WebSocket not upgrading when redirected to HTTPS (Traefik 2.2.8 on Kubernetes)

I configured my Kubernetes Traefik CRD according to what I found here, and my present config looks like this:

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-scheme-to-https
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: x-forward-header-https
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ae-frontend-ingressroute
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`app.domain.com`) && PathPrefix(`/`)
      middlewares:
        - name: redirect-scheme-to-https
      kind: Rule
      services:
        - name: ae-frontend-svc-in
          port: 8181
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: ae-frontend-ingressroute-https
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`app.domain.com`) && PathPrefix(`/`)
      middlewares:
        - name: x-forward-header-https
        - name: cors
        - name: stripprefix
      kind: Rule
      services:
        - name: ae-frontend-svc-in
          port: 8181
  tls:
    secretName: app-cert

But I'm still getting this error:

main-4f8115025f867f1bfeef.js:485 Mixed Content: The page at 'https://app.domain.com/' was loaded over HTTPS, but attempted to connect to the insecure WebSocket endpoint 'ws://app.domain.com/service/subscriptions'. This request has been blocked; this endpoint must be available over WSS.

Should I add something more to my configuration? I tested with present versions of Traefik (2.0, 2.1) too, but I'm getting the same error.

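Added example, not part of the original thread: the Mixed Content error above is raised by the browser before any request is sent, so a redirect on the `web` entry point never gets the chance to turn `ws://` into `wss://`, and the socket URL has to carry the right scheme on the client. The function names are hypothetical, and the sketch assumes the frontend builds its own WebSocket URL.

```javascript
// Added example (hypothetical helper names, not code from the thread).

// Models the browser's mixed-content rule for WebSockets:
// a page loaded over https may not open a ws:// connection.
function isBlockedMixedContent(pageUrl, socketUrl) {
  const page = new URL(pageUrl);
  const socket = new URL(socketUrl);
  return page.protocol === 'https:' && socket.protocol === 'ws:';
}

// Builds the socket URL for `endpoint`, which may be a path or an
// absolute ws/wss/http/https URL. The scheme follows the page:
// https -> wss, http -> ws. An explicit wss/https endpoint is never
// downgraded to ws.
function webSocketUrlFor(pageUrl, endpoint) {
  const page = new URL(pageUrl);
  // Relative paths resolve against the page; absolute URLs are kept.
  const target = new URL(endpoint, page);
  const allowed = ['ws:', 'wss:', 'http:', 'https:'];
  if (!allowed.includes(target.protocol)) {
    throw new Error(`unsupported scheme: ${target.protocol}`);
  }
  const secure =
    page.protocol === 'https:' ||
    target.protocol === 'wss:' ||
    target.protocol === 'https:';
  target.protocol = secure ? 'wss:' : 'ws:';
  return target.href;
}

// Constructed sample values taken from the error message in the post.
const PAGE = 'https://app.domain.com/';
const HARDCODED = 'ws://app.domain.com/service/subscriptions';

// In the browser the call would be:
//   new WebSocket(webSocketUrlFor(window.location.href, '/service/subscriptions'))
```

With the URL derived this way, the connection arrives on the `websecure` entry point and is handled by the HTTPS IngressRoute.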

Same issue, same config. Did you find anything?

Sorry, but no. I started to think the problem will be with the HAProxy LB in front of Kubernetes, but I couldn't check it for now (it is in production and I can't change the configuration). That HAProxy has port 80 in HTTP mode (we need to split traffic according to domains) and 443 in TCP mode. I want to check whether it will start working after changing port 80 to TCP. It is my last idea, as I haven't received any other solutions or ideas for this problem here so far.

Do you have any other LB before your Traefik?

If not, it probably won't be a problem with HAProxy on my side either, but with Traefik itself, and we need to wait for someone who will be interested in our issue :slight_smile:

Same issue: WebSocket is not working with 2.3. Any help from Traefik?

Hello @KAnDe
Would you please provide more details and a reproducible use case for the issue you are referring to?
Thank you

So, I went with another approach.
I had to install the certificate on the server as well and activate [ passthrough: true ]. Any other option under tls seems to be useless, but it unlocked the issue for now. I'll try to see if I can get any logs or anything from the server to help me understand why, and how I can remove the certificates from the server directly.
I'll keep you all in touch. It seems so neat in Traefik that I feel it could be a configuration issue on the server/client.

spec:
  entryPoints:
    - my-socket
  routes:
    - match: HostSNI(`mywebsite.com`)
      middlewares:
        - name: socket-wws-redirect
          namespace: myNamespace
      services:
        - name: socket-service
          port: 8080
  tls:
    passthrough: true
    secretName: certificate-ssl-mywebsite
    options:
      name: certificate-ca-tls-options-mywebsite
      namespace: default

and the middleware:

  redirectScheme:
    permanent: true
    port: "8080"
    scheme: wws