-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Redirect all requests on entrypoint, even without frontend #2109
Comments
I think what you want is possible already. See the documentation here. Does this address your need? |
Thanks @timoreimann ; that is precisely what I am doing above. It doesn't work, though, unless a |
@deitch You might be able to create a dummy frontend using, say, the file provider. |
@timoreimann that is what I did in the end: [backends.dummy]
[backends.dummy.servers.server1]
url = "http://localhost:80"
# skipping...
[frontends.dummy]
backend = "dummy"
entrypoints = ["http"]
[frontends.dummy.routes.all]
rule = "PathPrefix:/" Main issues are:
|
I ran into this same problem and fixed it by using the dummy frontend/backend above. I think the dummy frontend/backend requirement should be removed. Until that time, at least the documentation on http://docs.traefik.io/configuration/entrypoints/#redirect-http-to-https should mention the frontend/backend requirement. |
+1 for this request plus updating the docs. It just took me an hour to find out that http://docs.traefik.io/configuration/entrypoints/#redirect-http-to-https:
is exactly not what it's doing (1.4.6) unless that entrypoint also has a frontend assigned. With |
The following should work but for some reason it redirects fine but then 404s on the HTTPS page, if I remove frontend.entryPoints and frontend.redirect it works on both HTTP and HTTPS. If I add https to the frontend.entryPoints it will infinitely redirect. version: "3.1"
services:
api:
image: [radecated]
networks:
- [radecated]
- traefik
deploy:
labels:
- "traefik.port=8000"
- "traefik.domain=[radecated].com"
- "traefik.frontend.rule=Host:[radecated].com"
- "traefik.frontend.entryPoints=http"
- "traefik.frontend.redirect.entryPoint=https"
- "traefik.frontend.passHostHeader=true"
- "traefik.docker.network=traefik-net"
placement:
constraints:
- node.labels.lw.role == web
restart_policy:
condition: on-failure
resources:
limits:
cpus: '0.25'
memory: 50M |
Same problem here. |
same here, maybe I don't know how to use it |
I had the same issue and found out that it works using |
See deitch‘s workaround above- the dummy fe/be fixed it for me. |
The reason why I linked my solution is that I think it's uncomfortable to set this in the entire traefik-config. It's more flexible to have it in our docker-compose file. For example, we avoid old entrys in the traefik configuration when containers were removed. |
@bweston92 @meskis @mariusstaicu @DMW007 @andig Could you open a dedicated issue ? |
Got the same 404 returned after a redirect from http to http.
Not sure if this is linked though. |
@lucj for me it works on https if I remove the redirect rule, is this the case for you? |
Do you mean the "traefik.frontend.headers.SSLRedirect=true" ?
Tried again with 1.5.1 but did not change anything. Still got 404 after
redirection to https.
|
@lucj could you go to the Traefik community Slack |
For all, could stop the "hijacking" of this issue, thanks 🙏 |
@bweston92 @meskis @mariusstaicu @DMW007 @andig the infinite loop is fixed by #2929 |
@andig Edit: the original issue is not closed. |
@ldez so now I can do just this and it will work? [entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entrypoint = "https"
[entryPoints.https]
address = ":443" If so, what released version of traefik supports it? |
According to ed65d00 it should be 1.5.3, however I'm still having to use the dummy workaround with the 1.5.3 docker image. Otherwise http requests end in 404. Shall we open a separate issue for that? |
Dunno. If the issue isn't fixed, then we should leave it open? |
I was wondering if this issue isn't more about your specific redirect rule as @ldez mentioned the hijacking. I'm just using [entryPoints.http.redirect]
entryPoint = "https" Can you confirm that it's not working for you either with 1.5.3? |
@andig I will try it. |
It works only partially. I definitely get the redirect when a frontend exists, using the following config: [entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
[[entryPoints.https.tls.certificates]]
certFile = "/etc/tls//my.cert"
keyFile = "/etc/tls/my.key" However, if the frontend does not exist, it still returns a FWIW, I am running it with compose using the following sample compose file, a variant on the compose in the traefik:
image: traefik:1.5.3
command: -c /etc/traefik.toml --logLevel=DEBUG
ports:
- "80:80"
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- $PWD/traefik.toml:/etc/traefik.toml
- $PWD/certs:/etc/tls
whoami1:
image: emilevauge/whoami
labels:
- "traefik.backend=whoami1"
