Wrong behaviour of HTTP -> HTTPS redirect with PathPrefixStrip annotation #1957

Closed
kachkaev opened this Issue Aug 15, 2017 · 20 comments

Comments

@kachkaev
Contributor

kachkaev commented Aug 15, 2017

Do you want to request a feature or report a bug?

bug

What did you do?

I'm using traefik as a kubernetes ingress controller. HTTPS is enforced by default so all the HTTP requests respond with 302 -> HTTPS. All works fine except one case: when I annotate a service with traefik.frontend.rule.type: PathPrefixStrip, the path gets lost during the redirect.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test
  annotations:
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /path-prefix-strip-service/
        backend:
          serviceName: my-service
          servicePort: http

What did you expect to see?

url entered                                      302 to
http://example.com/                              https://example.com/
http://example.com/path-prefix-strip-service/    https://example.com/path-prefix-strip-service/
http://example.com/any-other-path/               https://example.com/any-other-path/

What did you see instead?

url entered                                      302 to
http://example.com/                              https://example.com/
http://example.com/path-prefix-strip-service/    https://example.com/ ⚠️
http://example.com/any-other-path/               https://example.com/any-other-path/

Output of traefik version: (What version of Traefik are you using?)

1.3.5

I was also able to reproduce this on one more pretty different cluster with Traefik 1.3.4.

What is your environment & configuration (arguments, toml, provider, platform, ...)?

Official helm chart, latest version.

@ArcticDolphin

ArcticDolphin commented Aug 16, 2017

I am also experiencing this behaviour on version 1.3.5.

@kachkaev

Contributor

kachkaev commented Aug 26, 2017

Could anyone else confirm the bug please? Would be great to see the fix in a patch release or in 1.4. This bug does not allow for keeping multiple apps on the same domain in production because the customers do not land where they should if they type a URL without https.

@ldez

Member

ldez commented Aug 26, 2017

@kachkaev We are a very small team, we have ~280 open issues:

  • 15 kind/bug/confirmed
  • ~50 kind/bug/possible
  • ~30 status/0-needs-triage

We also add new features, answer support questions and more.

Even if I confirm, this bug will not be fixed like that.

This project is open source, anyone can participate by opening a PR.

Seems to be a duplicate of #1272

@kachkaev

Contributor

kachkaev commented Aug 26, 2017

Thanks for your reply @ldez. I understand that traefik is a non-profit opensource project and I really appreciate your team's hard work on it. I just wanted someone else in the community to check if my and @ArcticDolphin's observations are valid to make sure it's not just an issue of us doing something wrong.

I'd be happy to try fixing the bug myself, but unfortunately I have zero experience in go, so this does not sound doable. I'm trying to help by keeping traefik version in its official helm chart up to date, but understand that it's a very modest contribution compared to what you guys do here :–)

Not sure this issue is the same as #1272. The problem mentioned there concerns the behaviour of the containers behind traefik, but here the thing is fully internal. A redirect from http to https is done based on the config and I believe that there's just some path trimming going on in the wrong place. However, I can't even find where exactly the problem is in the code (although I tried).

Thanks for the time that you put into traefik (especially on weekends) 😉

@1ambda

1ambda commented Oct 28, 2017

I have the same problem in v 1.4.0

defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    ...

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cheeses
  annotations:
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - host: dev.our-domain.io
    http:
      paths:
      - path: /stilton
        backend:
          serviceName: stilton
          servicePort: http
      - path: /cheddar
        backend:
          serviceName: cheddar
          servicePort: http
      - path: /wensleydale
        backend:
          serviceName: wensleydale
          servicePort: http

@sunghospark

sunghospark commented Nov 14, 2017

Seeing the same behavior in 1.4.1 as well

@kachkaev

Contributor

kachkaev commented Nov 30, 2017

Still observing this issue in 1.5.0-rc.1.

@hrajchert

hrajchert commented Dec 21, 2017

I have the same problem on Docker Image version traefik:1.4-alpine@sha256:9b02a25ffd77e058738f452c8d9b17c4514e5d4c543965ee1bbbee900f092fc2

@dpavanelli

dpavanelli commented Jan 19, 2018

Hi @nmengin. Is there any news about this issue?

@nmengin

Member

nmengin commented Jan 22, 2018

Hello @dpavanelli,

I investigated a little and found the problem.
It's due to the workflow. Indeed, the PathPrefixStrip middleware is called before the Redirect one; that's why the problem appears.

I have to find a solution which is as generic as possible and which will not introduce a regression (of course).
I'll do this ASAP but, for now, it's difficult to give you a deadline...

WIP 😉
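
Added example (not part of the thread and not Traefik's code): a Go illustration of the ordering problem described in the comment above, using hypothetical `stripPrefix` and `redirectHTTPS` middlewares built on `net/http`. When the path is rewritten before the redirect builds its `Location` header, the prefix is lost; with the opposite order it is kept.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Hypothetical stand-ins written for this example; not Traefik's code.
// stripPrefix mimics a PathPrefixStrip-style middleware: it rewrites the
// request path in place before calling the next handler.
func stripPrefix(prefix string, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.HasPrefix(r.URL.Path, prefix) {
			r.URL.Path = "/" + strings.TrimPrefix(r.URL.Path, prefix)
		}
		next.ServeHTTP(w, r)
	})
}

// redirectHTTPS mimics an entry-point redirect: plain-HTTP requests get a 302
// built from whatever path the request carries at this point in the chain.
func redirectHTTPS(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.TLS == nil {
			http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusFound)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// location sends one plain-HTTP GET through h and returns the Location header.
func location(h http.Handler, url string) string {
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, httptest.NewRequest(http.MethodGet, url, nil))
	return rec.Header().Get("Location")
}

func main() {
	backend := http.NotFoundHandler()
	const prefix = "/path-prefix-strip-service/"
	const url = "http://example.com/path-prefix-strip-service/" // constructed sample URL
	stripFirst := stripPrefix(prefix, redirectHTTPS(backend))
	redirectFirst := redirectHTTPS(stripPrefix(prefix, backend))
	fmt.Println("strip before redirect:", location(stripFirst, url))
	fmt.Println("redirect before strip:", location(redirectFirst, url))
}
```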

@schoren

schoren commented Jan 26, 2018

Hello @nmengin, I have been debugging the same bug, but with AddPrefix (#2024). I'm not familiar enough with the design of Traefik, so it's hard for me to propose such a big change, but I will be glad to help you with this fix. Let me know if I can be of any assistance.

@Miouge1

Contributor

Miouge1 commented Jan 29, 2018

I ran into this problem with 1.5.0. I worked around the issue by using HTTPS as the main entry point, then adding a File frontend for the HTTP entry point; that way the PathPrefixStrip does not apply on the HTTP entry point.

This is an example:

# HTTP to HTTPS config
defaultEntryPoints = ["https"]
[file]
[backends]
  [backends.http-only]
[frontends]
  [frontends.http-only]
  entrypoints = ["http"]
  backend = "http-only"

@cdyue

cdyue commented Feb 7, 2018

same issue in 1.5.1

@stepan-romankov

stepan-romankov commented Mar 22, 2018

@Miouge1 your solution works like magic. Suppose this bug will be fixed and no-one will spend hours trying to find it like me :( !

@jbdoumenjou Any idea when this can be fixed?

@kachkaev

Contributor

kachkaev commented Apr 11, 2018

@Miouge1 many thanks for sharing a workaround! Do you know if it can be crafted just by using traefik command line options? I'm starting traefik without any tomls like this in one of my environments:

    docker run \
      --detach \
      --publish 80:80 \
      --publish 443:443 \
      --publish 48080:48080 \
      --mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
      --network traefik \
      --name traefik \
      --restart always \
      --volume /etc/traefik/acme:/etc/traefik/acme \
      traefik:v1.5-alpine \
      --acme=true \
      --acme.acmelogging \
      --acme.email=mail@example.com \
      --acme.entrypoint=https \
      --acme.httpChallenge=true \
      --acme.httpChallenge.entryPoint=http \
      --acme.onhostrule=true \
      --acme.storage=/etc/traefik/acme/acme.json \
      --docker \
      --docker.watch \
      --docker.exposedbydefault=false \
      --defaultEntryPoints=http,https \
      --entryPoints="Name:http Address::80 Redirect.EntryPoint:https" \
      --entryPoints="Name:https Address::443 TLS" \
      --web \
      --web.address=:48080 \
      --web.readonly=true \
      --web.statistics=true \
      --web.statistics.recenterrors=200

Curious to know if I can replace these two lines with something that would apply a workaround.

      --entryPoints="Name:http Address::80 Redirect.EntryPoint:https" \
      --entryPoints="Name:https Address::443 TLS" \

No luck after about an hour of trying 😅

@Miouge1

Contributor

Miouge1 commented Apr 17, 2018

@kachkaev it's not possible to set frontends and backends via CLI arguments, so a config file is needed.

@conrallendale

conrallendale commented Jun 15, 2018

Same problem here. Don't ask me why, but if you explicitly put port 80 on the frontend, it works, like magic.

@SvenDowideit

SvenDowideit commented Jul 3, 2018

aha, same issue here :/

@SvenDowideit

SvenDowideit commented Jul 3, 2018

My workaround is to have all my real endpoints do https only, and then to define one http endpoint that uses PathPrefix:/ to always redirect - it basically means any http request to any host / path is redirected to https, and then the relevant service / traefik can 404 it

ie, in compose using a docker swarm:

  dummy:
    image: nginx
    networks:
      - infra_traefik
    deploy:
      labels:
        traefik.docker.network: infra_traefik
        traefik.port: 80
        traefik.frontend.rule: PathPrefix:/
        traefik.frontend.passHostHeader: "true"
        traefik.frontend.entryPoints: http
        traefik.frontend.redirect.entryPoint: https

@traefiker

traefiker commented Jul 31, 2018

Closed by #3631.

@traefiker traefiker added this to the 1.7 milestone Jul 31, 2018

@traefiker traefiker closed this Jul 31, 2018

sagikazarmark added a commit to banzaicloud/banzai-charts that referenced this issue Oct 19, 2018

Replace builtin SSL redirection with manual one
As outlined in this (containous/traefik#1957)
issue SSL redirection with PathPrefixStrip does not work really well.

A solution was provided in this (containous/traefik#3631) PR,
released in 1.7, but it didn't really solve the issue.

In fact, there were several subsequent issues opened
(containous/traefik#3999, containous/traefik#3876)
but they got closed.

Another issue was opened in the Traefik repo: containous/traefik#4085

Until then this workaround provides the same functionality.

ahma added a commit to banzaicloud/banzai-charts that referenced this issue Oct 21, 2018

Replace builtin SSL redirection with manual one (#415)
As outlined in this (containous/traefik#1957)
issue SSL redirection with PathPrefixStrip does not work really well.

A solution was provided in this (containous/traefik#3631) PR,
released in 1.7, but it didn't really solve the issue.

In fact, there were several subsequent issues opened
(containous/traefik#3999, containous/traefik#3876)
but they got closed.

Another issue was opened in the Traefik repo: containous/traefik#4085

Until then this workaround provides the same functionality.