
I have a Kubernetes setup where Traefik is my ingress controller. Traefik is behind an AWS ELB which is listening on an SSL port (TCP:443) so that it can terminate the SSL using an ACM certificate. It then load balances you to Traefik (in k8s) which listens on TCP:80. We require this setup as we whitelist on a per-ingress basis in Traefik and use the proxy protocol header to do this (we tried using X-Forwarded-For whitelisting on an HTTP load balancer but this was easy to bypass).

This is working for HTTPS traffic coming in but I would like to set up HTTP redirection to HTTPS. So far I have set up a TCP:80 listener on the load balancer forwarding to TCP:81. I've also set up my Traefik entrypoints using a configuration file:

```toml
defaultEntryPoints = ["http"]
debug = false
logLevel = "INFO"

# Do not verify backend certificates (use https backends)
InsecureSkipVerify = true

[entryPoints]
  [entryPoints.http]
    address = ":80"
    compress = true
    [entryPoints.http.proxyProtocol]
      insecure = true
      trustedIPs = ["10.0.0.0/8"]
  [entryPoints.redirect]
    address = ":81"
    compress = true
    [entryPoints.http.redirect]
      entryPoint = "http"
```

However, this gives a `400 Bad Request` when I try and access any service on :80.

I assume this is because for this method to work Traefik itself needs to have an SSL listener, rather than the ELB.

Is there a way this can be set up so that all traffic that hits Traefik on :81 is rewritten to HTTPS?

thewire247
  • You should use the ELB created by Traefik, configure the SSL termination at the Traefik deployment, and configure the L7 load balancer in the Traefik configuration. If you configure the L7 on your custom ALB, Traefik cannot read the route configuration. – Fauzan Feb 09 '20 at 20:33

0 Answers
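The question's reason for whitelisting on the proxy protocol header rather than X-Forwarded-For comes down to who is allowed to state the client address. The Go code below is an added example, not part of the original post and not Traefik's own code: it accepts a PROXY protocol v1 line only from a peer inside the `10.0.0.0/8` range used as `trustedIPs` above, and never reads the address from an HTTP header. The names `ClientIP`, `trustedLB` and `cidr`, and all sample addresses, are constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net"
	"strings"
)

func cidr(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

var trustedLB = cidr("10.0.0.0/8") // same range as trustedIPs in the question

// ClientIP picks the address an allowlist should be evaluated against.
// peer is the TCP peer address, first is the first line read from the socket.
// A PROXY v1 line is honoured only when the peer is a trusted load balancer.
func ClientIP(peer, first string) (net.IP, error) {
	p := net.ParseIP(peer)
	if p == nil {
		return nil, errors.New("bad peer address")
	}
	if !strings.HasPrefix(first, "PROXY ") {
		return p, nil // no header: the peer is the client
	}
	if !trustedLB.Contains(p) {
		return nil, errors.New("PROXY header from untrusted peer")
	}
	// v1 layout: PROXY TCP4|TCP6 <src> <dst> <srcport> <dstport>\r\n
	f := strings.Fields(first)
	if len(f) != 6 || (f[1] != "TCP4" && f[1] != "TCP6") {
		return nil, errors.New("malformed PROXY v1 line")
	}
	src := net.ParseIP(f[2])
	if src == nil {
		return nil, errors.New("bad source address")
	}
	return src, nil
}

func main() {
	allow := cidr("203.0.113.0/24") // constructed per-ingress allowlist
	ip, err := ClientIP("10.0.1.5", "PROXY TCP4 203.0.113.7 10.0.1.5 51234 80\r\n")
	fmt.Println(ip, err, err == nil && allow.Contains(ip))
}
```

A listener that receives the PROXY line but is not configured to expect it sees those bytes as the start of the HTTP request, so every port the load balancer forwards to needs a matching proxy protocol setting.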