A global http -> https redirection?

Hello

On my side I defined a router on the traefik container itself, attached to entry point "web", catching all hosts and redirecting to https.
And then I only define TLS routers, attached only to the "websecure" entry point, on the services themselves.

This way, only one router listens on the "web" entry point, and it redirects everything to https. And the services only listen on the "websecure" entry point.
Downsides I see for now:

  • As I have a catch all on http, I'm not sure I could easily expose something else on http if needed
  • When requesting a specific host which is not defined, you get an SSL error instead of the standard 404 default backend

With the following example, when you go to http://localhost, you're redirected to https.

docker-compose example:

version: "3.3"

services:

  traefik:
    image: "traefik:v2.0.0-alpha8-alpine"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.http-catchall.rule=hostregexp(`{host:[a-z-.]+}`)"
      - "traefik.http.routers.http-catchall.entrypoints=web"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - "./traefik.toml:/etc/traefik.toml"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  whoami:
    image: containous/whoami
    expose:
      - "80"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`localhost`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls=true"

traefik.toml:

[global]
  sendAnonymousUsage = true

[providers.docker]
  exposedByDefault = false

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.websecure]
    address = ":443"

Not sure it's the best way to do this, but it seems to work.

4 Likes
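An added example, not part of the original post or of Traefik itself: a small audit over Docker labels that checks the layout described above still holds, meaning every router reachable on the "web" entry point carries an HTTPS redirect and every router on "websecure" has TLS enabled. The `legacy` router is a hypothetical label constructed to show a finding. It assumes the entry point names from the post and only sees middlewares declared as labels.

```python
import re

# Labels copied from the compose file in the post.
PAGE_LABELS = [
    "traefik.http.routers.http-catchall.rule=hostregexp(`{host:[a-z-.]+}`)",
    "traefik.http.routers.http-catchall.entrypoints=web",
    "traefik.http.routers.http-catchall.middlewares=redirect-to-https",
    "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https",
    "traefik.http.routers.whoami.rule=Host(`localhost`)",
    "traefik.http.routers.whoami.entrypoints=websecure",
    "traefik.http.routers.whoami.tls=true",
]
# Constructed for illustration: a hypothetical router left on plain HTTP.
LEGACY_LABELS = ["traefik.http.routers.legacy.entrypoints=web"]
LABEL_RE = re.compile(r"^traefik\.http\.(routers|middlewares)\.([^.]+)\.([^=]+)=(.*)$", re.I)

def parse(labels):
    parsed = {"routers": {}, "middlewares": {}}
    for label in labels:
        m = LABEL_RE.match(label.strip())
        if m:
            kind, name, option, value = m.groups()
            parsed[kind.lower()].setdefault(name, {})[option.lower()] = value
    return parsed["routers"], parsed["middlewares"]

def names(value):
    # Split a comma-separated option, dropping any @provider suffix.
    return {v.strip().split("@")[0] for v in value.split(",") if v.strip()}

def audit(labels, plain="web", secure="websecure"):
    # Return (router, problem) pairs that break the redirect-everything layout.
    routers, middlewares = parse(labels)
    to_https = {n for n, o in middlewares.items()
                if o.get("redirectscheme.scheme", "").lower() == "https"}
    findings = []
    for name, opts in sorted(routers.items()):
        # No entrypoints option means the router listens on every entry point.
        eps = names(opts.get("entrypoints", "")) or {plain, secure}
        # tls=true or any tls.* option makes the router HTTPS-only.
        tls = opts.get("tls", "").lower() == "true" or any(k.startswith("tls.") for k in opts)
        if plain in eps and not tls and not names(opts.get("middlewares", "")) & to_https:
            findings.append((name, "serves plain HTTP without an HTTPS redirect"))
        if secure in eps and not tls:
            findings.append((name, "on the TLS entry point without tls=true"))
    return findings

if __name__ == "__main__":
    for router, problem in audit(PAGE_LABELS + LEGACY_LABELS):
        print(f"{router}: {problem}")
```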