jozko/README.md

## README.md

      
    Raw
  

              README.md
            
          
    Traefik as a redirect service only

Because sometimes you really just need to redirect some subdomains/URL to new ones, with full SSL support. And with copy/pastabale examples above it takes less time to get it up and running that would take to start using some external redirect service (and it's not always possible to do so anyway).
Configuration above was compiled from several sources listed in the Links section below. It seems to be working ok with Traefik version 2.5.4. Whoever finds this useful - use it.
Links


https://blog.cubieserver.de/2020/setting-up-traefik-v2-http-to-https-and-www-prefix-redirects/
https://gist.github.com/ubergesundheit/7c9d875befc2d7bfd0bf43d8b3862d85
https://doc.traefik.io/traefik/


## providers.toml
[http]
  [http.routers]
    [http.routers.query]
      entryPoints = ["web", "websecure"]
      rule = "Host(`login.example.com`)"
      middlewares = ["query-redir"]
      service = "noop"
      [http.routers.query.tls]
        certResolver = "le"

    [http.middlewares.query-redir]
      [http.middlewares.query-redir.redirectRegex]
        regex = "https://login.example.com/*"
        replacement = "https://login.betterexample.com/$1"
        permanent = true

    [http.routers.foobar]
      entryPoints = ["web", "websecure"]
      rule = "Host(`foobar.example.com`)"
      middlewares = ["foobar-redir"]
      service = "noop"
      [http.routers.foobar.tls]
        certResolver = "le"

    [http.middlewares.foobar-redir]
      [http.middlewares.foobar-redir.redirectRegex]
        regex = "https://foobar.example.com/*"
        replacement = "https://foobar.example2.com/$1"
        permanent = true

[http.services]
  [http.services.noop.LoadBalancer]
     [[http.services.noop.LoadBalancer.servers]]
        url = ""

## traefik.service
# Adapted from
[Unit]
Description=traefik proxy
After=network-online.target
Wants=network-online.target systemd-networkd-wait-online.service

[Service]
Restart=on-abnormal

; User and group the process will run as.
User=traefik
Group=traefik

; Always set "-root" to something safe in case it gets forgotten in the traefikfile.
ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik/traefik.toml

; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
LimitNOFILE=1048576

; Use private /tmp and /var/tmp, which are discarded after traefik stops.
PrivateTmp=true
; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
PrivateDevices=false
; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
ProtectHome=true
; Make /usr, /boot, /etc and possibly some more folders read-only.
ProtectSystem=full
; … except /etc/ssl/traefik, because we want Letsencrypt-certificates there.
;   This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
ReadWriteDirectories=/etc/traefik/

; The following additional security directives only work with systemd v229 or later.
; They further restrict privileges that can be gained by traefik. Uncomment if you like.
; Note that you may have to add capabilities required by any plugins in use.
CapabilityBoundingSet=CAP_NET_BIND_SERVICE
AmbientCapabilities=CAP_NET_BIND_SERVICE
NoNewPrivileges=true

[Install]
WantedBy=multi-user.target

## traefik.toml
[global]
  checkNewVersion = false
  sendAnonymousUsage = false

[serversTransport]
  insecureSkipVerify = true
  [serversTransport.forwardingTimeouts]
    dialTimeout = 60
    responseHeaderTimeout = 60
    idleConnTimeout = 60

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http]
      [entryPoints.web.http.redirections]
        [entryPoints.web.http.redirections.entryPoint]
          to = "websecure"
          scheme = "https"
          permanent = true
  [entryPoints.websecure]
    address = ":443"

[certificatesResolvers.le.acme]
  email = "acme@test.com"
  storage = "/etc/traefik/acme.json"
  [certificatesResolvers.le.acme.httpChallenge]
    entryPoint = "web"

[log]
  level = "INFO"
  #filePath = "/var/log/traefik/traefik.log"
  [accessLog]
    filePath = "/var/log/traefik/traefik-access.log"

