Traefik redirect issues

Migsi

Dabbler
Joined
Mar 3, 2021
Messages
40
Hello,

today I successfully managed to set up traefik as an ingress provider for all apps I've installed on my TrueNAS box. So far so good. I disliked the fact that PiHole is only reachable when calling it using the correct path (<domain>/admin). I tried to add a redirectRegex middleware to pihole, redirecting calls to the plain domain to <domain>/admin, but that results in a weird redirection loop when accessing it in a browser.
1650929751847.png
1650930060758.png
Apparently traefik responds with an invalid location, containing the port appended to the path. Even though the loop must come from an unexpected match in the regex, it puzzles me why the internal service port of pihole is appended to the path at all. The regex looks as follows:
1650930346597.png
Did I just overlook something obvious or might there be a bug within the redirectRegex function?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
I guess you're not being specific enough with your regex... you probably need to have enough in there to tell it to only act on the complete URL and no more.

And, it would seem your regex needs to catch the port too, or you get that appending happening to the things before it.
 

Migsi

Dabbler
Joined
Mar 3, 2021
Messages
40
> I guess you're not being specific enough with your regex... you probably need to have enough in there to tell it to only act on the complete URL and no more.
>
> And, it would seem your regex needs to catch the port too, or you get that appending happening to the things before it.

That does not explain where the port comes from in the first place. My request didn't contain a port. The regex doesn't contain a port. It's the actual port on which that service would be available when using "simple" networking (I'm not, I use ClusterIP, it's still available as I would use "simple") but anyway. Ingress otherwise works, when I access the service using the right path no such weird loop occurs. This has to do with redirectRegex itself.
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
We heavily advise to only use Traefik with port 80 and 443.
It's part of, almost, all our guides for a reason.

A lot of middlewares and redirects freak out with different ports... including... endless redirects
 

Migsi

Dabbler
Joined
Mar 3, 2021
Messages
40
I think you still do not get my issue. I am never specifying any port anywhere. I simply configured the pihole app to use ingress over traefik, which is working fine so far. The issue is that pihole does not like it to be called on its root path "/" but requires one to access the path "/admin" explicitly. To circumvent this limitation, I tried both (exclusively, not at the same time): setting "/admin" as prefix for the service within the pihole app network config and using redirectRegex to automatically redirect from "/" to "/admin", of which neither led to success. As you can see on my screenshots, somehow, and I have no clue how or why, traefik responds with a redirect created by redirectRegex (when accessing "<domain>/") which points to "<domain>/admin:9089/" which does not make any sense at all. I never specified this port myself, it is the default port the pihole management interface is exposed (from its container/pod). Traefik is not supposed to add this port anywhere to its responses, especially when it was never asked to do so. Also pihole would never be reachable this way. Besides this obvious issue (to me), there is another obvious thing that I don't get: the port is added to the path, not the domain, which results in an invalid URL. So even if for whatever reason I wanted redirectRegex to add the cluster internal port of that service to this redirect, it would produce nonsensical/invalid results.

I hope this makes my issue more clear.
> We heavily advise to only use Traefik with port 80 and 443.
> It's part of, almost, all our guides for a reason.
>
> A lot of middlewares and redirects freak out with different ports... including... endless redirects

Traefik is running on port 80 and 443 and it is properly making all my apps accessible, even pihole (only when accessing it using <domain>/admin, not when accessing <domain>/), so no weird messing around on this side. I expect my pihole to be reachable on default http(s) ports, I just want to be able to access it by domain only without explicitly specifying a path.
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
> I think you still do not get my issue. I am never specifying any port anywhere. I simply configured the pihole app to use ingress over traefik, which is working fine so far. The issue is that pihole does not like it to be called on its root path "/" but requires one to access the path "/admin" explicitly. To circumvent this limitation, I tried both (exclusively, not at the same time): setting "/admin" as prefix for the service within the pihole app network config and using redirectRegex to automatically redirect from "/" to "/admin", of which neither led to success. As you can see on my screenshots, somehow, and I have no clue how or why, traefik responds with a redirect created by redirectRegex (when accessing "<domain>/") which points to "<domain>/admin:9089/" which does not make any sense at all. I never specified this port myself, it is the default port the pihole management interface is exposed (from its container/pod). Traefik is not supposed to add this port anywhere to its responses, especially when it was never asked to do so. Also pihole would never be reachable this way. Besides this obvious issue (to me), there is another obvious thing that I don't get: the port is added to the path, not the domain, which results in an invalid URL. So even if for whatever reason I wanted redirectRegex to add the cluster internal port of that service to this redirect, it would produce nonsensical/invalid results.
>
> I hope this makes my issue more clear.
>
> Traefik is running on port 80 and 443 and it is properly making all my apps accessible, even pihole (only when accessing it using <domain>/admin, not when accessing <domain>/), so no weird messing around on this side. I expect my pihole to be reachable on default http(s) ports, I just want to be able to access it by domain only without explicitly specifying a path.

