This article shows how to configure HTTPS redirection and the certificate challenge in Traefik. This has been a problem in my set-up for some time and took multiple attempts to finally get working.
I think the main difference that finally helped me get it working is upgrading to Traefik 2.2.1 and switching over to dnsChallenge from httpChallenge. If your HTTP entrypoint is configured to redirect automatically, this will cause issues with Let's Encrypt and solving the httpChallenge (the challenge request itself will be redirected and fail).
The following configuration assumes a web entry point for HTTP traffic, as well as a websecure entry point for HTTPS traffic.
Solution 1: Working solution for HTTP redirection
Initially, I had configured an httpChallenge and set up the redirection using the redirectScheme middleware (https://doc.traefik.io/traefik/middlewares/redirectscheme/), linked to the container via Docker labels. Generating SSL certificates requires additional labels to link the certificate resolver to the HTTPS router (this will make sense later). All this works, but it means you have to create two routers per container:
- Router 1: for HTTPS traffic, using the websecure entrypoint with the linked certificate resolver; and
- Router 2: for handling HTTP traffic on the web entrypoint, with the linked redirect middleware.
Folder Structure
file/
    dynamic_conf.yml
traefik.yaml
docker-compose.yaml
acme.json
traefik.log
# traefik.yaml
certificatesResolvers:
  myhttpchallenge:
    acme:
      email: "your@email.com"
      storage: "/acme.json"
      httpChallenge:
        entryPoint: web
# labels in MyApp's docker-compose.yaml file
labels:
  - "traefik.enable=true"
  # Router 1: HTTPS, with the certificate resolver attached
  - "traefik.http.routers.MyAppsRouter.rule=Host(`myapp.example.com`)"
  - "traefik.http.routers.MyAppsRouter.entrypoints=websecure"
  - "traefik.http.routers.MyAppsRouter.tls.certresolver=myhttpchallenge"
  # Router 2: HTTP, only there to redirect to HTTPS
  - "traefik.http.routers.MyAppsRouter-insecure.rule=Host(`myapp.example.com`)"
  - "traefik.http.routers.MyAppsRouter-insecure.entrypoints=web"
  # redirecthttps is a redirectScheme middleware; if it is declared in the file provider
  # (dynamic_conf.yaml) rather than via labels, Traefik v2 needs the provider suffix: redirecthttps@file
  - "traefik.http.routers.MyAppsRouter-insecure.middlewares=redirecthttps"
Note that separate routers are required to configure everything we need. As you can see, there are a lot of labels, and this is just for one Docker container. It would be preferable to define all this in the Traefik configuration itself and use lightweight references in container labels instead.
Solution 2: Simplified HTTP Redirect in Traefik v2
We can simplify this as follows:
- Rather than define the redirect on the Docker container, define it on the web entrypoint instead (Redirection Traefik Docs)
- Move the certificate resolver to the websecure entry point definition (TLS Traefik Docs)
- Replace the HTTP challenge with the DNS challenge
It is necessary to use the DNS challenge because the redirect on our HTTP entrypoint will interfere with the HTTP challenge. This is something I did not know how to fix before.
# dynamic_conf.yaml
http:
  middlewares:
    # redirectScheme middleware; once the redirect is configured on the web entryPoint
    # in traefik.yaml, routers no longer need to reference it
    redirecthttps:
      redirectScheme:
        scheme: "https"
        permanent: true
# traefik.yaml
providers:
  docker:
    exposedByDefault: false   # containers must opt in with traefik.enable=true
    network: public
  file:
    directory: /file          # holds dynamic_conf.yaml
    watch: true
entryPoints:
  web:
    address: ":80"
    http:
      redirections:           # every request on :80 is redirected to the websecure entryPoint
        entryPoint:
          to: websecure
          scheme: https
          permanent: true     # 308 Permanent Redirect instead of a temporary 302
  websecure:
    address: ":443"
    forwardedHeaders:
      insecure: true          # trusts X-Forwarded-* headers from any client; prefer trustedIPs unless behind a trusted proxy
    http:
      tls:
        certResolver: route53challenge   # every router on this entryPoint gets a certificate from this resolver
certificatesResolvers:
  route53challenge:
    acme:
      email: "your@email.com"
      storage: "/acme.json"   # the file must exist and have mode 600, otherwise Traefik refuses to use it
      dnsChallenge:
        provider: route53 # note that you have to supply environment variables to the traefik docker container for the DNS challenge providers
api:
  insecure: true              # exposes the API/dashboard unauthenticated on :8080; not for internet-facing deployments
log:
  level: INFO
With all this configured within Traefik itself, we can greatly simplify the labels on our containers. We no longer have to add the web entry point to our containers, because the entry point itself will upgrade the request to HTTPS. At that point, the websecure entry point takes over.
labels:
  - "traefik.enable=true"
  - "traefik.http.routers.testtest.rule=Host(`test.example.com`)"
  - "traefik.http.routers.testtest.entrypoints=websecure"
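To confirm that the entryPoint-level redirect above is actually in effect, and to see whether the ACME HTTP-01 challenge path is caught by it (the reason given above for moving to dnsChallenge), here is an added check script. It is not from the article; it assumes curl is installed and uses myapp.example.com as a placeholder host.

```shell
#!/usr/bin/env bash
# Added check script (not from the article). Verifies that an entryPoint-level
# redirect like the one above is in effect, and whether the ACME HTTP-01
# challenge path is caught by it. myapp.example.com is a placeholder host.
set -u

# Print "<status> <location>" from a raw response header block (as from `curl -sI`).
parse_redirect() {
  local status location
  status=$(printf '%s\n' "$1" | tr -d '\r' | awk 'NR==1 {print $2}')
  location=$(printf '%s\n' "$1" | tr -d '\r' | awk 'tolower($1)=="location:" {print $2; exit}')
  printf '%s %s\n' "${status:-000}" "${location:-none}"
}

# Succeed only for a 301/302/307/308 whose Location is https:// on the expected host.
is_https_redirect() {
  local headers="$1" host="$2" status location
  set -- $(parse_redirect "$headers")
  status=$1; location=$2
  case "$status" in 301|302|307|308) ;; *) return 1 ;; esac
  case "$location" in "https://$host"|"https://$host/"*) return 0 ;; *) return 1 ;; esac
}

# Live check (needs network and curl): ordinary requests on :80 must be redirected;
# if the ACME challenge path is redirected too, an httpChallenge on the web
# entryPoint cannot be answered, which is why the article switches to dnsChallenge.
check_host() {
  local host="$1" plain acme
  plain=$(curl -sI --max-time 10 "http://$host/") || { echo "no answer on :80"; return 2; }
  if is_https_redirect "$plain" "$host"; then
    echo "OK   http://$host/ -> $(parse_redirect "$plain")"
  else
    echo "FAIL http://$host/ -> $(parse_redirect "$plain") (no https redirect)"; return 1
  fi
  acme=$(curl -sI --max-time 10 "http://$host/.well-known/acme-challenge/probe") || return 2
  if is_https_redirect "$acme" "$host"; then
    echo "WARN challenge path is redirected; httpChallenge validation would fail here"
  else
    echo "OK   challenge path not redirected -> $(parse_redirect "$acme")"
  fi
}

# Usage: ./check_redirect.sh myapp.example.com
if [ -n "${1:-}" ]; then check_host "$1"; fi
```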
Conclusion
This has been a problem in my set-up for a long time. All of my previous attempts to configure this have failed for one reason or another, and I have heard from other users experiencing similar problems. Traefik is very well documented, which just added to my frustration with the system. To recap, upgrading to v2.2.1 and switching over to the DNS challenge has been critical in implementing HTTPS redirects for me.
Let me know in the comments if there are any issues with what I compiled in this article. Feel free to test my set-up by following this HTTP link.