- "traefik.frontend.rule=PathPrefix:/foo"
whoami2:
image: emilevauge/whoami
labels:
- "traefik.backend=whoami2"
- "traefik.frontend.rule=Host:whoami.docker.localhost"
whoami3:
image: emilevauge/whoami
labels:
- "traefik.backend=whoami2"
- "traefik.frontend.rule=Host:whoami.docker.localhost" If I $ curl -i localhost:80/foo/
HTTP/1.1 302 Found
Location: https://localhost:443/foo/
Date: Mon, 05 Mar 2018 16:13:39 GMT
Content-Length: 5
Content-Type: text/plain; charset=utf-8
Found
$ curl -i localhost:80/foo/bar/1
HTTP/1.1 302 Found
Location: https://localhost:443/foo/bar/1
Date: Mon, 05 Mar 2018 16:13:44 GMT
Content-Length: 5
Content-Type: text/plain; charset=utf-8
Found
$ curl -i localhost:80/abc
HTTP/1.1 404 Not Found
Content-Type: text/plain; charset=utf-8
X-Content-Type-Options: nosniff
Date: Mon, 05 Mar 2018 16:13:48 GMT
Content-Length: 19
404 page not found That last one should be a a |
@deitch What happens when you update your
Then run: curl -i whoami.docker.localhost:80/abc My suspicion is the hostname isn't matching your frontend rule:
|
@rms1000watt in my case I'm curling to an existing host, only on HTTP. Unless here is at least one frontend attached to the entrypoint it ends in 404 instead of redirect to https. I can provide the same details as deutch above if it helps. |
@rms1000watt that is the point. I am intentionally [entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https" |
Any update on this? What @deitch seems to be requesting should definitely be implemented. We want a "catch-all" redirect from HTTP -> HTTPS regardless if there's a configured service or not. |
@deitch while playing with https://gist.github.com/dduportal/55fcb9e9d19c8f6694efa044714a04f8 I've realized that I can get the http->https redirect to always work even if not frontend is defined (actually, without any frontend defined). The key point is that you'll need to include http in the default entrypoints if you don't want to create a frontend:
The explanation is in https://docs.traefik.io/configuration/commons/#main-section:
|
Hmm, I didn't think of that (but probably should have). Any downsides? Would it open anything else up that I wouldn't want? |
I tried, still couldn't get it to work: config: defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
minVersion = "VersionTLS12"
cipherSuites = [
"TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
"TLS_RSA_WITH_AES_256_GCM_SHA384"
]
[[entryPoints.https.tls.certificates]]
certFile = "/etc/tls/my.cert"
keyFile = "/etc/tls/my.key" and compose: traefik:
image: traefik:1.5.3
command: -c /etc/traefik.toml --logLevel=DEBUG --docker
ports:
- "80:80"
- "8080:8080"
volumes:
- /var/run/docker.sock:/var/run/docker.sock
- $PWD/traefik.toml:/etc/traefik.toml
- $PWD/certs:/etc/tls
whoami1:
image: emilevauge/whoami
labels:
- "traefik.backend=whoami1"
- "traefik.frontend.rule=PathPrefix:/foo"
whoami2:
image: emilevauge/whoami
labels:
- "traefik.backend=whoami2"
- "traefik.frontend.rule=Host:whoami.docker.localhost"
whoami3:
image: emilevauge/whoami
labels:
- "traefik.backend=whoami2"
- "traefik.frontend.rule=Host:whoami.docker.localhost" and the test:
|
@deitch I've tried your setup with 1.6.3. I can repro your results, but I'm not convinced that this is traefik's fault. Try
It seems it has to find any frontend which it can't do unless you supply the hostname? |
Why would I need to supply a hostname? It is an option in the http protocol, not a requirement. In any case, if I define a catch-all frontend it does work. |
Absolutely. I can only guess- but if there is no frontend at all (no dummy and no matching rule of any host) traefik might not do the redirect. Anyway, with matching hostname it's working for me. |
Closed by #4090. |
Do you want to request a feature or report a bug?
Feature
What did you do?
What did you expect to see?
Any request to
http://<host>/*
would be redirected tohttps://<host>/*
What did you see instead?
It only redirects for matching
frontend
s on the entrypoint. Thus, if I have a frontend defined for/foo
but not/bar
, thenhttp://<host/foo
->https://<host>/foo
buthttp://<host>/bar
does not redirect tohttps://<host>/bar
Output of
traefik version
: (What version of Traefik are you using?)1.3.8
Use case
If I want to enforce https across the board, then I would want to:
http
from thedefaultEntryPoints
array.http
gets sent tohttps
. It is not overridable at any pointInfoSec/Compliance teams often insist (rightly) that nothing gets returned from an
http
requests except a302
redirect: not a404
(because nofrontend
defined), nothing.The text was updated successfully, but these errors were encountered: