dockerdocker-composehttp-redirectelastic-load-balancertraefik

HTTPS-Redirect with Traefik behind Aws Loadbalancer


I'm trying to redirect all incoming Traefik from http to https, for a web application which gets served out of a docker container with a custom port.

If I build this docker compose file, and scale the application everything works as expected. I'm able to request http and https of the application, but I try to accomplish that only https get served and http gets redirected to https.

Since I use a Docker-Compose file, I don't have a Traefik.toml, and try to accomplish this without one.

Docker Compose:

traefik:
  image: traefik:latest
  command:
   - "--api"
   - "--docker"
   - "--docker.domain=example.com"
   - "--logLevel=DEBUG"
   - "--docker.watch"
  labels:
    - "traefik.enable=true"
  ports:
    - "80:80"
    - "8080:8080"
    - "443:443"
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock
    - /dev/null:/traefik.toml

application:
  image: application
  command: web
  tty: false
  stdin_open: true
  restart: always
  expose:
    - "8081"
  labels:
    - "traefik.backend=application"
    - "traefik.frontend.rule=HostRegexp:{subdomain:[a-z]+}.example.com"
    - "traefik.frontend.priority=1"
    - "traefik.enable=true"
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock

I try'd different variations on the application container, such as:

- "traefik.frontend.entryPoints=http,https"
- "traefik.frontend.redirect.entryPoint=https"
- "traefik.frontend.headers.SSLRedirect=true"

But the maximum I could accomplish was a to many redirects response, with the SSLRedirect label, and without I get the following from traefik and neither http or https requests get forwarded correctly.

 level=error msg="Recovered from panic in http handler: runtime error: invalid memory address or nil pointer dereference"

Can anyone push me in the right direction?

Thanks in advance ;)

I run under the following Settings

 user:~$ docker --version
 Docker version 1.13.1, build 092cba3

 user:~$ docker-compose --version
 docker-compose version 1.8.0

Docker PS Response

IMAGE           COMMAND                 ... PORTS                                                              NAMES
application     "dotnet Web..."         ... 8081/tcp                                                           components_application_1
traefik:latest  "/traefik --api --..."  ... 0.0.0.0:80->80/tcp, 0.0.0.0:443->443/tcp, 0.0.0.0:8080->8080/tcp   components_traefik_1

Infrasturcture Setup

 aws-elb => vpc => ec2...ecn 
                   traefik per instance, 
                   n applications per instance

Solution

  • This only works until traefik v1.7, after v2.* you need another config setup, which i haven't figured out yet

    After a deeper research, i found the solution myself.

    The problem was a missing label on the application Container, after i added

    - "traefik.frontend.headers.SSLProxyHeaders=X-Forwarded-Proto: https"
    - "traefik.frontend.headers.SSLRedirect=true"
    

    on my application containers it worked like a charm with a clear 301 redirect.

    Why the need of the header, in default the aws-elb takes a https request and forwards it with a HTTP(80) to the connected Instance, during this process the elb adds the X-Forwarded-Proto: https Header to the request.

    Since traefik doesn't know that it is running behind an elb it does the redirect over and over again. But the Header stops this behavior.