I'm running Traefik on AWS via Kubernetes. It all works with http, but I can't get the https and my http=>https redirect configuration to work.
I have the following .toml file:
defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
With the Kubernetes Deployment + Service configurations below.
Kubernetes config files:
apiVersion: extensions/v1beta1
kind: Deployment
metadata:
  annotations:
    deployment.kubernetes.io/revision: "3"
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"extensions/v1beta1","kind":"Deployment","metadata":{"annotations":{},"labels":{"k8s-app":"traefik-ingress-lb"},"name":"traefik-ingress-controller","namespace":"kube-system"},"spec":{"replicas":1,"selector":{"matchLabels":{"k8s-app":"traefik-ingress-lb"}},"template":{"metadata":{"labels":{"k8s-app":"traefik-ingress-lb","name":"traefik-ingress-lb"}},"spec":{"containers":[{"args":["--api","--kubernetes","--logLevel=INFO"],"image":"traefik","name":"traefik-ingress-lb","ports":[{"containerPort":80,"name":"http"},{"containerPort":8080,"name":"admin"}]}],"serviceAccountName":"traefik-ingress-controller","terminationGracePeriodSeconds":60}}}}
  creationTimestamp: 2018-07-18T19:39:53Z
  generation: 3
  labels:
    k8s-app: traefik-ingress-lb
  name: traefik-ingress-controller
  namespace: kube-system
  resourceVersion: "624437"
  selfLink: /apis/extensions/v1beta1/namespaces/kube-system/deployments/traefik-ingress-controller
  uid: 58026a2c-8ac2-11e8-bb82-02f2884c3a1c
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: traefik-ingress-lb
  strategy:
    rollingUpdate:
      maxSurge: 1
      maxUnavailable: 1
    type: RollingUpdate
  template:
    metadata:
      creationTimestamp: null
      labels:
        k8s-app: traefik-ingress-lb
        name: traefik-ingress-lb
    spec:
      containers:
      - args:
        - --configFile=/conf/traefik.toml
        - --api
        - --kubernetes
        - --logLevel=INFO
        image: traefik
        imagePullPolicy: Always
        name: traefik-ingress-lb
        ports:
        - containerPort: 80
          name: http
          protocol: TCP
        - containerPort: 8080
          name: admin
          protocol: TCP
        - containerPort: 443
          protocol: TCP
        resources: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /conf
          name: config
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: traefik-ingress-controller
      serviceAccountName: traefik-ingress-controller
      terminationGracePeriodSeconds: 60
      volumes:
      - configMap:
          defaultMode: 420
          name: traefik-conf
        name: config
status:
  availableReplicas: 1
  conditions:
  - lastTransitionTime: 2018-07-18T19:39:54Z
    lastUpdateTime: 2018-07-18T19:39:54Z
    message: Deployment has minimum availability.
    reason: MinimumReplicasAvailable
    status: "True"
    type: Available
  observedGeneration: 3
  readyReplicas: 1
  replicas: 1
  updatedReplicas: 1
---
apiVersion: v1
kind: Service
metadata:
  annotations:
    kubectl.kubernetes.io/last-applied-configuration: |
      {"apiVersion":"v1","kind":"Service","metadata":{"annotations":{},"name":"traefik-ingress-service","namespace":"kube-system"},"spec":{"ports":[{"name":"web","port":80,"protocol":"TCP"},{"name":"admin","port":8080,"protocol":"TCP"}],"selector":{"k8s-app":"traefik-ingress-lb"},"type":"NodePort"}}
    service.beta.kubernetes.io/aws-load-balancer-backend-protocol: http
    service.beta.kubernetes.io/aws-load-balancer-ssl-cert: arn:aws:acm:eu-west-1:735079771029:certificate/sfsg
    service.beta.kubernetes.io/aws-load-balancer-ssl-ports: "443"
  creationTimestamp: 2018-07-18T19:39:54Z
  name: traefik-ingress-service
  namespace: kube-system
  resourceVersion: "619785"
  selfLink: /api/v1/namespaces/kube-system/services/traefik-ingress-service
  uid: 585294fb-8ac2-11e8-bb82-02f2884c3a1c
spec:
  clusterIP: 100.69.33.166
  externalTrafficPolicy: Cluster
  ports:
  - name: web
    nodePort: 32734
    port: 80
    protocol: TCP
    targetPort: 80
  - name: admin
    nodePort: 32566
    port: 8080
    protocol: TCP
    targetPort: 8080
  - name: https
    nodePort: 32287
    port: 443
    protocol: TCP
    targetPort: 80
  selector:
    k8s-app: traefik-ingress-lb
  sessionAffinity: None
  type: LoadBalancer
status:
  loadBalancer:
    ingress:
    - hostname: blablabla.eu-west-1.elb.amazonaws.com
My http is working fine but my https isn't working. I got a timeout error. This is very strange. I even added a listener on port 443 on my ELB but it's still not working. What do you guys think?
Since you are using entrypoint redirection, Traefik redirects the request to the entrypoint specified (in your case https). Your ELB then listens on https, and passes the request to the http entrypoint on Traefik, which then redirects to https, etc.
It is usually a bad idea to redirect to TLS at any other layer than the layer that terminates TLS. If your ELB is terminating TLS connections, you should configure it to redirect if needed.
Also, since you have all of your traffic http behind the ELB, you can remove the https entrypoints from traefik, as they will not be needed.
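The loop described in this answer can be caught as a static check before deploying. The following is an added example, not part of the original question or answer: the dict literals are constructed from the Service and TOML values posted above, and the function names are hypothetical.

```python
# Added example: flag LB listeners that terminate TLS and forward plaintext
# to a Traefik entrypoint that redirects to https (a redirect loop).
PREFIX = "service.beta.kubernetes.io/aws-load-balancer-"

# Constructed from the Service posted in the question.
SERVICE = {
    "annotations": {
        PREFIX + "backend-protocol": "http",
        PREFIX + "ssl-ports": "443",
    },
    "ports": [
        {"name": "web", "port": 80, "targetPort": 80},
        {"name": "admin", "port": 8080, "targetPort": 8080},
        {"name": "https", "port": 443, "targetPort": 80},
    ],
}
# Constructed from the traefik.toml posted in the question.
ENTRYPOINTS = {"http": {"address": ":80", "redirect": {"entryPoint": "https"}}}


def entrypoint_on_port(entrypoints, port):
    """Return (name, config) of the entrypoint listening on `port`, if any."""
    for name, ep in entrypoints.items():
        if ep["address"].rsplit(":", 1)[-1] == str(port):
            return name, ep
    return None, None


def find_redirect_loops(service, entrypoints):
    """Return [(lb_port, entrypoint_name)] for every looping listener."""
    ann = service["annotations"]
    raw = ann.get(PREFIX + "ssl-ports", "")
    tls_ports = {p.strip() for p in raw.split(",") if p.strip()}
    # http/tcp backend protocol means the LB forwards decrypted traffic.
    plain_backend = ann.get(PREFIX + "backend-protocol", "").lower() in ("http", "tcp")
    findings = []
    for p in service["ports"]:
        # ssl-ports entries may be port numbers or port names.
        terminated = str(p["port"]) in tls_ports or p["name"] in tls_ports
        if not (terminated and plain_backend):
            continue
        name, ep = entrypoint_on_port(entrypoints, p["targetPort"])
        # Traefik sees plain http on this entrypoint and sends the client
        # back to https, which arrives at the same listener again.
        if ep and ep.get("redirect", {}).get("entryPoint") == "https":
            findings.append((p["port"], name))
    return findings


if __name__ == "__main__":
    print(find_redirect_loops(SERVICE, ENTRYPOINTS))
```

With the redirect removed from the `http` entrypoint, as the answer suggests, the same check returns no findings.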