[2.2.0-rc2] kubernetes/ingress: bare host failed match on HTTP #6501

Closed
kardianos opened this issue Mar 16, 2020 · 9 comments · Fixed by #6504
Labels
area/provider/k8s/ingress kind/bug/confirmed a confirmed bug (reproducible). priority/P1 need to be fixed in next release status/5-frozen-due-to-age

kardianos commented Mar 16, 2020

Bug

What did you do?

Configure HTTP and HTTPS endpoints with middleware chain to redirect http to https.

What did you expect to see?

Redirect HTTP to HTTPS in all situations, including no or bare "/" path.

What did you see instead?

Without any path "" or maybe "/", the route "GET http://sub.domain" would fail to redirect to "https://sub.domain". It would just stop with a 404.

Output of traefik version: (What version of Traefik are you using?)

Version:      2.2.0-rc2
Codename:     chevrotin
Go version:   go1.14
Built:        2020-03-11T17:42:16Z
OS/Arch:      linux/amd64

What is your environment & configuration (arguments, toml, provider, platform, ...)?

Static configuration through environment for endpoints and Kubernetes Ingress and Kubernetes CRD setup. Kubernetes configuration for dynamic configuration for routes.

Kubernetes Ingress and KubernetesCRD, configured outside of the cluster.

If applicable, please paste the log output in DEBUG level (--log.level=DEBUG switch)

Nothing applicable in DEBUG level log.


I'm using the newly (re-)introduced Kubernetes Ingress (not IngressRoute) for my main configuration for various reasons. I'm also using a Middleware chain that is redirecting http to https and non-www to www sub-domains (plus header addition, etc). Appears to work well.

When testing certain bare HTTP sub-domains, I found traefik would return a 404 before it even encountered the middleware. Testing was complicated due to HSTS header. But for example I found: GET http://qa.mydomain.com -> 404 (middleware not encountered) while http://qa.mydomain/anything -> 200 using middleware. I was able to use the jaeger integration to determine if the middleware was encountered at all.

I manually resolved this by creating Kubernetes IngressRoutes that bound directly on the HTTP endpoint only, used the same middleware, and only matched on the host, no Path or PathPrefix. This corrected the behavior to the desired behavior.

I suspect this has to do with how a Kubernetes Ingress object is internally represented + how HTTP (non-TLS) traffic paths are handled. Traefik creates two rules for Kubernetes Ingress objects: Host and PathPrefix. I suspect that internally the Request.URL.Path is either "/" or "" (empty) for this request either incoming or after processing. Then the created PathPrefix(/) rule doesn't match. This only appears to happen on HTTP, not HTTPS.
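
An added regression check for the symptom reported above (not part of the original issue and not Traefik code): it requests each path over plain HTTP without following redirects and lists the paths that are not answered with a redirect to an https:// URL. `redirectGaps` and its parameters are hypothetical names, and `buggyProxy` is a constructed stand-in that reproduces the reported 404.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// redirectGaps sends GET <baseURL><path> with the given Host header, without following
// redirects, and returns each path not answered by a 3xx to an https:// Location.
func redirectGaps(baseURL, host string, paths []string) ([]string, error) {
	client := &http.Client{CheckRedirect: func(*http.Request, []*http.Request) error {
		return http.ErrUseLastResponse
	}}
	var gaps []string
	for _, p := range paths {
		req, err := http.NewRequest(http.MethodGet, baseURL+p, nil)
		if err != nil {
			return nil, err
		}
		req.Host = host // select the router by virtual host
		resp, err := client.Do(req)
		if err != nil {
			return nil, err
		}
		resp.Body.Close()
		if c := resp.StatusCode; c < 300 || c > 399 || !strings.HasPrefix(resp.Header.Get("Location"), "https://") {
			gaps = append(gaps, fmt.Sprintf("%q -> %d", p, c))
		}
	}
	return gaps, nil
}
// buggyProxy is a constructed stand-in for the reported symptom: 404 for the
// bare host (sent on the wire as "/"), HTTPS redirect for any other path.
func buggyProxy() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.URL.Path == "/" {
			http.NotFound(w, r)
			return
		}
		http.Redirect(w, r, "https://"+r.Host+r.URL.RequestURI(), http.StatusMovedPermanently)
	}))
}
func main() {
	srv := buggyProxy()
	defer srv.Close()
	fmt.Println(redirectGaps(srv.URL, "qa.mydomain.com", []string{"", "/", "/anything"}))
}
```

Go's HTTP client keeps no HSTS state, so the plain-HTTP request really reaches the listener, which avoids the browser complication mentioned in the report. The client sends an empty path as `/` on the wire, so the bare host and `/` are the same request.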

@ldez ldez self-assigned this Mar 17, 2020
@ldez ldez added this to issues in v2 via automation Mar 17, 2020
@ldez ldez mentioned this issue Mar 17, 2020

ldez commented Mar 17, 2020

@traefiker

Closed by #6504.

@traefiker traefiker added this to the 2.2 milestone Mar 18, 2020
v2 automation moved this from issues to Done Mar 18, 2020
@dtomcej dtomcej linked a pull request Mar 18, 2020 that will close this issue
@travisghansen

@ldez I just got around to trying this out and the experience is still less than ideal :( now none of my ingresses have tls on them by default.

ldez commented Mar 25, 2020

@travisghansen

@ldez ah, that helps. I'll do some more testing for a bit.

As an FYI the cli params did not work per the example in the doc:

  • --entrypoints.websecure.http.tls={} = failure
  • --entrypoints.websecure.http.tls=true = success

ldez commented Mar 25, 2020

--entrypoints.websecure.http.tls={} is not a valid flag and this is not documented like that

You have to click on the CLI tabs: https://docs.traefik.io/v2.2/migration/v2/#kubernetes-ingress

If you want to talk more, could you go to the forum, thank you.

@travisghansen

@ldez ah, thanks yet again! Overall this is looking much better (on rc4 atm)! I'll dig through several more scenarios and get even deeper into testing now that the basics are out of the way.

@traefik traefik locked and limited conversation to collaborators Mar 25, 2020
5 participants