Hej everyone. My traefik setup has been up and running for a few months now. I love it, a bit scary to switch at first, but I encourage you to look at, if you haven't. Middelwares are amazing: I mostly use it for CrowdSec and authentication. Theres two things I could use some feedback, though.
- I mostly use docker labels to setup routers in traefik. Some people only define on router (HTTP) and some both (+ HTTPS) and I did the latter.
- labels
- traefik.enable=true
- traefik.http.routers.jellyfin.entrypoints=web
- traefik.http.routers.jellyfin.rule=Host(`jellyfin.local.domain.de`)
- traefik.http.middlewares.jellyfin-https-redirect.redirectscheme.scheme=https
- traefik.http.routers.jellyfin.middlewares=jellyfin-https-redirect
- traefik.http.routers.jellyfin-secure.entrypoints=websecure
- traefik.http.routers.jellyfin-secure.rule=Host(`jellyfin.local.domain.de`)
- traefik.http.routers.jellyfin-secure.middlewares=local-whitelist@file,default-headers@file
- traefik.http.routers.jellyfin-secure.tls=true
- traefik.http.routers.jellyfin-secure.service=jellyfin
- traefik.http.services.jellyfin.loadbalancer.server.port=8096
- traefik.docker.network=media
So, I don't want to serve HTTP at all, all will be redirected to HTTPS anyway. What I don't know is, if I can skip the HTTP part. Must I define the web entrypoint in order for redirect to work? Or can I define it in the traefik.yml as I did below?
entryPoints:
ping:
address: ':88'
web:
address: ":80"
http:
redirections:
entryPoint:
to: websecure
scheme: https
websecure:
address: ":443"
- I use homepage (from benphelps) as my dashboard and noticed, that when I refresh the page, all those widgets take a long time to load. They did not do that, when I connecte homepage to those services directly using IP:PORT. Now I use URLs provided by traefik, and it's slow. It's not really a problem, but I wonder, if I made a mistake somewhere. I'm still a beginner when it comes to this, so any pointers in the right direction are apprecciated. Thank you =)
Exactly, I should have said what would the server do when clients try to connect via http:// with and without the HSTS header but I see what you mean now. Thanks for the explanation!
One more thing, to make sure everything is clear: the HSTS header only matters over TLS. Servers are not supposed to give it over plain connections (could be faked) and browsers must ignore it if it's not TLS.