I have the below config file that I am using to load balance my application. HTTPS is working fine, but there are some parts of the application that still produce a 302/301 response and the application breaks. I have been able to find a workaround with HAProxy, but I cannot seem to make it work with Traefik. As you can tell I have tried a few things below and it either breaks altogether or doesn't work.
```yaml
http:
  #region routers
  routers:
    app-rtr:
      entryPoints:
        - https
        - http
      # https:
      #   address: ":443"
      # http:
      #   address: ":80"
      #   http:
      #     redirections:
      #       entryPoint:
      #         to: https
      #         schema: https
      rule: "Host(`services.domain.io`)"
      middlewares:
        # - redirect
        # - https-redirectscheme
        - middlewares-compress
      tls:
        certResolver: "cf"
        domains:
          - main: "services.neotericservices.io"
      service: app
  #endregion
  #region services
  services:
    app:
      loadBalancer:
        healthCheck:
          path: /health
          interval: "10s"
          timeout: "5s"
          scheme: http
        sticky:
          cookie: {}
        servers:
          - url: "http://172.16.9.90:16005"
          - url: "http://172.16.9.90:16006"
          - url: "http://172.16.9.91:16009"
          - url: "http://172.16.9.91:16010"
          - url: "http://172.16.9.93:16007"
          - url: "http://172.16.9.93:16008"
        passHostHeader: true
  #endregion
  middlewares:
    redirect:
      redirectRegex:
        regex: "^http://*(services.domain.io)(.*)"
        replacement: "https://$1$2"
        permanent: true
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
```
Can you share your static and dynamic Traefik configuration? Any docker-compose.yml? Do you use latest Traefik v2.9?
You should identify what is causing the redirects (301, 302) and to which page it redirects. Is it just from http to https or to another page? Use your browser's developer tools networking tab.
I am currently running v2.9.4. The only file I have static is the traefik.yml file, below.
```yaml
global:
  checkNewVersion: true
  sendAnonymousUsage: true
pilot:
  token: "0basdfasdfasba714c6"
serversTransport:
  insecureSkipVerify: true
certificatesResolvers:
  cf:
    acme:
      email: "email@email.com"
      storage: "acme.json"
      dnsChallenge:
        provider: "cloudflare"
        delayBeforeCheck: 90
        resolvers: "1.1.1.1:53"
metrics:
  prometheus: {}
log:
  level: DEBUG
  filePath: "/logs/logs.log"
  format: json
accessLog:
  filePath: "/traefik.log"
  bufferingSize: 100
api:
  insecure: true
  dashboard: true
providers:
  file:
    directory: "/rules"
    watch: true
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: t2_proxy
    swarmMode: false
entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
    http:
      tls:
        certResolver: cf
        domains:
          - main: "something.com"
            sans:
              - "*.something.com"
```
Here is my docker-compose file.
```yaml
traefik:
  container_name: traefik2
  image: traefik:latest
  restart: unless-stopped
  networks:
    - t2_proxy
  ports:
    - "443:443"
    - "80:80"
    - "8080:8080"
  environment:
    - "CF_API_EMAIL=email@email.com"
    - "CF_DNS_API_TOKEN=afdasdfasfas"
    - "CF_ZONE_API_TOKEN=asdfadadfadsfas"
  volumes:
    - "/var/run/docker.sock:/var/run/docker.sock:ro"
    - "/mnt/docker-data/traefik2/:/etc/traefik/:rw"
    - "/mnt/docker-data/shared/:/shared:rw"
    - "/mnt/docker-data/traefik2/rules:/rules:rw"
    - "/mnt/docker-data/traefik2/acme/acme.json:/acme.json:rw"
    - "/mnt/docker-data/traefik2/traefik.log:/traefik.log:rw"
    - "/mnt/docker-data/traefik2/logs:/logs"
  labels:
    - "traefik.enable=true"
    - "traefik.backend=traefik"
    - "traefik.frontend.headers.SSLHost=something.com"
    - "traefik.frontend.auth.basic.usersFile=/shared/.htpasswd"
    - "traefik.http.routers.traefik-rtr.rule=HostHeader(`traefik.something.com`)"
    - "raefik.http.routers.traefik-rtr.service=api@internal"
    - "traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file"
    - "traefik.http.routers.traefik-rtr.tls.certresolver=cf"
    - "traefik.http.routers.traefik-rtr.tls.domains[0].main=traefik.something.com"
    - "traefik.http.routers.traefik-rtr.tls=true"
    - "traefik.frontend.rule=Host:traefik.something.com"
    - "traefik.http.routers.http-catchall.entrypoints=http"
    - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host: +}`)"
    - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
    - "traefik.docker.network=bridge"
    - "traefik.frontend.headers.SSLRedirect=true"
    - "traefik.frontend.headers.STSSeconds=315360000"
    - "traefik.frontend.headers.browserXSSFilter=true"
    - "traefik.frontend.headers.contentTypeNosniff=true"
    - "traefik.frontend.headers.forceSTSHeader=true"
    - "traefik.frontend.headers.STSIncludeSubdomains=true"
    - "traefik.frontend.headers.STSPreload=true"
    - "traefik.frontend.headers.frameDeny=true"
```
@bluepuma77 I was able to get the http-to-https to work on the initial request. I found out that the application has mixed content. So the initial request gets redirected to HTTPS just fine. However, some responses from the server are in HTTP. How would I configure Traefik to modify the outgoing response to the client to replace HTTP with HTTPS?
The problem is that your browser fetched a page with https, but it includes links to http.
Options:
- ensure header X-Forwarded-Proto=https and hope your application uses it (this is usually set by Traefik, you can use a whoami container to check your headers)
- configure your app to return correct https protocol links in general
- have a look at rewriteBody plugin
@bluepuma77 I have this working in nginx just fine where I rewrite the host to replace http with https on the response side. The problem isn't the application, because I have the redirect to https working now. The problem is the response the application gives is in http. The browser blocks mixed content and breaks the application. Unfortunately, I have no control over the application itself.
I did take a look at the rewriteBody plugin, but it wasn't clear if it could rewrite the host response. If the plugin can rewrite the host URI then it might be an option. However, the documentation and its capabilities are not ideal.
Your config labels do not seem clean, there is stuff from v1 in there and a "t" is missing.
I assume you let Traefik be accessed with https? How do you forward the requests?
If you want to rewrite everything to https, you can just use:
```yaml
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
```
If it's working with nginx, then I would just compare the headers it sends to your application. Maybe replace your application with whoami to see all headers. Then you just set the same headers with Traefik.
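Added example, not written by any poster in this thread: a small Python check for the diagnosis step discussed above. It tells apart a backend that builds its own `http://` redirect (a `Location` header problem, where the forwarded headers are worth comparing) from one that embeds absolute `http://` links in the page body (where the app's links or a body rewrite are the options). The function names, the result labels and both sample responses are constructed for illustration.

```python
import re
from urllib.parse import urlsplit

# Attributes that make a browser fetch from (or navigate to) the quoted URL.
_REF = re.compile(r"""(?:src|href|action)\s*=\s*["'](http://[^"'\s>]+)""", re.I)

def audit_response(raw, site_host):
    """Report where one backend response still points at plain http on site_host."""
    head, _, body = raw.partition("\r\n\r\n")
    status_line, _, header_block = head.partition("\r\n")
    status = int(status_line.split()[1])
    headers = {}
    for line in header_block.split("\r\n"):
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    findings = {"status": status, "insecure_location": None, "insecure_refs": []}
    location = headers.get("location", "")
    if 300 <= status < 400 and urlsplit(location).scheme == "http":
        findings["insecure_location"] = location
    for url in _REF.findall(body):
        if urlsplit(url).hostname == site_host:
            findings["insecure_refs"].append(url)
    return findings

def next_checks(findings):
    """Map findings to the options listed in the thread (labels are hypothetical)."""
    checks = []
    if findings["insecure_location"]:
        # The backend built the redirect itself: see which X-Forwarded-Proto it receives.
        checks.append("compare-forwarded-headers")
    if findings["insecure_refs"]:
        # Absolute http:// links are in the payload: fix the app's links or rewrite the body.
        checks.append("fix-app-links-or-rewrite-body")
    return checks

# Constructed sample responses (not captured from the poster's application).
REDIRECT = "\r\n".join([
    "HTTP/1.1 302 Found",
    "Location: http://services.domain.io/login",
    "Content-Length: 0", "", ""])
PAGE = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Content-Type: text/html", "",
    '<script src="http://services.domain.io/static/app.js"></script>',
    '<a href="https://services.domain.io/help">help</a>'])

if __name__ == "__main__":
    for sample in (REDIRECT, PAGE):
        result = audit_response(sample, "services.domain.io")
        print(result, next_checks(result))
```

Feed it a raw response saved from the backend directly (bypassing the proxy) to see which of the two cases applies before changing any Traefik middleware.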