Not able to redirect from http to https #208

Closed
zeroone-shreeram opened this issue Jun 25, 2020 · 19 comments

@zeroone-shreeram

zeroone-shreeram commented Jun 25, 2020

Is there any trick I can do to make the http to https redirect work?

I added --entrypoints.web.http.redirections.entryPoint.scheme=https in additionalArguments but it didn't work.

But when I add these two arguments while deploying from the helm chart:
--entrypoints.web.http.redirections.entryPoint.to=websecure --entrypoints.websecure.http.tls.certResolver=default

but when I browsed the URL it redirected me to example.com:8443/tpc.

Is this a bug in the traefik ingress controller or am I doing it wrong?

@SantoDE
Contributor

SantoDE commented Jun 26, 2020

Can you post your whole configuration files please?

@akhfa

akhfa commented Jul 10, 2020

Hi

> Can you post your whole configuration files please?

I think I can answer this question because I see the same additional /tcp path when redirecting to https.

I installed traefik using helm, listening on ports 80 and 443. These are my helm values, version 8.9.0:

additionalArguments:
  - "--providers.kubernetesingress.ingressclass=some-ingress-classname"
  - "--certificatesresolvers.letsprod.acme.tlschallenge=true"
  - "--certificatesresolvers.letsprod.acme.email=someemail@gmail.com"
  - "--entryPoints.web.http.redirections.entryPoint.to=websecure"
  - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
ingressRoute:
  dashboard:
    enabled: false
rollingUpdate:
  maxUnavailable: 1
  maxSurge: 0
hostNetwork: true
persistence:
  enabled: true
ports:
  web:
    port: 80
    hostPort: 80
  websecure:
    port: 443
    hostPort: 443
rbac:
  namespaced: true
securityContext: null

And then I deployed adminer using the latest version of the helm chart from https://cetic.github.io/helm-charts, with these values:

service:
  type: ClusterIP
ingress:
  enabled: true
  annotations:
    kubernetes.io/ingress.class: some-ingress-classname
    traefik.ingress.kubernetes.io/router.tls.certresolver: letsprod
  hosts:
    - somedomain.com
resources:
  limits:
    cpu: 100m
    memory: 128Mi

After I hit the domain, this is the result:

$ curl -I somedomain.com
HTTP/1.1 308 Permanent Redirect
Location: https://somedomain.com:443/tcp/
Date: Fri, 10 Jul 2020 12:54:19 GMT
Content-Length: 18
Content-Type: text/plain; charset=utf-8

Please see that the Location goes to the wrong path: Location: https://somedomain.com:443/tcp/

After some days searching for the root cause, I could finally narrow down the issue.
When I use the helm chart to deploy traefik, the parameters become like this:

        - --entryPoints.traefik.address=:9000/tcp
        - --entryPoints.web.address=:80/tcp
        - --entryPoints.websecure.address=:443/tcp

I tried to edit the traefik deployment file manually into this:

        - --entryPoints.traefik.address=:9000
        - --entryPoints.web.address=:80
        - --entryPoints.websecure.address=:443

And finally, the redirect issue is fixed:

$ curl -I somedomain.com
HTTP/1.1 308 Permanent Redirect
Location: https://somedomain.com/
Date: Fri, 10 Jul 2020 13:01:23 GMT
Content-Length: 18
Content-Type: text/plain; charset=utf-8

But in the first place, I'm not sure what the additional /tcp does in the --entryPoints parameter. Can we remove it as default?

If yes, I already created #219

Thank you
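
A check for the symptom reported in the comment above, as an added example that is not part of the original thread or the Traefik project: it parses `curl -I` output and flags a redirect whose `Location` changes the scheme, host, port or path. The function names and the assumption that 443 is the public HTTPS port belong to this example.

```python
from urllib.parse import urlsplit

# Responses taken from the curl -I output quoted in this thread (other headers omitted).
BROKEN = """HTTP/1.1 308 Permanent Redirect
Location: https://somedomain.com:443/tcp/
"""
FIXED = """HTTP/1.1 308 Permanent Redirect
Location: https://somedomain.com/
"""
WRONG_PORT = """HTTP/1.1 308 Permanent Redirect
Location: https://grafana.test.net:8443/
"""


def parse_head(raw):
    """Split raw `curl -I` output into (status code, {lowercased header: value})."""
    lines = [ln.strip() for ln in raw.strip().splitlines() if ln.strip()]
    status = int(lines[0].split()[1])
    headers = {}
    for ln in lines[1:]:
        name, _, value = ln.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_redirect(request_url, raw, public_port=443):
    """Return the problems found in an HTTP->HTTPS redirect; [] means it is clean."""
    req = urlsplit(request_url)
    status, headers = parse_head(raw)
    if status not in (301, 302, 307, 308):
        return [f"status {status} is not a redirect"]
    loc = urlsplit(headers.get("location", ""))
    want_path, got_path = req.path or "/", loc.path or "/"
    problems = []
    if loc.scheme != "https":
        problems.append(f"scheme is {loc.scheme!r}, expected 'https'")
    if loc.hostname != req.hostname:
        problems.append(f"host changed: {req.hostname} -> {loc.hostname}")
    if (loc.port or 443) != public_port:
        problems.append(f"port {loc.port} is not the public HTTPS port {public_port}")
    if got_path != want_path:
        problems.append(f"path changed: {want_path!r} -> {got_path!r}")
    return problems


if __name__ == "__main__":
    for url, raw in (("http://somedomain.com", BROKEN), ("http://somedomain.com", FIXED)):
        print(url, audit_redirect(url, raw) or "clean")
```
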

@akhfa

akhfa commented Jul 10, 2020

Hi @zeroone-shreeram

For your :8443 issue, can you try to add --entrypoints.websecure.address=:443 ?
I don't have this issue yet, so I'm also not sure, but I think an explicit websecure.address may solve this issue 🤔

Sources:
https://docs.traefik.io/migration/v1-to-v2/#http-to-https-redirection-is-now-configured-on-routers

@SantoDE
Contributor

SantoDE commented Jul 14, 2020

Hello @akhfa,

I was able to pin down the issue in Traefik itself. I've raised a PR on update to address that behavior. traefik/traefik#7047

@akhmadfld

Hi @SantoDE,

Thanks a lot for your help. I will wait for the release 😁

@monotek

monotek commented Aug 7, 2020

@SantoDE

Is this already implemented in the current image 2.2.8?
If so, what's the correct config to enable https redirect for all k8s ingresses?

When I use the v2.3.0-rc3 image the redirect goes to "8443" and not to "8433/tcp", but with port "8443" the redirect still fails.

HTTP/1.1 308 Permanent Redirect
Location: https://grafana.test.net:8443/
Date: Sat, 08 Aug 2020 09:38:43 GMT
Content-Length: 18
Content-Type: text/plain; charset=utf-8

If I try to set the websecure port to "443" via "--entrypoints.websecure.address=:443" in the helm chart, traefik will not start, with:

time="2020-08-08T09:23:58Z" level=info msg="Configuration loaded from flags."
2020/08/08 09:23:58 traefik.go:75: command traefik error: error while building entryPoint websecure: error preparing server: error opening listener: listen tcp :443: bind: permission denied

Disabling the security context, by overwriting 'securityContext:' with an empty value "", seems to help with the redirect but the page cannot be shown anymore:

curl -I http://grafana.test.net/
HTTP/1.1 308 Permanent Redirect
Location: https://grafana.k8s.uplink23.net/
Date: Sat, 08 Aug 2020 09:48:30 GMT
Content-Length: 18
Content-Type: text/plain; charset=utf-8
curl -I https://grafana.test.net/
curl: (35) OpenSSL SSL_connect: SSL_ERROR_SYSCALL in connection to grafana.k8s.uplink23.net:443 

@monotek

monotek commented Aug 8, 2020

Got it working now, with 2.3.0-rc3. This is the helm config which works for me:

    additionalArguments:
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entryPoint.to=websecure"

    ports:
      websecure:
        port: 443

    securityContext:
      capabilities: 
        drop: [ALL]
        add: [NET_BIND_SERVICE]
      runAsGroup: 0
      runAsNonRoot: false
      runAsUser: 0

Would be nice if this would work with "runAsNonRoot: true" though.

The ingress config of the grafana helm chart, as an example, has to look like:

    ingress:
      enabled: true
      annotations:
        kubernetes.io/tls-acme: 'false'
        traefik.ingress.kubernetes.io/router.tls: "true"
      hosts:
        - grafana.test.net
      tls:
        - secretName: le-wildcard-tls
          hosts:
            - grafana.test.net

@SantoDE
Contributor

SantoDE commented Aug 10, 2020

Cool! I'll close that one then.

@monotek

monotek commented Aug 10, 2020

@SantoDE
Is there any way to do this without the need to use port 443 and the root user?
I don't fully understand why an https redirect, which points to the fqdn, needs to be done internally with port 443?

@viceice

viceice commented Aug 10, 2020

This is not yet fixed, as the chart is using version 2.2.5 of traefik

https://github.com/containous/traefik-helm-chart/blob/8a64eda117418f9e2775b11a29a720e00cf199f1/traefik/values.yaml#L4

The bugfix was released in 2.2.6

ref #226

@monotek

monotek commented Aug 10, 2020

I've used image 2.3.0-rc3

@viceice

viceice commented Aug 10, 2020

@monotek sure, but the default image / chart isn't fixed, so one has to override the image tag.

@monotek

monotek commented Aug 10, 2020

Yes, I know.
I just wanted to back you, that I've got it working with a newer version ;-)

@SantoDE
Contributor

SantoDE commented Aug 10, 2020

There is now a new version of the helm chart, which includes Traefik 2.2.8. Feel free to give it a test ;)

@monotek

monotek commented Aug 11, 2020

Works with 2.2.8 too. Looking forward to seeing 2.3.0 final 😎

@lexfrei

lexfrei commented Nov 24, 2020

Is there any best practice for HTTP -> HTTPS redirection with this chart?
Looks like this is not enough to redirect to port 443, but I can't figure out how to do the redirection.

        ports:
          web:
            redirectTo: websecure

@monotek

monotek commented Nov 25, 2020

I've switched to contour as it's not possible to get a proper redirect with the kubernetes default ingress.
If you do it as described above, you can't use the CertManager HTTP challenge, because it's redirected to HTTPS too.
I guess you have to use the ingressroute crd to get it working, but with this you'll lose support for other tools relying on ingress, like external-dns.

@miend

miend commented Dec 23, 2020

> I guess you have to use the ingressroute crd to get it working, but with this you'll lose support for other tools relying on ingress, like external-dns.

@monotek It's definitely possible to get external-dns working alongside ingressRoute by using an empty ingress. For services I run with ingressRoutes, I run an ingress like this as part of the same release:

---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
  name: myapp-external-name-dns
  annotations:
    kubernetes.io/ingress.class: traefik
spec:
  rules:
    - host: "myapp.example.com"

This will route no traffic, but it will get picked up by external-dns as any normal ingress. It's a straightforward workaround for me.

@monotek

monotek commented Dec 23, 2020

This is imho only a workaround at best, as you need to configure your ingress twice, which is a pattern which is predetermined for failure.
Also the cert manager http challenge will still fail.

Switched to the Contour ingress controller now. Migration was easier than Traefik 1.7 to 2.x for us.
Likely will use istio ingress in 2021.
