Hi everyone,
I'm using Traefik 2.5 behind an NLB AWS load balancer.
The Traefik service has the following annotations:
service.beta.kubernetes.io/aws-load-balancer-type: nlb
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
service.beta.kubernetes.io/aws-load-balancer-proxy-protocol: "*"
service.beta.kubernetes.io/aws-load-balancer-ssl-cert: <arn of AWS certificate>
service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "websecure"
service.beta.kubernetes.io/aws-load-balancer-ssl-negotiation-policy: "ELBSecurityPolicy-FS-1-2-Res-2019-08"
Spec section of the Traefik service:
spec:
  type: LoadBalancer
  selector:
    app: traefik
  ports:
    - protocol: TCP
      port: 443
      name: websecure
      targetPort: 443
    - protocol: TCP
      port: 80
      name: web
Deployment args:
- --entryPoints.web.address=:80
- --entryPoints.websecure.address=:443
- --entryPoints.ssh.proxyProtocol.trustedIPs=127.0.0.1/32,<private subnet ip range>
- --entryPoints.web.proxyProtocol.trustedIPs=127.0.0.1/32,<private subnet ip range>
- --entryPoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,<private subnet ip range>
#permanent redirecting of all requests on http (80) to https (443) using default scheme (https)
- --entryPoints.web.http.redirections.entryPoint.to=websecure
- --entryPoints.web.http.redirections.entryPoint.scheme=https
- --entryPoints.web.http.redirections.entrypoint.permanent=true
#default middleware(s) prepended to each router associated with entry point
- --entryPoints.websecure.http.middlewares=default-traefik-backend-retry@kubernetescrd
- --providers.kubernetesingress
- --providers.kubernetesingress.labelselector=traffic-type=external
- --providers.kubernetescrd
Deployment ports section:
ports:
  - name: web
    containerPort: 80
  - name: websecure
    containerPort: 443
Default backend middleware:
kind: Middleware
apiVersion: traefik.containo.us/v1alpha1
metadata:
  name: traefik-backend-retry
  namespace: default
spec:
  retry:
    attempts: 3
---
With this configuration, if I hit my URL with https://mydomain.com:80, I'm presented with the default Traefik certificate. However, the usual redirection from http to https works perfectly.
I have tested to see what the response is on other websites; for example, https://youtube.com:80 will present a 204.
I have tried to redirect port 443 to port 80, but I get the error message. I think that the controller doesn't know about the AWS ACM certificate, since it is only presented at the service level, and when I force port 80 on an https:// request I correctly get the default self-signed internal Traefik certificate. In this case, would it be an option to present the AWS ACM cert, apply a redirect, or just return the 204 HTTP response?
How do you usually deal with this situation in your environment? Thank you so much!
ovi10nsc
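Before choosing between a redirect, a 204 or another certificate, it helps to see exactly what each hop answers when a browser speaks TLS to port 80. The probe below is an added example written for this thread, not code from the post above or from the Traefik project. It hand-builds a TLS 1.2 ClientHello with SNI, sends it to a host:port, and classifies the first bytes that come back: a ServerHello (the port speaks TLS), a TLS alert, a plaintext HTTP status such as the 204 the post saw from youtube.com:80, or a closed connection. Because only TLS 1.2 is offered, the server's Certificate message comes back unencrypted, so the reply can be checked for Traefik's built-in self-signed certificate, whose subject CN is "TRAEFIK DEFAULT CERT". The host name mydomain.com is taken from the post; the script name and the choice of ports 80/443 are assumptions for illustration.

```python
"""Probe what a port answers when a browser speaks TLS to it (https://host:80).

Added diagnostic example (not from the original post or from Traefik). Sends a
hand-built TLS 1.2 ClientHello with SNI, reads the reply, and classifies it.
"""
import os
import socket
import struct
import sys

TLS_HANDSHAKE, TLS_ALERT = 0x16, 0x15
ALERT_NAMES = {40: "handshake_failure", 47: "illegal_parameter", 70: "protocol_version",
               80: "internal_error", 112: "unrecognized_name"}
# Subject CN of the self-signed certificate Traefik serves when no other cert matches.
TRAEFIK_DEFAULT_CN = b"TRAEFIK DEFAULT CERT"


def _ext(ext_type: int, body: bytes) -> bytes:
    """Encode one TLS extension: type(2) length(2) body."""
    return struct.pack("!HH", ext_type, len(body)) + body


def build_client_hello(sni: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying server_name=sni.

    Only TLS 1.2 is offered (no supported_versions extension), so a TLS server
    sends its Certificate message in the clear, right after ServerHello.
    """
    name = sni.encode("idna")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type 0 = host_name
    extensions = (
        _ext(0x0000, struct.pack("!H", len(sni_entry)) + sni_entry)   # server_name
        + _ext(0x000A, b"\x00\x04\x00\x1d\x00\x17")                   # supported_groups: x25519, secp256r1
        + _ext(0x000B, b"\x01\x00")                                   # ec_point_formats: uncompressed
        + _ext(0x000D, b"\x00\x06\x04\x01\x04\x03\x08\x04")           # signature_algorithms: rsa/ecdsa/pss sha256
    )
    suites = b"\xc0\x2f\xc0\x2b\x00\x9c"   # ECDHE-RSA-AES128-GCM, ECDHE-ECDSA-AES128-GCM, RSA-AES128-GCM
    body = (
        b"\x03\x03" + os.urandom(32) + b"\x00"                        # TLS 1.2, client random, no session id
        + struct.pack("!H", len(suites)) + suites
        + b"\x01\x00"                                                 # compression methods: null only
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body         # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record layer header


def classify_reply(reply: bytes) -> str:
    """Name what the server sent back in answer to our ClientHello."""
    if not reply:
        return "closed"                                   # FIN/RST without a single byte
    if reply[0] == TLS_HANDSHAKE and reply[1:2] == b"\x03" and len(reply) > 5 and reply[5] == 0x02:
        return "tls-serverhello"                          # the port speaks TLS
    if reply[0] == TLS_ALERT and len(reply) >= 7:
        return "tls-alert:" + ALERT_NAMES.get(reply[6], str(reply[6]))
    if reply.startswith(b"HTTP/"):                        # plaintext HTTP answer to a TLS hello
        parts = reply.split(b" ", 2)
        code = parts[1].decode("ascii", "replace") if len(parts) > 1 else "?"
        return "http-" + code
    return "unknown"


def presents_traefik_default_cert(reply: bytes) -> bool:
    """True if the unencrypted TLS 1.2 Certificate message carries Traefik's default CN."""
    return TRAEFIK_DEFAULT_CN in reply


def probe(host: str, port: int, sni: str, timeout: float = 3.0) -> dict:
    """Send a ClientHello to host:port and report how the port answered.

    Note: no PROXY protocol header is sent, so the target sees a plain client.
    """
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.settimeout(timeout)
        sock.sendall(build_client_hello(sni))
        chunks = []
        try:
            while sum(map(len, chunks)) < 16384:          # enough for ServerHello + Certificate
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except (socket.timeout, ConnectionResetError):
            pass                                          # a TLS server now waits for us; an HTTP one may reset
        reply = b"".join(chunks)
    return {"port": port, "kind": classify_reply(reply),
            "traefik_default_cert": presents_traefik_default_cert(reply)}


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: tls_port_probe.py <host> [port ...]   (default ports: 80 443)")
    host = sys.argv[1]
    ports = [int(p) for p in sys.argv[2:]] or [80, 443]
    for port in ports:
        print(probe(host, port, sni=host))
```

Run it twice: once against the NLB hostname from outside, and once from inside the VPC against the Traefik service or pod address. If port 80 on the pod already answers with "tls-serverhello" and traefik_default_cert=True, the behaviour is Traefik's own and not something the NLB listener adds; if the NLB answers differently from the pod, the listener (and its ACM certificate, which only applies to the port named in aws-load-balancer-ssl-ports) is what you need to change.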