[providers.file]
  directory = "/etc/traefik/providers"
  filename = "providers.toml"
  watch = false
	[http]
	[http.routers]
	[http.routers.query]
	entryPoints = ["web", "websecure"]
	rule = "Host(`login.example.com`)"
	middlewares = ["query-redir"]
	service = "noop"
	[http.routers.query.tls]
	certResolver = "le"

	[http.middlewares.query-redir]
	[http.middlewares.query-redir.redirectRegex]
	regex = "https://login.example.com/*"
	replacement = "https://login.betterexample.com/$1"
	permanent = true

	[http.routers.foobar]
	entryPoints = ["web", "websecure"]
	rule = "Host(`foobar.example.com`)"
	middlewares = ["foobar-redir"]
	service = "noop"
	[http.routers.foobar.tls]
	certResolver = "le"

	[http.middlewares.foobar-redir]
	[http.middlewares.foobar-redir.redirectRegex]
	regex = "https://foobar.example.com/*"
	replacement = "https://foobar.example2.com/$1"
	permanent = true

	[http.services]
	[http.services.noop.LoadBalancer]
	[[http.services.noop.LoadBalancer.servers]]
	url = ""
	# Adapted from
	[Unit]
	Description=traefik proxy
	After=network-online.target
	Wants=network-online.target systemd-networkd-wait-online.service

	[Service]
	Restart=on-abnormal

	; User and group the process will run as.
	User=traefik
	Group=traefik

	; Always set "-root" to something safe in case it gets forgotten in the traefikfile.
	ExecStart=/usr/local/bin/traefik --configfile=/etc/traefik/traefik.toml

	; Limit the number of file descriptors; see `man systemd.exec` for more limit settings.
	LimitNOFILE=1048576

	; Use private /tmp and /var/tmp, which are discarded after traefik stops.
	PrivateTmp=true
	; Use a minimal /dev (May bring additional security if switched to 'true', but it may not work on Raspberry Pi's or other devices, so it has been disabled in this dist.)
	PrivateDevices=false
	; Hide /home, /root, and /run/user. Nobody will steal your SSH-keys.
	ProtectHome=true
	; Make /usr, /boot, /etc and possibly some more folders read-only.
	ProtectSystem=full
	; … except /etc/ssl/traefik, because we want Letsencrypt-certificates there.
	; This merely retains r/w access rights, it does not add any new. Must still be writable on the host!
	ReadWriteDirectories=/etc/traefik/

	; The following additional security directives only work with systemd v229 or later.
	; They further restrict privileges that can be gained by traefik. Uncomment if you like.
	; Note that you may have to add capabilities required by any plugins in use.
	CapabilityBoundingSet=CAP_NET_BIND_SERVICE
	AmbientCapabilities=CAP_NET_BIND_SERVICE
	NoNewPrivileges=true

	[Install]
	WantedBy=multi-user.target
	[global]
	checkNewVersion = false
	sendAnonymousUsage = false

	[serversTransport]
	insecureSkipVerify = true
	[serversTransport.forwardingTimeouts]
	dialTimeout = 60
	responseHeaderTimeout = 60
	idleConnTimeout = 60

	[entryPoints]
	[entryPoints.web]
	address = ":80"
	[entryPoints.web.http]
	[entryPoints.web.http.redirections]
	[entryPoints.web.http.redirections.entryPoint]
	to = "websecure"
	scheme = "https"
	permanent = true
	[entryPoints.websecure]
	address = ":443"

	[certificatesResolvers.le.acme]
	email = "acme@test.com"
	storage = "/etc/traefik/acme.json"
	[certificatesResolvers.le.acme.httpChallenge]
	entryPoint = "web"

	[log]
	level = "INFO"
	#filePath = "/var/log/traefik/traefik.log"
	[accessLog]
	filePath = "/var/log/traefik/traefik-access.log"

	[providers.file]
	directory = "/etc/traefik/providers"
	filename = "providers.toml"
	watch = false