Wrong behaviour of HTTP -> HTTPS redirect with PathPrefixStrip annotation #1957
Comments
ldez
added
area/provider/k8s/ingress
area/rules
kind/bug/possible
|
I am also experiencing this behaviour on version 1.3.5. |
|
Could anyone else confirm the bug please? Would be great to see the fix in a patch release or in 1.4. This bug does not allow for keeping multiple apps on the same domain in production because the customers do not land where there should if they type a url without https. |
|
@kachkaev We are a very small team, we have ~280 open issues :
We also add new features, answer to support questions and more. Even if I confirm, this bug will not be fixed like that. This project is open source, anyone can participate by opening a PR. Seems to be a duplicate of #1272 |
|
Thanks for your reply @ldez. I understand that traefik is a non-profit opensource project and I really appreciate your team's hard work on it. I just wanted someone else in the community to check if my and @Arcticdolphin's observations are valid to make sure it's not just an issue of us doing something wrong. I'd be happy to try fixing the bug myself, but unfortunately I have zero experience in go, so this does not sound doable. I'm trying to help by keeping traefik version in its official helm chart up to date, but understand that it's a very modest contribution compared to what you guys do here :–) Not sure this issue is the same as #1272. The problem mentioned there concerns the behaviour of the containrs behind traefik, but here the thing is fully internal. A redirect from http to https is done based on the config and I believe that there's just some path trimming going on in the wrong place. However, I can't even find where exactly the problem is in the code (although I tried). Thanks for the time that you put into traefik (especially on weekends) 😉 |
|
I have the same problem in v 1.4.0 defaultEntryPoints = ["http", "https"]
[entryPoints]
[entryPoints.http]
address = ":80"
[entryPoints.http.redirect]
entryPoint = "https"
[entryPoints.https]
address = ":443"
[entryPoints.https.tls]
...apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: cheeses
annotations:
traefik.frontend.rule.type: PathPrefixStrip
spec:
rules:
- host: dev.our-domain.io
http:
paths:
- path: /stilton
backend:
serviceName: stilton
servicePort: http
- path: /cheddar
backend:
serviceName: cheddar
servicePort: http
- path: /wensleydale
backend:
serviceName: wensleydale
servicePort: http |
|
Seeing the same behavior in 1.4.1 as well |
|
Still observing this issue in |
|
I have the same problem on Docker Image version |
|
Hi @nmengin. Is there any news about this issue? |
|
Hello @dpavanelli, I investigated a little and found the problem. I have to find a solution which has to be more generic as possible and wich will not introduce regression (of course). WIP 😉 |
ldez
added
priority/P2
|
I ran into this problem with 1.5.0. I worked around the issue by setting the using HTTPS as the main entry point, then adding File frontend for the HTTP entry point, that way the PathPrefixStrip does not apply on the HTTP entry point. This is an example: # HTTP to HTTPS config
defaultEntryPoints = ["https"]
[file]
[backends]
[backends.http-only]
[frontends]
[frontends.http-only]
entrypoints = ["http"]
backend = "http-only" |
|
same issue in |
|
@Miouge1 your solution works like a magic. Suppose this bug will be fixed and no-one will spend hours trying to find it like me :( ! @jbdoumenjou Any idea when this can be fixed? |
|
@Miouge1 many thanks for sharing a workaround! Do you know if it can be crafted just by using traefik command line options? I'm starting traefik without any tomls like this in one of my environments: docker run \
--detach \
--publish 80:80 \
--publish 443:443 \
--publish 48080:48080 \
--mount type=bind,source=/var/run/docker.sock,target=/var/run/docker.sock \
--network traefik \
--name traefik \
--restart always \
--volume /etc/traefik/acme:/etc/traefik/acme \
traefik:v1.5-alpine \
--acme=true \
--acme.acmelogging \
--acme.email=mail@example.com \
--acme.entrypoint=https \
--acme.httpChallenge=true \
--acme.httpChallenge.entryPoint=http \
--acme.onhostrule=true \
--acme.storage=/etc/traefik/acme/acme.json \
--docker \
--docker.watch \
--docker.exposedbydefault=false \
--defaultEntryPoints=http,https \
--entryPoints="Name:http Address::80 Redirect.EntryPoint:https" \
--entryPoints="Name:https Address::443 TLS" \
--web \
--web.address=:48080 \
--web.readonly=true \
--web.statistics=true \
--web.statistics.recenterrors=200Curious to know if I can replace these two like with something that would apply a workaround. No luck after about an hour of trying 😅 |
|
@kachkaev it's not possible to set frontends and backends via CLI arguments, so a config file is needed. |
|
Same problem here. Don't ask me why, but if you explicitly put port 80 on the frontend, it works, like magic. |
|
aha, same issue here :/ |
|
My workaround is to have all my real endpoints do ie, in compose using a docker swarm: |
|
Closed by #3631. |
As outlined in this (traefik/traefik#1957) issue SSL redirection with PathPrefixStrip does not work really well. A solution was provided in this (traefik/traefik#3631) PR, released in 1.7, but it didn't really solve the issue. In fact, there were several subsequent issues opened (traefik/traefik#3999, traefik/traefik#3876) but they got closed. Another issue was opened in the Traefik repo: traefik/traefik#4085 Until then this workaround provides the same functionality.
As outlined in this (traefik/traefik#1957) issue SSL redirection with PathPrefixStrip does not work really well. A solution was provided in this (traefik/traefik#3631) PR, released in 1.7, but it didn't really solve the issue. In fact, there were several subsequent issues opened (traefik/traefik#3999, traefik/traefik#3876) but they got closed. Another issue was opened in the Traefik repo: traefik/traefik#4085 Until then this workaround provides the same functionality.
Do you want to request a feature or report a bug?
bug
What did you do?
I'm using traefik as a kubernetes ingress controller. HTTPS is enforced by default so all the HTTP requests respond with 302 -> HTTPS. All works fine except one case: when I annotate a service with
traefik.frontend.rule.type: PathPrefixStrip, the path gets lost during the redirect.What did you expect to see?
What did you see instead?
Output of
traefik version: (What version of Traefik are you using?)I was also able to reproduce this on one more pretty different cluster with Traefik
1.3.4.What is your environment & configuration (arguments, toml, provider, platform, ...)?
Official helm chart, latest version.
The text was updated successfully, but these errors were encountered: