What is the correct way to redirect from http->https when interfacing with Cloudflare Tunnels + Docker?

:wave:

Found Traefik not too long ago and decided to start playing with it yesterday; it's kinda been a rollercoaster of Google searches haha.

Anyways, I'm mostly set up at this point, but one of the weirder issues I've got left to kind of figure out is how to handle the http->https redirection correctly, as if I try anything, one of two things happens:

  • I get a 404
  • My browser responds with a message suggesting the redirect failed somehow.

From what I've seen there are a few ways to handle the redirect

  • using a middleware
       traefik.http.middlewares.<middleware name>.redirectscheme.scheme=https
       traefik.http.middlewares.<middleware name>.redirectscheme.permanent=true
       traefik.http.routers.<route name>.middlewares=<middleware name>

(I have seen people use the above in conjunction with declaring 2 separate http and https routes but that doesn't seem to work either)

  • using an explicit (global?) redirect when setting up
     - --entrypoints.<entry point name>.http.redirections.entrypoint.to=<https entrypoint name>
     - --entrypoints.<entrypoint name>.http.redirections.entrypoint.scheme=https

(sorry for the mix up in syntaxes, assume all of this is in the compose file)

In conjunction with the above, I have seen configs that tell a service to use a particular entry point like so

traefik.http.routers.<route name>.entrypoints=<https entry point>

which also causes one of the above issues.

I am finding that, with Tunnels at least, redirects are causing issues. If I remove the redirect instructions, things seem to work and as far as I can tell, are connecting via https.

I was hoping someone more experienced than me could try to explain what is/isn't necessary. I've seen a couple of tunnel focused configs do explicit redirects somehow so I'm not sure what the correct way of handling things is. Everything else like cert generation seems to be working.

I can cobble together a sample config if this isn't enough to go on.

EDIT: It seems that adding

--entrypoints.<endpoint>.forwardedHeaders.insecure=true

does the trick and fixes things. That said, I'm kind of curious what's going on behind the scenes; based on the name alone and from what I understand of the function, it's not necessarily a great idea to enable? (Though in this case it might not matter since we know the traffic is coming from Cloudflare.)

Thank you!
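A simplified model of what the EDIT above changes, added here as an example and not taken from the thread or from Traefik's source: it assumes the tunnel connector reaches the entrypoint over plain HTTP and passes along `X-Forwarded-Proto: https`, and that the redirect decision keys off that header. The IP addresses are constructed, and `trusted_ips` stands in for the entrypoint's `forwardedHeaders.trustedIPs` option, the narrower alternative to `insecure`.

```python
import ipaddress

# Constructed sample values (assumptions, not from the thread).
TUNNEL_IP = "172.18.0.5"        # cloudflared container on the Docker network
TUNNEL_NET = "172.18.0.5/32"    # what forwardedHeaders.trustedIPs would list
LAN_IP = "192.168.1.50"         # some other host that can reach port 80 directly
HDRS = {"X-Forwarded-Proto": "https"}

def effective_proto(peer_ip, tls, headers, insecure=False, trusted_ips=()):
    """Scheme the proxy believes the client used."""
    peer = ipaddress.ip_address(peer_ip)
    trusted = insecure or any(
        peer in ipaddress.ip_network(cidr) for cidr in trusted_ips)
    claimed = headers.get("X-Forwarded-Proto")
    if trusted and claimed:
        return claimed                      # upstream hop's header is kept
    return "https" if tls else "http"       # header dropped, rebuilt from the socket

def redirect_decision(peer_ip, tls, headers, **entrypoint):
    """301 if an http->https redirect rule would fire, else None."""
    if effective_proto(peer_ip, tls, headers, **entrypoint) == "https":
        return None
    return 301

def follow(peer_ip, headers, max_hops=5, **entrypoint):
    """Browser already on https; every retry arrives over the same plain-HTTP hop."""
    for hop in range(max_hops):
        if redirect_decision(peer_ip, False, headers, **entrypoint) is None:
            return f"200 after {hop} redirect(s)"
    return "redirect loop"

if __name__ == "__main__":
    print("default          :", follow(TUNNEL_IP, HDRS))
    print("insecure=true    :", follow(TUNNEL_IP, HDRS, insecure=True))
    print("trustedIPs=tunnel:", follow(TUNNEL_IP, HDRS, trusted_ips=[TUNNEL_NET]))
    # Same forged header sent straight to port 80 from another host:
    print("LAN, insecure    :", redirect_decision(LAN_IP, False, HDRS, insecure=True))
    print("LAN, trustedIPs  :",
          redirect_decision(LAN_IP, False, HDRS, trusted_ips=[TUNNEL_NET]))
```

With `insecure` every peer's forwarded headers are believed, so the last two lines differ: only the trusted-IP variant still redirects a direct plain-HTTP client that claims to be on https.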

I would think it mainly depends on how you set up your tunnel. You should forward ports 80->80 and 443->443, then Traefik should just work.

Personally, I prefer having Traefik redirect globally on the http entrypoint.

Right, I understand everyone might have different setups, I'm just trying to make sure I did the basics right first before moving on.

Project is just a simple home server to host a couple personal projects, with Traefik as the reverse proxy. On the CF side, I have a route pointing to localhost on the machine with Traefik and CF Tunnels (cloudflared Docker image) set up. Currently forwarding both ports and like I mentioned, things do technically work.

I guess I'm just trying to figure out if I'm overlooking anything and missing something I ought to be doing; while I am able to access my services using https, I've seen some configs that suggest some kind of redirection is still necessary so it's a little confusing what the setup should "technically" look like.