Redirect http to https on a per container (per frontend) basis #541

Closed
morvans opened this Issue Jul 19, 2016 · 26 comments

morvans commented Jul 19, 2016

It would be great if the ability to automatically redirect http to https could be enabled on a per-container basis using a label.

AFAICT, I don't think there's an issue and/or PR open for that.

migueleliasweb Aug 8, 2016

I was searching exactly for that. Didn't find that either!

migueleliasweb Aug 9, 2016

Context for the answer:

  • In the company I work in we use Marathon as the Traefik provider
  • We are migrating all web apps to be "reversed proxied" by Traefik
  • All our web apps use only http or https. Not both at the same time.

I had no luck finding how to make this work. (I think it's not implemented yet, at least for the Marathon provider)

This is what I tried:

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"

If I configure Traefik like this, all my http traffic gets redirected to https and that I cannot allow because behind my reverse proxy there are multiple domains and some do not have an SSL linked to them.

Some apps use only HTTPS but we could not let Traefik respond a 404 if the user tries to access via HTTP because of some legacy integrations. Currently our nginx servers redirect all HTTP requests to HTTPS.

What I was forced to do to make it work was creating a simple redirect app on Marathon that reads an environment variable and if the requested host meets the criteria, the nginx returns a location header for the https url.

It's a workaround but until the team implements a per-frontend redirect there's no way to make this work directly from Traefik.... =/

emilevauge Aug 9, 2016

Member

You can use Marathon labels to connect apps to a specific entrypoint, http or https.

migueleliasweb Aug 9, 2016

Hey @emilevauge I already do this but sadly when I do so the other protocol responds 404 and this breaks some older integrations that still reference the old http routes...

Maybe I was not clear about what I did.

The main app (the one that runs the app server) has a "traefik.frontend.entryPoints=https" Label on Marathon, so it only receives HTTPS requests but I have another app (the nginx redirector) that I can configure through env vars to respond a location from HTTP requests to HTTPS.

If I didn't have the redirector, my app would respond a 404 on HTTPS. That's the caveat.

morvans Aug 9, 2016

On 09/08/2016 19:03, Emile Vauge wrote:

You can use Marathon labels to connect apps to a specific entrypoint,
http or https.

And is there any trick like this for Docker backend ?

emilevauge Aug 9, 2016

Member

@morvans

And is there any trick like this for Docker backend ?

Yep: http://docs.traefik.io/toml/#docker-backend

emilevauge Aug 9, 2016

Member

@migueleliasweb, I don't get what you are trying to do exactly here ^^
If you have:

[entryPoints.http.redirect]
      entryPoint = "https"

on your http entrypoint, it will redirect everything on your https, if your frontends are connected to both entrypoints http and https. Otherwise, if a frontend is only connected to http, the redirection will also be made to https, but as the frontend isn't connected to https, you will get a 404.

If you want to have some apps on http and others on https, you should configure traefik with:

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"

and use labels to wire your frontends to the desired entrypoint. But you will not get http->https redirection in that case.

migueleliasweb Aug 10, 2016

Hey @emilevauge ! Thanks for being so active !

When you said:

and use labels to wire your frontends to the desired entrypoint. But you will not get http->https redirection in that case.

That's exactly my case. My Traefik serves 3 types of web applications:

  • Some are just HTTP (https requests could receive 404, no problem)
  • Some are just HTTPS (http requests...well you got it)
  • Some (that's the tricky one) need to be only HTTPS but the HTTP interface should redirect the requests to the relative HTTPS urls.

It's all because of the last scenario...

If I wire the last app type to both HTTP and HTTPS, I get some problems due to some legacy users being able to access the app through non secure connections and possibly exposing sensitive data.

On the other hand if I wire the last app only to HTTPS I get a 404 on HTTP requests (as I mentioned earlier...and that's a huge problem to the company because we need those users).

That's why I had to invent a way to cover this use case by creating a nginx container that redirects all incoming requests from HTTP to HTTPS. Example:

  • The app only listens to HTTPS with "traefik.frontend.entryPoints=https" (which is OK but we have to deal with the non secure requests too).
  • The nginx app listens ONLY to HTTP and returns header locations to the HTTPS domain (and uses the same traefik labels on marathon to configure itself as being the HTTP listener for that Host)

Well I think that's it. =]

EDIT: If there was a way for each frontend to have a HTTP and HTTPS independent configurable entrypoint I would use it, but since I didn't find one I had to come up with something =P
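
The HTTP-only redirector app described in the comment above, written in Go instead of nginx as an added example (not code from this thread or from Traefik). The `REDIRECT_HOSTS` variable name, the `:8080` listen port and the function names are assumptions; the Location header is built only from allowlisted host names, so a request with any other Host header gets a 404 instead of a redirect.

```go
package main

import (
	"log"
	"net"
	"net/http"
	"os"
	"strings"
)

// parseHosts turns a comma-separated list ("a.example.com, b.example.com")
// into a lookup set of lower-cased host names; empty entries are ignored.
func parseHosts(list string) map[string]bool {
	hosts := make(map[string]bool)
	for _, h := range strings.Split(list, ",") {
		if h = strings.ToLower(strings.TrimSpace(h)); h != "" {
			hosts[h] = true
		}
	}
	return hosts
}

// redirectTarget returns the HTTPS URL for a plain-HTTP request, or ok=false
// when the Host header is not on the allowlist.
func redirectTarget(hosts map[string]bool, hostHeader, requestURI string) (string, bool) {
	host := strings.ToLower(hostHeader)
	// Drop an explicit port ("app.example.com:80") before the lookup.
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h
	}
	if !hosts[host] {
		return "", false
	}
	// host now equals an allowlist entry, so the client cannot steer the
	// redirect to a name the operator did not configure.
	return "https://" + host + requestURI, true
}

// redirector sends allowlisted hosts a 301 to the same path and query on
// https:// and answers every other host with a 404.
func redirector(hosts map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		target, ok := redirectTarget(hosts, r.Host, r.URL.RequestURI())
		if !ok {
			http.NotFound(w, r)
			return
		}
		http.Redirect(w, r, target, http.StatusMovedPermanently)
	})
}

func main() {
	// REDIRECT_HOSTS is a hypothetical variable name chosen for this example.
	hosts := parseHosts(os.Getenv("REDIRECT_HOSTS"))
	log.Fatal(http.ListenAndServe(":8080", redirector(hosts)))
}
```

In the setup from the comment, this app would be wired to the http entrypoint for the same Host as the HTTPS-only app, which keeps "traefik.frontend.entryPoints=https".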

morvans Aug 10, 2016

As the OP, I would like to be a little more specific about my use case. Maybe we need to move some concerns to another issue.
I host several applications (containers) on the same Docker host.
The goal is to deploy all applications on both http & https but enable the transparent redirection only on a subset of them.
The reason is that some legacy apps really want to manage this redirection or need to be able to serve certain requests on plain HTTP. Also, transparently redirecting sometimes breaks some clients which won't follow 30x codes.
As far as I know, I can't do it (even with labels) for now.
I thought about having 2 pairs of endpoints (one pair which redirects and one which does not) and wiring my app on one or another accordingly, but it has major drawbacks: I'm forced to allocate x2 more IP addresses to my hosts (to bind endpoints on them) and I'm forced to configure DNS of the apps differently even if they're all on the same host.
Hope it's a little bit clear here. I think it's a little different from @migueleliasweb's use cases.

migueleliasweb Aug 10, 2016

@morvans Your use case and mine are very similar, what differs is the way we solved this issue.

Either way If we could have http to https redirect per frontend both cases would be resolved.

mcapuccini Sep 14, 2016

@emilevauge I have the same use case as @migueleliasweb, it would be very convenient to have a label e.g. "traefik.http.redirect=https", in order to redirect http requests to https.

scher200 Sep 28, 2016

+1 very convenient

mcapuccini Sep 28, 2016

@emilevauge @scher200 I have to say that running everything on HTTPS is not too bad after all. There will be some services that don't need encryption over HTTPS, but at least for my use case, it turned out not to be such a big deal.

dky Oct 13, 2016

+1 on label for http => https support.

emilevauge Nov 7, 2016

Member

@mcapuccini I think this is the simplest solution :)
Let's go with this new label traefik.http.redirect=https!

vanthiyathevan Feb 13, 2017

Any chance this makes it into v1.2?

RobertFach Feb 23, 2017

Hi,
I have the exact same use cases as described by @migueleliasweb. I was looking at the docker interface and have seen that it's not yet implemented. Do you need any help in getting that feature ready? I would really love to see this...

Thx,

4F2E4A2E Mar 11, 2017

Any status on traefik.http.redirect ?

SvenAbels Mar 23, 2017

+1 from me. Would be great to use such a label as this is a nice feature and the only important one that is not already covered by the docker labels.

tobiashinz Mar 23, 2017

Will this be available in the near future? The label sounds exactly like what I'd need.

@naftalivanderloon

+1

thotyl commented Mar 31, 2017

+1

tcolgate Apr 20, 2017

Contributor

We also need this.
Would it be possible to only redirect if no backend is configured for the frontend perhaps?

Geek2France Apr 20, 2017

+1

label traefik.http.redirect=https should be very useful !
I have the same need as migueleliasweb.

@containous containous locked and limited conversation to collaborators Apr 21, 2017

@ldez ldez added the priority/P2 label Apr 21, 2017

ldez Apr 22, 2017

Member

We understand the importance of the subject.
We will try to work on it as soon as possible.
You're welcome to submit a PR if we haven't already created one.

Remember the gentle way to participate:

  • add a "reaction" on the first message of the issue.
  • add more useful and detailed information on the subject.
  • solve the issue by making a PR.

SantoDE Oct 9, 2017

Contributor

Hey all,

please have a look at #2133 :)

@traefiker traefiker added this to the 1.5 milestone Nov 18, 2017

@traefiker traefiker closed this Nov 18, 2017
