo/"
    test-header:
      headers:
        sslRedirect: true

  services:
    test-service:
      loadBalancer:
        servers:
        - url: 'http://wms:8080'

I could give you the URL so you can see the behaviour first hand, but I don't want to post it publicly.

The YAML syntax is invalid in the dynamic file and the indentation is also wrong.

And some other things are wrong.

http:

  routers:
    router:
      rule: HostRegexp(`{host:.+}`)
      entryPoints:
        - web
      middlewares:
        - redirect
      service: noop

  middlewares:
    redirect:
      redirectScheme:
        scheme: https

  # noop service, the URL will be never called
  services:
    noop:
      loadBalancer:
        servers:
          - url: http://192.168.0.1

http:

  routers:
    test-router:
      rule: Host(`test.someurl.com`)
      entryPoints:
        - web-secure
      middlewares:
        - add-kitodo
      service: test-service
      tls:
        certResolver: le-production

  middlewares:
    add-kitodo:
      addPrefix:
        prefix: /kitodo

  services:
    test-service:
      loadBalancer:
        servers:
        - url: http://wms:8080 

I found an error in https.yaml:

    service = 'noop'

I have corrected it, but still no change in its overall behaviour

read my previous post.

I used the addPrefix, but I had problems with that:
The URL gets correctly expanded from test.someurl.com to test.someurl.com/kitodo/pages/login.jsf
But with my regex solution I see the page; with the addPrefix I get a redirect error.
Even if I manually type the full URL with https.

Again, no https in the response.

Edit:
That's why the addPrefix is not working:
[12/Feb/2020:14:05:17 +0000] "GET /kitodo//kitodo/pages/login.jsf HTTP/1.1" 302 -

I fiddled around yesterday with different versions of traefik and got nowhere.
But as of this morning it - somehow - works.

The static config hasn't changed, below the dynamic config:

http:

  routers:
    wms-router:
      entryPoints:
        - 'web-secure'
      middlewares:
        - 'wms-replace'
      service: 'wms-service'
      rule: 'Host(`wms.someurl.com`)'
      tls:
        certResolver: 'le-production'

  middlewares:
    wms-replace:
      replacePathRegex:
        regex: "^/?$"
        replacement: "/kitodo/"

  services:
    wms-service:
      loadBalancer:
        servers:
        - url: 'http://wms:8080'

Thanks @ldez for your patience and help :slight_smile:
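
Added example, not part of the original thread: a small Python check for the symptom discussed above, where a request that has already been upgraded to https is sent back to http by an absolute `Location` header from the backend (the proxy-to-Tomcat hop in these configs is plain http). The recorded chains below are constructed samples using the thread's placeholder host `test.someurl.com`; the function name `walk_redirects` is an assumption of this example.

```python
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def walk_redirects(start_url, hops):
    """Follow a recorded redirect chain and report https -> http downgrades.

    hops: list of (status, location) pairs in the order they were received,
          e.g. copied from `curl -sIL` output; location is the raw Location
          header (absolute or relative) or None.
    Returns (final_url, downgrades), where downgrades is a list of
    (from_url, to_url) pairs in which an https URL redirected to http.
    """
    current = start_url
    downgrades = []
    for status, location in hops:
        if status not in REDIRECT_CODES or not location:
            break  # chain ends at the first non-redirect response
        # A relative Location inherits the scheme of the current URL.
        target = urljoin(current, location)
        if urlsplit(current).scheme == "https" and urlsplit(target).scheme == "http":
            downgrades.append((current, target))
        current = target
    return current, downgrades

# Constructed sample: proxy upgrades to https, backend answers with an
# absolute http:// Location (the behaviour reported in the thread).
BROKEN_CHAIN = [
    (302, "https://test.someurl.com/"),
    (302, "http://test.someurl.com/kitodo/pages/login.jsf"),
    (404, None),
]

# Constructed sample: same flow, but the backend sends a relative Location,
# so the browser stays on https.
HEALTHY_CHAIN = [
    (302, "https://test.someurl.com/"),
    (302, "/kitodo/pages/login.jsf"),
    (200, None),
]

if __name__ == "__main__":
    for name, chain in (("broken", BROKEN_CHAIN), ("healthy", HEALTHY_CHAIN)):
        final, found = walk_redirects("http://test.someurl.com/", chain)
        print(name, "->", final, "| downgrades:", found)
```

A non-empty downgrade list means the session leaves TLS after the proxy's redirect, so cookies and credentials sent on the following request travel in clear text.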