Traefik v2: 404 while routing HTTP traffic globally to HTTPS

荒凉一梦 提交于 2020-07-20 10:34:00

问题


I have the problem that I can route HTTPS traffic but I can not globally redirect the HTTP traffic to HTTPS. In my case I only want HTTPS traffic, so that I want to redirect all the incoming traffic.

Currently I get an 404 error while I try to serve my URLs over HTTP. I already enabled DEBUG logs in Treafik, but I can not see any problems or unnormal stuff in the logs.

Additionally I saw a pretty similar topic here on Stackoverflow, but we found out, that his error was not the same to mine: How to redirect http to https with Traefik 2.0 and Docker Compose labels?

The following setup is based on the blog entry here: https://blog.containo.us/traefik-2-0-docker-101-fc2893944b9d

My setup

I configured Traefik in my swarm like this:

global:
  checkNewVersion: false
  sendAnonymousUsage: false
api:
  dashboard: true
entryPoints:
  web:
    address: :80
  websecure:
    address: :443
providers:
  providersThrottleDuration: 2s
docker:
  watch: true
  endpoint: unix:///var/run/docker.sock
  swarmMode: true
  swarmModeRefreshSeconds: 15s
  exposedByDefault: false
  network: webgateway
log:
  level: DEBUG
accessLog: {}
certificatesResolvers:
  default:
    acme:
    email: {email}
    storage: /etc/traefik/acme/acme.json
    httpChallenge:
      entryPoint: web

And started Traefik with the following docker-compose file

version: '3'

services:
proxy:
    image: traefik:latest
    ports:
    - "80:80"
    - "443:443"
    volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - /data/docker_data/traefik/traefik-2.yml:/etc/traefik/traefik.yml
    - /data/docker_data/traefik/acme-2.json:/etc/traefik/acme/acme.json
    labels:
    # redirect
    - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    - "traefik.http.routers.redirs.rule=hostregexp(`{host:.+}`)"
    - "traefik.http.routers.redirs.entrypoints=web"
    - "traefik.http.routers.redirs.middlewares=redirect-to-https"

My services are configured with the following labels:

traefik.http.routers.myapp.rule=Host(`myapp.ch`)
traefik.http.routers.myapp.service=myapp
traefik.http.routers.myapp.entrypoints=websecure
# I don't think that the following one is required here...
# traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
traefik.http.routers.myapp.tls.certresolver=default
traefik.http.services.myapp.loadbalancer.server.port=3000
traefik.http.routers.myapp.tls=true
traefik.enable=true

Any ideas why this is not working?


回答1:


You don't need to configure the Traefik service itself. On Traefik you only need to have entrypoints to :443 (websecure) and :80 (web)

Because Traefik only acts as entryPoint and will not do the redirect, the middleware on the target service will do that.

Now configure your target service as the following:

version: '2'
services:
  mywebserver:
    image: 'httpd:alpine'
    container_name: mywebserver
    labels:
      - traefik.enable=true
      - traefik.http.middlewares.mywebserver-redirect-websecure.redirectscheme.scheme=https
      - traefik.http.routers.mywebserver-web.middlewares=mywebserver-redirect-websecure
      - traefik.http.routers.mywebserver-web.rule=Host(`sub.domain.com`)
      - traefik.http.routers.mywebserver-web.entrypoints=web
      - traefik.http.routers.mywebserver-websecure.rule=Host(`sub.domain.com`)
      - traefik.http.routers.mywebserver-websecure.tls.certresolver=mytlschallenge
      - traefik.http.routers.mywebserver-websecure.tls=true
      - traefik.http.routers.mywebserver-websecure.entrypoints=websecure
      # if you have multiple ports exposed on the service, specify port in the websecure service
      - traefik.http.services.mywebserver-websecure.loadbalancer.server.port=9000

So basically the flow goes like this:

Request: http://sub.domain.com:80 --> traefik (service) --> mywebserver-web (router, http rule) --> mywebserver-redirect-websecure (middleware, redirect to https) --> mywebserver-websecure (router, https rule) --> mywebserver (service)




回答2:


This is for those who are trying Global HTTP to HTTPS redirection on Traefik 2. Some of you might be getting 404 on the http endpoints. After literal hours spending on the different forums. This works for me. This applies for people who want to use pre-signed ssl certificates as well.

As most of us are using config provided in the traefik blogs and many dont contain the command section of traefik container where we declared for security purpose

"--providers.docker.exposedbydefault=false"

This prevents the global https redirector to work if we dont give

"traefik.enable=true"

here is the full file

version: "3.8"
services:
  traefik:
    image: "traefik:v2.2.1"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--providers.docker.watch=true"
      - "--providers.file.directory=/conf/"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - somenetwork
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
      - ./certs:/certs
      - ./conf:/conf
    labels:
      # this is needed as we did the --providers.docker.exposedbydefault=false
      - "traefik.enable=true"
      # middleware redirect
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # global redirect to https
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
  whoami:
    image: "containous/whoami"
    container_name: "simple-service"
    networks:
      - somenetwork
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami-secure.entrypoints=websecure"
      - "traefik.http.routers.whoami-secure.tls=true"
      - "traefik.http.routers.whoami-secure.rule=Host(`test.traefik.localhost`)"

I am also adding the certificates.toml inside conf directory. If you are working on localhost then you can add this using mkcert openssl etc. For production you need to need to get this from certificate providers. And you need to add the certificates in the certs folder.

[[tls.certificates]] #first certificate
   certFile = "/certs/_wildcard.traefik.localhost.pem"
   keyFile = "/certs/_wildcard.traefik.localhost-key.pem"

And of course you can use lets encrypt. There are a lot of blogs on that topic.

Hope this saves your times. :)




回答3:


I answered the same question here -> https://stackoverflow.com/a/61902804/7141682

as of v2.2 it is possible now to make a global redirect.

--entrypoints.web.address=:80
--entrypoints.web.http.redirections.entryPoint.to=websecure
--entrypoints.web.http.redirections.entryPoint.scheme=https
--entrypoints.web.http.redirections.entrypoint.permanent=true  # not always needed 
--entrypoints.websecure.address=:443

Hope that helps ;o)



来源:https://stackoverflow.com/questions/58666711/traefik-v2-404-while-routing-http-traffic-globally-to-https

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!