Frontend passHostHeader config does not work with Backend https url config

[pluque]

Do you want to request a feature or report a bug?

Bug

What did you do?

I have a basic Frontend-Backend config.

My Frontend configuration uses passHostHeader=true configuration.
In the following IIS log from my container

• The first row, is when Traefik is configure with a Backend service url http://
• The second row, is when Traefik is configure with a Backend service url https://

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(Referer) **cs-host** sc-status sc-substatus
2018-02-09 18:24:33 172.29.246.42 GET /en-CA/Services/TSPrimaryData/GetAirports - 80 172.29.240.1 - **dev.my-business.com** 200 0
2018-02-09 18:29:42 172.29.246.42 GET /en-CA/Services/TSPrimaryData/GetAirports - 80 172.29.240.1 - **172.29.246.42** 200 0

As you can see with the cs-host logged info in bold, the host is passed when Backend is configured in http but not when it`s configured in https

What did you expect to see?

Frontend passHostHeader option work with Backend https url configuration.

What did you see instead?

Output of traefik version: (What version of Traefik are you using?)

(paste your output here)

What is your environment & configuration (arguments, toml, provider, platform, ...)?

# (paste your configuration here)

If applicable, please paste the log output in debug mode (--debug switch)

(paste your output here)

[ldez]

Thanks for your interest in Traefik !

Every question asked in issues means less features 😉.

The issue tracker is for reporting bugs and feature requests only.
For end-user related support questions, refer to one of the following:

• Stack Overflow using the "traefik" tag
• the Traefik community Slack channel

[pluque]

Guys its NOT a question. It`s a BUG. Backend https not working with Frontend passHostHeader. repoen it

[ldez]

@pluque Could you give more information? (logs, TOML, ...)

[pluque]

As I said early, when using https in backend url's configuration, host header doesn't seems to be forward

IIS logs(shrinked)

The first row, is when Traefik is configure with a backend url http://
The second row, is when Traefik is configure with a backend url https://

#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port c-ip cs(Referer) **cs-host** sc-status sc-substatus
2018-02-09 18:24:33 172.29.246.42 GET /en-CA/Services/TSPrimaryData/GetAirports - 80 172.29.240.1 - **dev.my-business.com** 200 0
2018-02-09 18:29:42 172.29.246.42 GET /en-CA/Services/TSPrimaryData/GetAirports - 80 172.29.240.1 - **172.29.246.42** 200 0

config TOML

################################################################
# Global configuration
################################################################

# Enable debug mode
#
# Optional
# Default: false
#
# debug = true

# Log level
#
# Optional
# Default: "ERROR"
# Accepted values, in order of severity: "DEBUG", "INFO", "WARN", "ERROR", "FATAL", "PANIC"
# Messages at and above the selected level will be logged.
#logLevel = "INFO"
#logLevel = "DEBUG"

# Entrypoints to be used by frontends that do not specify any entrypoint.
# Each frontend can specify its own entrypoints.
#
# Optional
# Default: ["http"]
#
defaultEntryPoints = ["http", "https"]

# Entrypoints definition
#
# Optional
# Default:
#[entryPoints]
#    [entryPoints.http]
#    address = ":80"
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "w:\\reverse-proxy\\certificates\\star.my-business.com\\star.my-business.com.cer"
      keyFile = "w:\\reverse-proxy\\certificates\\star.my-business.com\\star.my-business.com.pem"
      [[entryPoints.https.tls.certificates]]
      certFile = "w:\\reverse-proxy\\certificates\\star.my-business2.com\\star.my-business2.com.cer"
      keyFile = "w:\\reverse-proxy\\certificates\\star.my-business2.com\\star.my-business2.com.pem"

# Traefik logs
# Enabled by default and log to stdout
#
# Optional
#
# [traefikLog]

# Sets the filepath for the traefik log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
# filePath = "log/traefik.log"

# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format = "common"

# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
# [accessLog]

# Sets the file path for the access log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
# filePath = "/path/to/log/log.txt"

# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
# format = "common"

################################################################
# Web configuration backend
################################################################

# Enable web configuration backend
[web]

# Web administration port
#
# Required
#
address = ":8080"

################################################################
# Docker configuration backend
################################################################

# Enable Docker configuration backend
#[docker]

# Docker server endpoint. Can be a tcp or a unix socket endpoint.
#
# Required
# Default: "unix:///var/run/docker.sock"
#
#endpoint = "tcp://172.29.240.1:2375"

# Default domain used.
# Can be overridden by setting the "traefik.domain" label on a container.
#
# Optional
# Default: ""
#
# domain = "docker.localhost"

# Expose containers by default in traefik
#
# Optional
# Default: true
#
# exposedbydefault = true


[file]
directory = "w:\\reverse-proxy\\running-envi\\"
watch = true

file TOML

[frontends]
    [frontends.dev]
        backend = "dev"
        passHostHeader = true
        [frontends.dev.routes.any]
            rule = "Host:dev.my-business.com"
[backends]
    [backends.dev]
        [backends.dev.servers.1]
        url = "http://172.29.247.59"

[juliens]

Hi @pluque
After some tests, I can see that the passHostHeader works for me even in https.

I don't know where IIS take the host value for the logs, but in your application, you need to use the Host header.
In go source code, you can see 2 differents Host (one taken in the header, and one taken in the real url)

request.Host == "my.passed.Host"
request.URL.Host == "172.17.0.2" // container IP

[pluque]

I'll test it with a custom .net application...

Actually, we are using a .NET thrid party software which validates it's license based on that host header. As the host doesn't seems to be forward, the third party software replies with a http 503.

i'll keep you posted

[viceice]

If i enable https for the backend, traefik will check the certificate for the ip and not the hostname.

The ip is not included, so it will fail with a 500.

Looks like this is related to #4481