Redirect http to https on a per container (per frontend) basis

[morvans]

It would be great if the ability to automatically redirect http to https could be enabled on a per-container basis using a label.

AFAICT, I don't think there's an issue and/or PR open for that.

[migueleliasweb]

I was searching exactly for that. Didn't find that too !

[migueleliasweb]

Context for the answer:

• In the company I work in we use Marathon as the Traefik provider
• We are migrating all web apps to be "reversed proxied" by Traefik
• All our web apps use only http or https. Not both at the same time.

I had no luck finding how to make this work. (I think it's not implemented yet, at least for the Marathon provider)

This is what I tried:

[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
      entryPoint = "https"
  [entryPoints.https]
  address = ":443"

If I configure Traefik like this, all my http traffic gets redirected to https and that I cannot allow because behind my reverse proxy there's multiple domains and some does not have a SSL linked to it.

Some apps use only HTTPS but we could not let Traefik respond a 404 if the user tries to access via HTTP because of some legacy integrations. Currently our nginx servers redirect all HTTP requests to HTTPS.

What I was forced to do to make it work was creating a simple redirect app on Marathon that reads and environment variable and if the requested host meets the criteria, the nginx returns a location header for the https url.

It's a workaround but until the team implements a per-frontend redirect there's no way to make this work directly from Traefik.... =/

[emilevauge]

You can use Marathon labels to connect apps to a specific entrypoint, http or https.

[migueleliasweb]

Hey @emilevauge I already do this but sadly when I do so the other protocol responds 404 and this breaks some older integrations that still references the old http routes...

Maybe I was not clear about what I did.

The main app (the one that runs the app server) has a "traefik.frontend.entryPoints=https" Label on Marathon, so it only recieves HTTPS requests but I have another app (the nginx redirector) that I can configure through env vars to respond a location from HTTP requests to HTTPS.

If I didn't have the redirector, my app would repond a 404 on HTTPS. That's the caveat.

[morvans]

On 09/08/2016 19:03, Emile Vauge wrote:

You can use Marathon labels to connect apps to a specific entrypoint,
http or https.

And is there any trick like this for Docker backend ?

[emilevauge]

@morvans

And is there any trick like this for Docker backend ?

Yep: http://docs.traefik.io/toml/#docker-backend

[emilevauge]

@migueleliasweb, I don't get what you are trying to do exactly here ^^
If you have:

[entryPoints.http.redirect]
      entryPoint = "https"

on your http entrypoint, it will redirect everything on your https, if your frontends are connected to both entrypoints http and https. Otherwise, if a frontend is only connected to http, the redirection will also be made to https, but as the frontend isn't connected to https, you will get a 404.

If you want to have some apps on http and others on https, you should configure traefik with:

[entryPoints]
  [entryPoints.http]
  address = ":80"
  [entryPoints.https]
  address = ":443"

and use labels to wire your frontends to the desired entrypoint. But you will not get http->https redirection in that case.

[migueleliasweb]

Hey @emilevauge ! Thanks for being so active !

When you said:

and use labels to wire your frontends to the desired entrypoint. But you will not get http->https redirection in that case.

That's exactly my case. My Traefik serves 3 types of web applications:

• Some are just HTTP (https requests could recieve 404, no problem)
• Some are just HTTPS (http requests...well you got it)
• Some (that's the tricky one) needs to be only HTTPS but the HTTP interface should redirect the requests to the relavite HTTPS urls.

It's all because of the last scenario...

If I wire the last app type to both HTTP and HTTPS, I get some problems due to some legacy users being able to access the app through non secure connections and possibly exposing sensitive data.

On the other hand ff I wire the last app only to HTTPS I get a 404 on HTTP requests (as i mentioned earlier...and that's a huge problem to the company because we need those users).

That's why I had to invent a way to cover this use case by creating a nginx container that redirect all incoming requests from HTTP to HTTPS. Example:

• The app only listens to HTTPS with "traefik.frontend.entryPoints=https" (Which OK but we have to deal with the non secure requests too).
• The nginx app listens ONLY to HTTP and returns header locations to the HTTPS domain (and uses the same traefik labels on marathon to configure itself as being the HTTP listener for that Host)

Well I think that's it. =]

EDIT: If there was a way to each frontend have a HTTP and HTTPS independent configurable entrypoint I would use it, but since I didn't found one I had to come up with something =P

[morvans]

As the OP, I would like to be a little more specific about my use case. Maybe we need to move some concerns to another issue.
I host several application (containers) on the same Docker host.
The goal is to deploy all application on both http & https but enable the transparent redirection only on a subset of it.
The reason is that some legacy app really wants to manage this redirection or need to be able to serve certain requests on plain HTTP. Also, transparently redirecting sometimes breaks some clients which won't follow 30x codes.
As far as I know, I can't do it (event with labels) for now.
I thought about having 2 pair of endpoints (one pair which redirects and one which do not) and wire my app on one or another accordingly, but it has major drawbacks : I'm forced to allocate x2 more IP address to my hosts (to bind endpoints on them) and I'm forced to configure DNS of the apps differently even if they're all on the same host.
Hope it's a little bit clear here. I think it's a little different from @migueleliasweb use cases.

[migueleliasweb]

@morvans Your use case and mine are very similar, what differs is the way we solved this issue.

Either way If we could have http to https redirect per frontend both cases would be resolved.

[mcapuccini]

@emilevauge I have the same use case as @migueleliasweb, it would be very convenient to have a label e.g. "traefik.http.redirect=https", in order to redirect http requests to https.

[scher200]

+1 very convenient

[mcapuccini]

@emilevauge @scher200 I have to say that running everything on HTTPS it is not too bad after all. There will be some services that don't need encryption over HTTPS, but at least for my use case, it turned out not being such a big deal.

[dky]

+1 on label for http => https support.

[emilevauge]

@mcapuccini I think this is the simplest solution :)
Let's go with this new label traefik.http.redirect=https!

[msuntharesan]

Any chance this makes it into v1.2?

[RobertFach]

Hi,
i have the exact same use cases as described by @migueleliasweb . I was looking at the docker interface and have seen that it's not yet implemented. Do you need any help in getting that feature ready? I would really love to see this...

Thx,

[4F2E4A2E]

Any status on traefik.http.redirect ?

[SvenAbels]

+1 from me. Would be great to use such a label as this is a nice feature and the only important one that is not already covered by the docker labels.

[tobiashinz]

Will this be available in the near future? The label sounds exactly like what I'd need.

[naftalivanderloon]

+1

[thotyl]

+1

[tcolgate]

We also need this.
Would it be possible to only redirect if no backend is configured for the frontend perhaps?

[Geek2France]

+1

label traefik.http.redirect=https should be very useful !
I have the same need as migueleliasweb.

[ldez]

We understand the importance of the subject.
We will try to work on it as soon as possible.
You're welcome to submit a PR if we don't already created one.

Remember the gentle way to participate:

• add a "reaction" on the first message of the issue.
• add more useful and detailed information on the subject.
• solve the issue by making a PR.

[SantoDE]

Hey all,

please have a look at #2133 :)