Traefik v2: How to configure HTTPS redirection and Let’s Encrypt

This article shows how to configure HTTPS redirection and certificate challenge in Traefik. This has been a problem in my set-up for some time and took multiple attempts to finally get working.

I think the main difference that finally helped me get it working is upgrading to Traefik 2.2.1 and switching over to dnsChallenge from httpChallenge. If your HTTP entrypoint is configured to redirect automatically then this will cause issues with Let’s Encrypt and solving the httpChallenge. (The challenge itself will be redirected and fail.)

The following configuration assumes a web entry point for HTTP traffic, as well as a websecure entrypoint for HTTPS traffic.

Solution 1: Working solution for HTTP redirection


Initially, I had configured an httpChallenge and set up the redirection using the redirectScheme middleware (https://doc.traefik.io/traefik/middlewares/redirectscheme/), linked to the container via Docker labels. Generating SSL certificates requires additional labels to link the certificate resolver to the HTTPS router (this will make sense later). All this works, but it means you have to create two routers per container:

  • Router 1: For HTTPS traffic using websecure entrypoint, with the linked certificate resolver and;
  • Router 2: For handling HTTP traffic on the web entrypoint and with the linked redirect middleware.

Folder Structure

file/
    dynamic_conf.yml
traefik.yaml
docker-compose.yaml
acme.json
traefik.log

# traefik.yaml

certificatesResolvers:

  myhttpchallenge:
    acme:
      email: "your@email.com"
      storage: "/acme.json"
      httpChallenge:
        entryPoint: web

# labels in MyApp's docker-compose.yaml file

labels:
    - "traefik.enable=true"
    - "traefik.http.routers.MyAppsRouter.rule=Host(`myapp.example.com`)"
    - "traefik.http.routers.MyAppsRouter.entrypoints=websecure"
    - "traefik.http.routers.MyAppsRouter.tls.certresolver=myhttpchallenge"
    - "traefik.http.routers.MyAppsRouter-insecure.rule=Host(`myapp.example.com`)"
    - "traefik.http.routers.MyAppsRouter-insecure.entrypoints=web"
    - "traefik.http.routers.MyAppsRouter-insecure.middlewares=redirecthttps"

Note that separate routers are required to configure everything we need. As you can see, there are a lot of labels, and this is just for one Docker container. It would be preferable to define all this in the Traefik configuration itself and use lightweight references in container labels instead.



Solution 2: Simplified HTTP Redirect in Traefik v2

Traefik dashboard screenshot showing the created entry point, HTTP router and service

We can simplify this as follows:

  1. Rather than define the redirect on the docker container, define it on the web entrypoint instead (Redirection Traefik Docs)
  2. Move the certificate resolver to the websecure entry point definition (TLS Traefik Docs)
  3. Replace HTTP Challenge with DNS Challenge

It is necessary to use DNS challenge because the redirect on our HTTP endpoint will interfere with the HTTP challenge. This is something I did not know how to fix before.

# dynamic_conf.yaml

http:
  middlewares:
    redirecthttps:
      redirectScheme:
        scheme: "https"
        permanent: true

# traefik.yaml

providers:
  docker:
    exposedByDefault: false
    network: public
  file:
    directory: /file
    watch: true

entryPoints:
  web:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true
  websecure:
    address: ":443"
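    forwardedHeaders:
      insecure: true # accepts X-Forwarded-* headers from any source address (forwardedHeaders.trustedIPs restricts this)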
    http:
      tls:
        certResolver: route53challenge

certificatesResolvers:
  route53challenge:
    acme:
      email: "your@email.com"
      storage: "/acme.json"
      dnsChallenge:
        provider: route53 # note that you have to supply environment variables to the traefik docker container for the DNS challenge providers

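api:
  insecure: true # serves the dashboard and API without authentication on the traefik entrypoint (port 8080 by default)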

log:
  level: INFO
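
The two `insecure: true` settings in the configuration above, next to a stricter form. This is an added example, not part of the original article. The proxy address, the hostname `traefik.example.com`, the middleware name `dashboard-auth` and the htpasswd path are assumptions.

```yaml
# traefik.yaml (static configuration): only the keys that change
entryPoints:
  websecure:
    address: ":443"
    # Before: forwardedHeaders.insecure: true accepted X-Forwarded-* from
    # anyone, so a client could forge the source IP that backends and logs see.
    # After: only the listed proxy is trusted. With no proxy in front of
    # Traefik, delete the forwardedHeaders block entirely.
    forwardedHeaders:
      trustedIPs:
        - "192.0.2.10/32" # placeholder: address of the upstream proxy
    http:
      tls:
        certResolver: route53challenge

api:
  # Before: insecure: true served the dashboard and API on :8080 with no login.
  dashboard: true
  insecure: false

---
# file/dynamic_conf.yml (dynamic configuration): publish the dashboard
# through websecure behind basic auth instead. Merge these keys with the
# existing redirecthttps middleware.
http:
  routers:
    dashboard:
      rule: "Host(`traefik.example.com`)" # assumed hostname
      entryPoints:
        - websecure
      service: api@internal
      middlewares:
        - dashboard-auth
  middlewares:
    dashboard-auth: # assumed name
      basicAuth:
        usersFile: "/etc/traefik/dashboard.htpasswd" # assumed path, mount it read-only
```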


With all this configured within Traefik itself, we can greatly simplify the labels on our containers. We no longer have to add the web entry point to our containers because the entry point itself will upgrade the request to HTTPS. At that point, the websecure entry point takes over.

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.testtest.rule=Host(`test.example.com`)"
      - "traefik.http.routers.testtest.entrypoints=websecure"
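
A docker-compose.yaml that ties Solution 2 together: the Traefik container with the Route 53 credentials for the DNS challenge, and one application that uses only the three labels above. This is an added example, not the author's file. The `traefik/whoami` backend, the `aws.env` file name and the mount paths are assumptions.

```yaml
# docker-compose.yaml (added example)
version: "3.7"

services:
  traefik:
    image: traefik:v2.2.1        # version named in the article
    restart: unless-stopped
    ports:
      - "80:80"                  # web: redirects to websecure
      - "443:443"                # websecure: TLS via route53challenge
      # 8080 is not published: with api.insecure=true the dashboard
      # and API answer there without authentication.
    env_file:
      # Assumed file holding AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY,
      # AWS_REGION and AWS_HOSTED_ZONE_ID for the route53 provider.
      # Keep it at mode 600 and out of version control.
      - ./aws.env
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yaml:/etc/traefik/traefik.yaml:ro
      - ./file:/file:ro
      # Holds the ACME account key and certificates. Create it empty and
      # chmod 600 before the first start; Traefik rejects looser modes.
      - ./acme.json:/acme.json
    networks:
      - public

  testtest:
    image: traefik/whoami        # assumed demo backend listening on port 80
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.testtest.rule=Host(`test.example.com`)"
      - "traefik.http.routers.testtest.entrypoints=websecure"
    networks:
      - public

networks:
  public:
    external: true               # created beforehand: docker network create public
```

The network name has to match `providers.docker.network` in traefik.yaml, otherwise Traefik may pick an address on a network it cannot reach.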

Conclusion

This has been a problem in my set-up for a long time. All of my previous attempts to configure this have failed for one reason or another, and I have heard from other users experiencing similar problems. Traefik is very well documented, which just added to my frustration with the system. To recap, upgrading to v2.2.1 and switching over to the DNS challenge has been critical in implementing HTTPS redirects for me.

Let me know in the comments if there are any issues with what I compiled in this article. Feel free to test my set-up by following this HTTP link.
