
@jozko
Last active November 17, 2021 08:07
Traefik redirect only configuration

Traefik as a redirect service only

Because sometimes you really just need to redirect some subdomains/URLs to new ones, with full SSL support. And with the copy/pasteable examples above, it takes less time to get it up and running than it would take to start using some external redirect service (and it's not always possible to do so anyway).

Configuration above was compiled from several sources listed in the Links section below. It seems to be working ok with Traefik version 2.5.4. Whoever finds this useful - use it.

Links

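# Dynamic configuration (file provider) for redirect-only routers.
# Each router matches one legacy hostname, obtains its certificate through the
# "le" resolver, and hands the request to a redirectRegex middleware that
# answers with a permanent redirect to the new hostname.

[http.routers.query]
entryPoints = ["web", "websecure"]
rule = "Host(`login.example.com`)"
middlewares = ["query-redir"]
service = "noop"

[http.routers.query.tls]
certResolver = "le"

[http.routers.foobar]
entryPoints = ["web", "websecure"]
rule = "Host(`foobar.example.com`)"
middlewares = ["foobar-redir"]
service = "noop"

[http.routers.foobar.tls]
certResolver = "le"

# The patterns below are anchored, escape the dots, and define the capture
# group that ${1} refers to. The earlier form ("https://host/*") had no group,
# so $1 was always empty and the path survived only because the unmatched tail
# of the URL was left in place; being unanchored, it could also rewrite a copy
# of the old URL appearing later in the request (for example in a query string).
# The optional ":port" part covers a Host header that carries an explicit port.
#
# permanent = true makes browsers cache the redirect; verify the targets with
# permanent = false first, because a wrong permanent redirect is hard to recall.

[http.middlewares.query-redir.redirectRegex]
regex = '^https://login\.example\.com(?::[0-9]+)?/(.*)'
replacement = "https://login.betterexample.com/${1}"
permanent = true

[http.middlewares.foobar-redir.redirectRegex]
regex = '^https://foobar\.example\.com(?::[0-9]+)?/(.*)'
replacement = "https://foobar.example2.com/${1}"
permanent = true

# Placeholder backend: the routers must name a service, but a request that
# matches its redirect pattern is answered by the middleware and never forwarded.
# NOTE(review): the empty URL is kept from the original; confirm it still loads
# on the Traefik version in use.
[[http.services.noop.LoadBalancer.servers]]
url = ""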
# Adapted from
; systemd unit that runs Traefik as an unprivileged user with a reduced
; filesystem view and a single capability for binding ports 80 and 443.
[Unit]
Description=traefik proxy
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service
[Service]
; Restart after abnormal termination (signal, timeout, watchdog), not after a clean exit.
Restart=on-abnormal
; User and group the process will run as. Both must exist before the unit starts.
User=traefik
Group=traefik
; Start Traefik with the static configuration file /etc/traefik/traefik.toml.
ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik/traefik.toml
; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576
; Use private /tmp and /var/tmp, which are discarded after traefik stops.
PrivateTmp=true
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
PrivateDevices=false
; Hide /home, /root, and /run/user from the service, so SSH keys and other user files there are out of its reach.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/traefik/, which stays writable because the ACME storage file (acme.json) lives there.
; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
; NOTE(review): this leaves the whole directory, including traefik.toml, writable by the service;
; a dedicated directory for acme.json would keep the configuration itself read-only.
; Newer systemd releases document this setting as ReadWritePaths=; the old name is still accepted.
ReadWriteDirectories=/etc/traefik/
; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by traefik and are active in this unit.
; CAP_NET_BIND_SERVICE is what lets the unprivileged user bind the privileged ports 80 and 443.
; Note that you may have to add capabilities required by any plugins in use.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true
[Install]
WantedBy=multi-user.target
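# Static configuration for a redirect-only Traefik instance: two entry points,
# one ACME resolver, and a file provider that supplies the redirect routers.

[global]
checkNewVersion = false
sendAnonymousUsage = false

[serversTransport]
# Backend certificate verification stays on. This setup forwards nothing to a
# backend, so skipping verification bought nothing, and it would silently
# disable TLS checks for any real HTTPS backend added to this instance later.
insecureSkipVerify = false

[serversTransport.forwardingTimeouts]
# Values without a unit are read as seconds.
dialTimeout = 60
responseHeaderTimeout = 60
idleConnTimeout = 60

[entryPoints.web]
address = ":80"

# Plain HTTP is upgraded to HTTPS at the entry point, before any router runs.
[entryPoints.web.http.redirections.entryPoint]
to = "websecure"
scheme = "https"
permanent = true

[entryPoints.websecure]
address = ":443"

[certificatesResolvers.le.acme]
# Placeholder contact address; replace it with a mailbox you actually read.
email = "acme@test.com"
# Holds the ACME account key and the issued private keys. Keep it owned by the
# service user with mode 0600; Traefik rejects the file when it is more open.
storage = "/etc/traefik/acme.json"

# HTTP-01 validation: port 80 must be reachable from the Internet for every
# hostname that requests a certificate.
[certificatesResolvers.le.acme.httpChallenge]
entryPoint = "web"

[log]
level = "INFO"
#filePath = "/var/log/traefik/traefik.log"

[accessLog]
# Records every redirected request. NOTE(review): query strings sent to the
# legacy login host may be sensitive; restrict read access to this file.
filePath = "/var/log/traefik/traefik-access.log"

[providers.file]
# `directory` and `filename` are mutually exclusive in the file provider, so
# only `directory` is set; providers.toml inside it is still picked up.
# With watch = false, edits to the redirect rules need a Traefik restart.
directory = "/etc/traefik/providers"
watch = false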