Unable to redirect from http to https behind AWS load balancer - traefik

I'm running traefik on an AWS instance with a rancher back-end. I am terminating SSL at the AWS load balancer, and am communicating on port 80 with the instance, which forwards the :80 traffic to the traefik container.
So the Load balancer currently has:
https:443 ==> http:80
http:80 ==> http:80
That means, if you type https://example.com, you get SSL, and if you type http://example.com, you just get an ordinary http connection.
The desire is to have an auto redirect via http 302 -- it would redirect http://example.com to https://example.com.
So far what I've unsuccessfully tried is the following:
**AWS Load balancer**
https:443 => http:80
http:80 => http:81
traefik.toml
------------
[entryPoints]
[entryPoints.http]
address = ":81"
[entryPoints.http.redirect]
regex = "^http://example.com/(.*)"
replacement = "https://example.com/$1"
address = ":80"
docker-compose.yml
------------------
API-Proxy:
  container_name: api-proxy
  image: traefik
  volumes:
    - "/var/run/docker.sock:/var/run/docker.sock"
    - "$PWD/traefik.toml:/etc/traefik/traefik.toml"
  command: "--web --rancher --docker.domain=rancher.localhost --logLevel=DEBUG"
  cpu_shares: 128
  restart: always
  ports:
    - 80:80/tcp
    - 81:81/tcp
    - 8100:8080/tcp
When I try accessing via port 80, there's a timeout. Traefik logs don't seem to be helpful.
Is this a silly approach? Or is it better to terminate SSL at the Traefik container using Let's Encrypt?

Try something like this in your Traefik config. Then forward both ports 443 and 80 on the LB to port 80 on Traefik.
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
regex = "^http://(.*)"
replacement = "https://$1"

I do this in Kubernetes on AWS currently. It's a little fiddly to get just right, but it is totally possible.
First you need to make sure that your ELB is listening for HTTP (not HTTPS) on port 80 and for HTTPS on port 443. If you have the ELB listening for HTTPS on port 80, you'll get very strange behavior by clients. Check that first. Note: this is the default behavior if you have deployed Traefik using Helm.
Use aws elb describe-load-balancers to print out all of your ELBs. You'll have to find the ELB in there (I don't know how to tell you which one it is) and look in the LoadBalancerDescriptions[].ListenerDescriptions[].Listener.Protocol and InstanceProtocol to make sure that they are HTTPS and HTTP, respectively.
Second, this is all you need in your config.toml:
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
regex = "^http://(.*)"
replacement = "https://$1"
[entryPoints.httpn]
address = ":8880"
compress = true
Explanation:
Listen on port 80
Set up a permanent redirect for any traffic on port 80 to port 8880
Listen on port 8880 with HTTP and enable gzip compression
The ELB should have port 80 mapped to port 80 and port 443 mapped to port 8880. Now all HTTP traffic will be automatically redirected (use curl -v -L http://example.com to test) to HTTPS and terminated at the ELB and forwarded as HTTP to Traefik.
I am still looking for a good way to specify the protocols for the ELB listeners on deploy but I haven't come up with a good solution other than manually changing them via the AWS console after I deploy Traefik.

Related

How to expose two HTTPS ports?

I am considering switching to traefik to control my docker containers and everything looks great so far. One thing I could not find in the docs is how to expose several HTTPS ports.
The documentation mentions that the exposed port is defined as:
[entryPoints]
[entryPoints.https]
address = ":443"
What should I put there to tell traefik that I would like to listen for HTTPS traffic on 443 and 50443?
Just define another entrypoint following the same scheme but name it differently, e.g. [entrypoints.verysecure]. Remember that every TLS entrypoint needs a cert/key configuration.

Configuring https on lighttpd

I'm configuring https on standard Alpine Linux/3.9.0, running PHP/7.2.14 and lighttpd/1.4.52 (ssl). I have my domain name up (I'll call it "mydomain.com") and I've gotten the ssl files mydomain.crt, mydomain.p7b, mydomain.ca-bundle, mydomain.key, and mydomain.pem.
- When I search with http at mydomain.com:443, I access my website.
- When I search with https at mydomain.com, the connection times out.
I have configured /etc/lighttpd/lighttpd.conf incorrectly, and I think it has something to do with my ".crt" file. I have searched around StackOverflow and by googling it, but the two most helpful sources were:
https://tecadmin.net/configure-ssl-in-lighttpd-server/
https://www.digicert.com/ssl-certificate-installation-lighttpd.htm
This was added/modified in the default configuration file /etc/lighttpd/lighttpd.conf:
server.port = 443
$SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "/etc/lighttpd/mydomain.pem"
    ssl.ca-file = "/etc/lighttpd/mydomain.crt"
    server.name = "mydomain"
    server.document-root = "/var/www/localhost/htdocs"
}
I have also tried replacing
ssl.ca-file = "/etc/lighttpd/mydomain.crt"
with
ssl.ca-file = "/etc/lighttpd/mydomain.ca-bundle"
I was expecting /etc/lighttpd/mydomain.crt to work, but I can only access port 443 through http (successful connection), not through https (connection time out). I have one .crt file (mydomain.crt). Am I supposed to modify the file mydomain.ca-bundle as a .crt file?
Okay, so the perpetrator was this line right here:
server.port = 443
Me being a novice at this, I didn't realize you should have port 80 AND port 443 open to enable https. lighttpd uses 80 by default, so I just had to comment out the line:
# server.port = 443
Note for future readers: it follows that for https, ports 80 and 443 must also be port-forwarded on your router.

Magento 2: Too many redirects behind traefik reverse-proxy

In front of my web servers and Docker applications I'm running Traefik to handle load balancing and reverse-proxy. In this specific case Magento 2 is running on another host in the same private network as the Traefik host.
Traefik: 192.168.1.30
Magento: 192.168.1.224
Traffic is coming into the firewall on port 80/443 and forwarded to Traefik which forwards the request based on the domain name (in this case exampleshop.com).
My Traefik configuration looks like this:
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
[backends]
[backends.backend-exampleshop]
[backends.backend-exampleshop.servers.server1]
url = "http://192.168.1.224:80"
passHostHeader = true
[frontends]
[frontends.exampleshop]
backend = "backend-exampleshop"
[frontends.exampleshop.routes.hostname]
rule = "Host:exampleshop.com"
For regular websites above configuration always worked as expected (a working HTTPS connection with valid Let's Encrypt cert) but in this Magento 2 case it results in:
ERR_TOO_MANY_REDIRECTS
Therefore I'm unable to reach both my homepage and my admin page. Looking at the database records, I've configured both my unsecure and secure URL as https://exampleshop.com to avoid redirect errors.
Apache is listening fine on port 80, and when contacted directly (by changing my hosts file) the page gets displayed just fine over HTTP.
What am I missing here?
Commenting out the code below solved this case, OR
Enable ACME on your Traefik and switch SSL mode on Cloudflare to Full (if enabled)
[entryPoints.http.redirect]
entryPoint = "https"
I suppose that 192.168.1.224 is the IP (local) where Traefik is installed.
entryPoints.http : address = ":80" == address = "0.0.0.0:80"
https://exampleshop.com
entryPoints.https (because https == port 443)
frontends.example1 (because rule = "Host:exampleshop.com")
backend-example1: server = "http://192.168.1.224:80"
entryPoints.http because :80 == http://192.168.1.224:80
redirection to entryPoints.https
etc
Try to change the port of your local application.
Actually, the config was completely valid, but Cloudflare's crypto/SSL settings were set to Flexible instead of Full, causing a loop.
I ran into this as well, but I've found I have to add this:
ingress.kubernetes.io/ssl-proxy-headers: "X-Forwarded-Proto: https"
in our Kubernetes ingress manifests, and it fixes it.
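The load-balancer question at the top of the page, the Cloudflare "Flexible" loop in this thread and the X-Forwarded-Proto fix in the comment above all come down to one thing: Traefik v1's entryPoint redirect decides by the port a request lands on, while the backend decides by the scheme it believes the client used. The following is an added example, not code from any of the posts: a small Python model of a TLS-terminating edge (ELB or Cloudflare) in front of Traefik, where the port maps, the assumption that the edge sets X-Forwarded-Proto to the client's scheme, and the backend's redirect rule are all constructed for illustration.

```python
# Added example (not from any of the posts): a minimal model of a TLS-terminating edge
# (ELB or Cloudflare) in front of Traefik v1 with [entryPoints.http.redirect], showing
# which listener-to-port mappings redirect cleanly and which loop. All values constructed.
SITE = "exampleshop.com"  # hostname from the Magento question

# Edge listener -> Traefik port, keyed by the scheme the client used.
ELB_BOTH_TO_80 = {"http": 80, "https": 80}       # first question's original LB setup
ELB_ANSWER = {"http": 80, "https": 8880}         # second answer: 443 -> 8880, 80 -> 80
CLOUDFLARE_FULL = {"http": 80, "https": 443}     # "Full": origin reached on its https port
CLOUDFLARE_FLEXIBLE = {"http": 80, "https": 80}  # "Flexible": origin always plain :80


def traefik(port, headers, redirect_on_80=True, force_proto=None):
    """entryPoints.http (:80) with a redirect block bounces every request to https, whatever
    the headers say. Any other entryPoint proxies to the backend, passing X-Forwarded-Proto
    through (or forcing it, like the ssl-proxy-headers annotation in the last comment)."""
    if port == 80 and redirect_on_80:
        return "redirect", f"https://{SITE}/"
    proto = force_proto or headers.get("X-Forwarded-Proto", "https" if port == 443 else "http")
    return "proxy", {"X-Forwarded-Proto": proto}


def backend(headers):
    """Magento with both base URLs set to https://exampleshop.com: it issues its own
    redirect unless the request is marked as already secure (assumed behaviour)."""
    return "ok" if headers.get("X-Forwarded-Proto") == "https" else "redirect"


def fetch(client_scheme, port_map, edge_sets_proto=True, **traefik_opts):
    """Follow redirects like `curl -L`; returns the outcome and the schemes tried in order."""
    hops, scheme = [], client_scheme
    for _ in range(10):  # browsers give up after roughly this many hops
        hops.append(scheme)
        # The edge terminates TLS; Traefik only sees which port the request landed on and,
        # if the edge is configured for it, an X-Forwarded-Proto header.
        edge_headers = {"X-Forwarded-Proto": scheme} if edge_sets_proto else {}
        action, fwd = traefik(port_map[scheme], edge_headers, **traefik_opts)
        if action == "redirect" or backend(fwd) == "redirect":
            scheme = "https"
            continue
        return "ok", hops
    return "too_many_redirects", hops
```

Calling fetch("https", CLOUDFLARE_FLEXIBLE) reproduces the loop from this thread, and fetch("https", ELB_ANSWER, edge_sets_proto=False) reproduces the case the last comment fixes with force_proto="https".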

DNS record with different ports

I have a very cheap VPS with the IP 123.123.123.123 which listens on these ports: 7000, 7001, ... 7020. Apache listens on port 7010. Then I can access my website with http://123.123.123.123:7010.
As this is a shared IP, I cannot listen on port 80 myself with my VPS: I only have access to 7000 ... 7020.
I have registered a domain mydomain1.com by a domain provider and I'm using their nameservers.
How to set up the DNS records such that any user going to http://www.mydomain1.com will be transparently directed to my website, with Apache? (the browser will probably default to port 80, is that right?)
I initially thought about such a DNS record:
Name TTL Type Priority Content
*.mydomain1.com 3600 A 0 123.123.123.123
but then, I think I would have to access the website with http://www.mydomain1.com:7010 (which is not nice) and not http://www.mydomain1.com (which would be better).
Unfortunately you cannot specify ports on DNS records. The only way to make it work as you expect is to have a reverse proxy running elsewhere (nginx, haproxy), listening on port 80, and then forward traffic to your server.
Some useful information about HTTP proxying with nginx:
What is a reverse proxy?
Configuring nginx as a reverse proxy for apache

AWS linux test page when using https

I am using an AWS instance, Apache server and tomcat7 under Apache.
I am able to hit my site with "http": http://www.example.com and everything is normal.
But when I am trying to hit it using "https": https://www.example.com, I get the Linux AMI test page. Is there any configuration I need to change in the httpd config file?
I have also tried: netstat -ptnl | grep ":443" and the response is:
tcp 0 0 :::443 :::* LISTEN 11722/httpd
My ELB listeners:
So, where am I going wrong?
From the ELB configuration you have shared, it looks like you have configured SSL on the ELB.
Unless you intend to do SSL termination on the Apache server, the issue should be resolved by routing traffic from the ELB to the instance over HTTP.
After the reconfiguration, the listener should look like:
HTTPS:443 => HTTP:80 (SSL certificate: <cert>, from ACM)
The SSL cert will be used for encrypting the request/response between clients and the ELB. From the ELB to the instance, the communication will be over HTTP.