traefik: Wrong behaviour of HTTP -> HTTPS redirect with PathPrefixStrip annotation

Do you want to request a feature or report a bug?

bug

What did you do?

I’m using traefik as a kubernetes ingress controller. HTTPS is enforced by default so all the HTTP requests respond with 302 -> HTTPS. All works fine except one case: when I annotate a service with traefik.frontend.rule.type: PathPrefixStrip, the path gets lost during the redirect.

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: test
  annotations:
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - host: example.com
    http:
      paths:
      - path: /path-prefix-strip-service/
        backend:
          serviceName: my-service
          servicePort: http

What did you expect to see?

url entered 302 to
http://example.com/ https://example.com/
http://example.com/path-prefix-strip-service/ https://example.com/path-prefix-strip-service/
http://example.com/any-other-path/ https://example.com/any-other-path/

What did you see instead?

url entered 302 to
http://example.com/ https://example.com/
http://example.com/path-prefix-strip-service/ https://example.com/ ⚠️
http://example.com/any-other-path/ https://example.com/any-other-path/

Output of traefik version: (What version of Traefik are you using?)

1.3.5

I was also able to reproduce this on one more pretty different cluster with Traefik 1.3.4.

What is your environment & configuration (arguments, toml, provider, platform, …)?

Official helm chart, latest version.

About this issue

  • Original URL
  • State: closed
  • Created 7 years ago
  • Reactions: 25
  • Comments: 20 (9 by maintainers)

Commits related to this issue

Most upvoted comments

Hello @dpavanelli,

I investigated a little and found the problem. It’s due to the workflow. Indeed the PathPrefixStrip middleware is called before the Redirect one that’s why the problem appears.

I have to find a solution which has to be more generic as possible and wich will not introduce regression (of course). I’ll do this ASAP but, for now, it’s difficult to give you a deadline…

WIP 😉

+16
nmengin on Jan 22, 2018

I ran into this problem with 1.5.0. I worked around the issue by setting the using HTTPS as the main entry point, then adding File frontend for the HTTP entry point, that way the PathPrefixStrip does not apply on the HTTP entry point.

This is an example:

# HTTP to HTTPS config
defaultEntryPoints = ["https"]
[file]
[backends]
  [backends.http-only]
[frontends]
  [frontends.http-only]
  entrypoints = ["http"]
  backend = "http-only"
+10
Miouge1 on Jan 29, 2018

Closed by #3631.

+4
traefiker on Jul 31, 2018

I have the same problem in v 1.4.0

defaultEntryPoints = ["http", "https"]
[entryPoints]
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
    ...

apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  name: cheeses
  annotations:
    traefik.frontend.rule.type: PathPrefixStrip
spec:
  rules:
  - host: dev.our-domain.io
    http:
      paths:
      - path: /stilton
        backend:
          serviceName: stilton
          servicePort: http
      - path: /cheddar
        backend:
          serviceName: cheddar
          servicePort: http
      - path: /wensleydale
        backend:
          serviceName: wensleydale
          servicePort: http
+4
1ambda on Oct 30, 2017

@Miouge1 your solution works like a magic. Suppose this bug will be fixed and no-one will spend hours trying to find it like me 😦 !

@jbdoumenjou Any idea when this can be fixed?

+3
stepan-romankov on Mar 22, 2018

Hi @nmengin. Is there any news about this issue?

+3
dpavanelli on Jan 19, 2018

Thanks for your reply @ldez. I understand that traefik is a non-profit opensource project and I really appreciate your team’s hard work on it. I just wanted someone else in the community to check if my and @ArcticDolphin’s observations are valid to make sure it’s not just an issue of us doing something wrong.

I’d be happy to try fixing the bug myself, but unfortunately I have zero experience in go, so this does not sound doable. I’m trying to help by keeping traefik version in its official helm chart up to date, but understand that it’s a very modest contribution compared to what you guys do here :–)

Not sure this issue is the same as #1272. The problem mentioned there concerns the behaviour of the containrs behind traefik, but here the thing is fully internal. A redirect from http to https is done based on the config and I believe that there’s just some path trimming going on in the wrong place. However, I can’t even find where exactly the problem is in the code (although I tried).

Thanks for the time that you put into traefik (especially on weekends) 😉

+2
kachkaev on Aug 30, 2017

same issue in 1.5.1

+1
cdyue on Feb 7, 2018

Hello @nmengin, I have been debugging the same bug, but with AddPrefix (#2024). I’m not familiar enough with the design of Traefik, so it’s hard for me to propose such a big change, but I will be glad to help you with this fix. Let me know if I can be of an assistance

+1
schoren on Jan 26, 2018

@kachkaev We are a very small team, we have ~280 open issues :

  • 15 kind/bug/confirmed
  • ~50 kind/bug/possible
  • ~30 status/0-needs-triage

We also add new features, answer to support questions and more.

Even if I confirm, this bug will not be fixed like that.

This project is open source, anyone can participate by opening a PR.

Seems to be a duplicate of #1272

+1
ldez on Aug 26, 2017
Read more comments on GitHub
← traefik: Wildcard domain certificate generation with route 53 fails.
traefik: Wrong HTTPS redirect when also using AddPrefix →