Traefik 2.0 & Kubernetes CRD [Force SSL / Http to Https redirect] How?

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: kube-system
spec:
  redirectScheme:
    scheme: https
    permanent: "true"
    port: 443

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: example.com-ingress
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  routes:
  - match: Host(`example.com`)
    kind: Rule
    services:
    - name: example
      port: 80
      namespace: kube-system
  tls:
    certResolver: default
    domains:
    - main: example.com
      sans:
      - www.example.com

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: http-example.com-redirect-to-https
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: HostRegexp(`example\.com`)
      kind: Rule 
      services:
        - name: example
          port: 80
      middlewares:
        - name: redirect-https
          namespace: kube-system

This is my .yaml - Getting a redirect for:

  1. "http://example.com" -> "https://example.com"
    but not:
  2. "example.com" -> "404 page not found"

Actually... what seems to be worse.. I am getting intermittent connection behavior / depending on browser.

How do I just do a solid and reliable force to SSL configuration ??

I want ZERO unencrypted port 80 http requests - I just want them instantly and automatically made SSL 443 https connections.

What is the right Kubernetes .yaml for Traefik v2.1?

Hello,

For curl or browsers, a call to example.com is "rewritten" to http://example.com because a URL without a scheme is not really valid, so could you explain how you produce the call to example.com (without scheme)?


You can follow the global redirection pattern explained in Traefik v1 to v2 | Traefik | v2.1

By typing into the browser bar: www.example.com

People do this in real-life (even if it is not technically valid).

Therefore - how do I catch and route these naked calls in Traefik to the https:// of the naked call?

Do I need to add another catch-all entryPoint perhaps?

As I think the "404 page not found" is a Traefik generated 404 response.

example.com != www.example.com

All the browsers add a hidden scheme (http) by default.

To be clear example.com = http://example.com, it's the same thing.

So I think there is something missing in your explanation.

How should I / can I dig-in a bit deeper to get some logs?

OK... I think it is that the redirect isn't working.

So... http://example.com renders a 404 error
but... https://example.com connects Ingress > Service > Pod just fine.

A user typing "example.com" is invoking the port 80 http:// call (fails: 404).

HOW DO I FIX THIS?

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: example.com-ingress
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  routes:
  - match: HostRegexp(`{host:(www\.)?}example.com`)
    kind: Rule
    services:
    - name: example
      port: 80
      namespace: kube-system
  tls:
    certResolver: default
    domains:
    - main: example.com
      sans:
      - www.example.com

---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: http-example.com-redirect-to-https
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: HostRegexp(`{host:(www\.)?}example.com`)
      kind: Rule 
      services:
        - name: example
          port: 80
      middlewares:
        - name: redirect-https
          namespace: kube-system

---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: kube-system
spec:
  redirectScheme:
    scheme: https
    permanent: "true"
    port: 443

OK, this works now. I have enough information to post a blog post next week.
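
The two `web` routes in this thread differ only in their `HostRegexp` template, where a regular expression applies only inside a `{name:regex}` group and text outside the braces is matched literally. The Python sketch below is an added example, not code from the thread or from Traefik: it models that template syntax in simplified form (function names are hypothetical, and the Host header is assumed to have its port already stripped) and compares the two templates. Under this model the first template matches no real hostname, which is consistent with the 404 on port 80.

```python
import re

def compile_host_template(template):
    """Turn a HostRegexp-style template into an anchored regex.

    Simplified model (an assumption of this example): text outside
    {name:regex} is literal, and {name} alone matches one DNS label.
    """
    out, literal, i = [], [], 0
    while i < len(template):
        if template[i] != "{":
            literal.append(template[i])
            i += 1
            continue
        out.append(re.escape("".join(literal)))
        literal = []
        # Find the matching close brace, tracking nesting such as a{2}.
        depth, j = 1, i + 1
        while j < len(template) and depth:
            depth += {"{": 1, "}": -1}.get(template[j], 0)
            j += 1
        if depth:
            raise ValueError("unbalanced braces in %r" % template)
        _name, _, pattern = template[i + 1:j - 1].partition(":")
        out.append("(?:%s)" % (pattern or "[^.]+"))
        i = j
    out.append(re.escape("".join(literal)))
    return re.compile("^" + "".join(out) + "$")

def matches(template, host):
    """True if a request Host header (port stripped) matches the template."""
    return compile_host_template(template).match(host) is not None

# The two templates posted in the thread for the `web` redirect route.
BEFORE = r"example\.com"                # backslash is literal here
AFTER = r"{host:(www\.)?}example.com"   # regex only inside the braces

def report(hosts=("example.com", "www.example.com", "api.example.com")):
    """Map each constructed sample host to (matches BEFORE, matches AFTER)."""
    return {h: (matches(BEFORE, h), matches(AFTER, h)) for h in hosts}

if __name__ == "__main__":
    for host, (before, after) in report().items():
        print("%-18s before=%-5s after=%s" % (host, before, after))
```

Any host that matches no route on the `web` entry point still gets Traefik's 404 rather than a redirect, so a host list like the one in `report()` should cover every name the certificate serves.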