Redirect http to https on a per container (per frontend) basis #541

Closed
morvans opened this issue Jul 19, 2016 · 26 comments

@morvans morvans commented Jul 19, 2016

It would be great if the ability to automatically redirect http to https could be enabled on a per-container basis using a label.

AFAICT, I don't think there's an issue and/or PR open for that.

@migueleliasweb migueleliasweb commented Aug 8, 2016

I was searching for exactly that. Didn't find that either!

@migueleliasweb migueleliasweb commented Aug 9, 2016

Context for the answer:

  • In the company I work in we use Marathon as the Traefik provider
  • We are migrating all web apps to be "reversed proxied" by Traefik
  • All our web apps use only http or https. Not both at the same time.

I had no luck finding how to make this work. (I think it's not implemented yet, at least for the Marathon provider)

This is what I tried:

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"

If I configure Traefik like this, all my http traffic gets redirected to https, and that I cannot allow, because behind my reverse proxy there are multiple domains and some do not have an SSL linked to them.

Some apps use only HTTPS, but we could not let Traefik respond with a 404 if the user tries to access via HTTP because of some legacy integrations. Currently our nginx servers redirect all HTTP requests to HTTPS.

What I was forced to do to make it work was to create a simple redirect app on Marathon that reads an environment variable and, if the requested host meets the criteria, the nginx returns a location header for the https url.

It's a workaround but until the team implements a per-frontend redirect there's no way to make this work directly from Traefik.... =/

Member

@emilevauge emilevauge commented Aug 9, 2016

You can use Marathon labels to connect apps to a specific entrypoint, http or https.

@migueleliasweb migueleliasweb commented Aug 9, 2016

Hey @emilevauge, I already do this, but sadly when I do so the other protocol responds 404, and this breaks some older integrations that still reference the old http routes...

Maybe I was not clear about what I did.

The main app (the one that runs the app server) has a "traefik.frontend.entryPoints=https" label on Marathon, so it only receives HTTPS requests, but I have another app (the nginx redirector) that I can configure through env vars to respond with a location from HTTP requests to HTTPS.

If I didn't have the redirector, my app would respond with a 404 on HTTPS. That's the caveat.

Author

@morvans morvans commented Aug 9, 2016

On 09/08/2016 19:03, Emile Vauge wrote:

You can use Marathon labels to connect apps to a specific entrypoint,
http or https.

And is there any trick like this for Docker backend ?

Member

@emilevauge emilevauge commented Aug 9, 2016

@morvans

And is there any trick like this for Docker backend ?

Yep: http://docs.traefik.io/toml/#docker-backend

Member

@emilevauge emilevauge commented Aug 9, 2016

@migueleliasweb, I don't get what you are trying to do exactly here ^^
If you have:

[entryPoints.http.redirect]
      entryPoint = "https"

on your http entrypoint, it will redirect everything on your https, if your frontends are connected to both entrypoints http and https. Otherwise, if a frontend is only connected to http, the redirection will also be made to https, but as the frontend isn't connected to https, you will get a 404.

If you want to have some apps on http and others on https, you should configure traefik with:

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"

and use labels to wire your frontends to the desired entrypoint. But you will not get http->https redirection in that case.

@migueleliasweb migueleliasweb commented Aug 10, 2016

Hey @emilevauge ! Thanks for being so active !

When you said:

and use labels to wire your frontends to the desired entrypoint. But you will not get http->https redirection in that case.

That's exactly my case. My Traefik serves 3 types of web applications:

  • Some are just HTTP (https requests could receive 404, no problem)
  • Some are just HTTPS (http requests...well you got it)
  • Some (that's the tricky one) need to be only HTTPS but the HTTP interface should redirect the requests to the relative HTTPS urls.

It's all because of the last scenario...

If I wire the last app type to both HTTP and HTTPS, I get some problems due to some legacy users being able to access the app through non secure connections and possibly exposing sensitive data.

On the other hand, if I wire the last app only to HTTPS I get a 404 on HTTP requests (as I mentioned earlier... and that's a huge problem for the company because we need those users).

That's why I had to invent a way to cover this use case by creating an nginx container that redirects all incoming requests from HTTP to HTTPS. Example:

  • The app only listens to HTTPS with "traefik.frontend.entryPoints=https" (which is OK, but we have to deal with the non-secure requests too).
  • The nginx app listens ONLY to HTTP and returns header locations to the HTTPS domain (and uses the same traefik labels on marathon to configure itself as being the HTTP listener for that Host)

Well I think that's it. =]

EDIT: If there was a way for each frontend to have an independently configurable HTTP and HTTPS entrypoint I would use it, but since I didn't find one I had to come up with something =P
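
The workaround described in the comment above (a small HTTP-only service that redirects selected hosts to HTTPS), written in Go as an added example; it is not code from this thread or from Traefik. The `REDIRECT_HOSTS` variable, port 8080 and all function names are assumptions made for illustration.

```go
package main

import (
	"net"
	"net/http"
	"os"
	"strings"
)

// parseHosts turns a comma-separated list into a lower-cased allowlist set.
func parseHosts(csv string) map[string]bool {
	set := map[string]bool{}
	for _, h := range strings.Split(csv, ",") {
		if h = strings.ToLower(strings.TrimSpace(h)); h != "" {
			set[h] = true
		}
	}
	return set
}

// redirectTarget returns the HTTPS URL for a request, or ok=false when the
// Host header is not allowlisted, so a forged Host cannot steer the redirect.
func redirectTarget(hostHeader, requestURI string, allowed map[string]bool) (string, bool) {
	host := strings.ToLower(hostHeader)
	if h, _, err := net.SplitHostPort(host); err == nil {
		host = h // drop ":80" so the target uses the default HTTPS port
	}
	// Absolute-form or "*" request targets are refused, only paths are kept.
	if !allowed[host] || !strings.HasPrefix(requestURI, "/") {
		return "", false
	}
	return "https://" + host + requestURI, true
}

// redirector answers plain HTTP: 301 for allowlisted hosts, 404 otherwise.
func redirector(allowed map[string]bool) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if target, ok := redirectTarget(r.Host, r.RequestURI, allowed); ok {
			http.Redirect(w, r, target, http.StatusMovedPermanently)
			return
		}
		http.NotFound(w, r)
	})
}

func main() {
	allowed := parseHosts(os.Getenv("REDIRECT_HOSTS")) // hypothetical variable
	panic(http.ListenAndServe(":8080", redirector(allowed)))
}
```

Hosts that are not on the list get a 404 from this service, which matches the behaviour of a frontend wired only to the https entrypoint.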

Author

@morvans morvans commented Aug 10, 2016

As the OP, I would like to be a little more specific about my use case. Maybe we need to move some concerns to another issue.
I host several applications (containers) on the same Docker host.
The goal is to deploy all applications on both http & https but enable the transparent redirection only on a subset of them.
The reason is that some legacy apps really want to manage this redirection or need to be able to serve certain requests on plain HTTP. Also, transparently redirecting sometimes breaks some clients which won't follow 30x codes.
As far as I know, I can't do it (even with labels) for now.
I thought about having 2 pairs of endpoints (one pair which redirects and one which does not) and wiring my apps to one or the other accordingly, but it has major drawbacks: I'm forced to allocate x2 more IP addresses to my hosts (to bind endpoints on them) and I'm forced to configure DNS of the apps differently even if they're all on the same host.
Hope it's a little bit clear here. I think it's a little different from @migueleliasweb use cases.

@migueleliasweb migueleliasweb commented Aug 10, 2016

@morvans Your use case and mine are very similar, what differs is the way we solved this issue.

Either way, if we could have http to https redirect per frontend, both cases would be resolved.

@mcapuccini mcapuccini commented Sep 14, 2016

@emilevauge I have the same use case as @migueleliasweb, it would be very convenient to have a label e.g. "traefik.http.redirect=https", in order to redirect http requests to https.

@scher200 scher200 commented Sep 28, 2016

+1 very convenient

@mcapuccini mcapuccini commented Sep 28, 2016

@emilevauge @scher200 I have to say that running everything on HTTPS is not too bad after all. There will be some services that don't need encryption over HTTPS, but at least for my use case, it turned out not to be such a big deal.

@dky dky commented Oct 13, 2016

+1 on label for http => https support.

Member

@emilevauge emilevauge commented Nov 7, 2016

@mcapuccini I think this is the simplest solution :)
Let's go with this new label traefik.http.redirect=https!

@msuntharesan msuntharesan commented Feb 13, 2017

Any chance this makes it into v1.2?

@RobertFach RobertFach commented Feb 23, 2017

Hi,
I have the exact same use cases as described by @migueleliasweb. I was looking at the docker interface and have seen that it's not yet implemented. Do you need any help in getting that feature ready? I would really love to see this...

Thx,

@4F2E4A2E 4F2E4A2E commented Mar 11, 2017

Any status on traefik.http.redirect ?

@SvenAbels SvenAbels commented Mar 23, 2017

+1 from me. Would be great to use such a label as this is a nice feature and the only important one that is not already covered by the docker labels.

@tobiashinz tobiashinz commented Mar 23, 2017

Will this be available in the near future? The label sounds exactly like what I'd need.

@naftalivanderloon naftalivanderloon commented Mar 29, 2017

+1

@thotyl thotyl commented Mar 31, 2017

+1

Contributor

@tcolgate tcolgate commented Apr 20, 2017

We also need this.
Would it be possible to only redirect if no backend is configured for the frontend perhaps?

@Geek2France Geek2France commented Apr 20, 2017

+1

label traefik.http.redirect=https should be very useful !
I have the same need as migueleliasweb.

@containous containous locked and limited conversation to collaborators Apr 21, 2017
@ldez ldez added the priority/P2 label Apr 21, 2017
Member

@ldez ldez commented Apr 22, 2017

We understand the importance of the subject.
We will try to work on it as soon as possible.
You're welcome to submit a PR if we haven't already created one.

Remember the gentle way to participate:

  • add a "reaction" on the first message of the issue.
  • add more useful and detailed information on the subject.
  • solve the issue by making a PR.

Contributor

@SantoDE SantoDE commented Oct 9, 2017

Hey all,

please have a look at #2133 :)

@traefiker traefiker added this to the 1.5 milestone Nov 18, 2017
@traefiker traefiker closed this Nov 18, 2017