We're just here to provide basic advice, if you have any issues beyond that you would need to file a support ticket with us on Discord and follow the procedure there...
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703

Migsi

Dabbler
Joined
Mar 3, 2021
Messages
40
> We're just here to provide basic advice, if you have any issues beyond that you would need to file a support ticket with us on Discord and follow the procedure there...

I'd love to do so, I joined your discord, accepted the terms and checked the checkmark, but I was not given any further access to your channels :/ Might there be some issues with the bot/whatever should provide me access? I did this ~2 weeks ago. Anyway, I'll retry and if I succeed, I'll ask over there.

> I think you're going to need to look at the last section of this:
>
> it seems for what you want to work, you need to edit the lighttpd config on the pi-hole.

That seems to be exactly what I want to do. But shouldn't this be possible to be done by traefik/some middleware somehow instead of modifying the internal lighttpd config (which probably gets overwritten on pod updates)?
 

sretalla

Powered by Neutrality
Moderator
Joined
Jan 1, 2016
Messages
9,703
> That seems to be exactly what I want to do. But shouldn't this be possible to be done by traefik/some middleware somehow instead of modifying the internal lighttpd config (which probably gets overwritten on pod updates)?

No. The app itself will fight against reverse proxies like Traefik to rewrite the URL unless it's configured to play ball.

Containers are designed to be ephemeral, so you're right that any change you make to the container directly will be killed on rebuild/redeploy, but that's why you define persistent storage for some parts of the container.

I see that the TrueCharts app doesn't catch that required config file (/etc/lighttpd/external.conf) in the config storage mount so you would have to add one in the Storage and Persistence section.

1652517397685.png


After clicking Add, you would choose the hostPath type, then select where on your host to put it, then the mountPath in the container where it will appear and the type "file", since we're not wanting to catch the whole of /etc/

You would then be able to edit that file from the host and it will be kept between container versions/deployments
 

Migsi

Dabbler
Joined
Mar 3, 2021
Messages
40
> No. The app itself will fight against reverse proxies like Traefik to rewrite the URL unless it's configured to play ball.
>
> Containers are designed to be ephemeral, so you're right that any change you make to the container directly will be killed on rebuild/redeploy, but that's why you define persistent storage for some parts of the container.
>
> I see that the TrueCharts app doesn't catch that required config file (/etc/lighttpd/external.conf) in the config storage mount so you would have to add one in the Storage and Persistence section.
>
> View attachment 55391
>
> After clicking Add, you would choose the hostPath type, then select where on your host to put it, then the mountPath in the container where it will appear and the type "file", since we're not wanting to catch the whole of /etc/
>
> You would then be able to edit that file from the host and it will be kept between container versions/deployments

Thank you very much, this approach seems to be the best solution for my problem so far! I'll try this tomorrow.
 

truecharts

Guru
Joined
Aug 19, 2021
Messages
788
> I'd love to do so, I joined your discord, accepted the terms and checked the checkmark, but I was not given any further access to your channels :/ Might there be some issues with the bot/whatever should provide me access? I did this ~2 weeks ago. Anyway, I'll retry and if I succeed, I'll ask over there.

You can always throw Ornias, Stavros or MintyCrackers a PB to figure out what is going wrong.
Obviously if you're not muted/banned you should've access :(

> No. The app itself will fight against reverse proxies like Traefik to rewrite the URL unless it's configured to play ball.
>
> Containers are designed to be ephemeral, so you're right that any change you make to the container directly will be killed on rebuild/redeploy, but that's why you define persistent storage for some parts of the container.
>
> I see that the TrueCharts app doesn't catch that required config file (/etc/lighttpd/external.conf) in the config storage mount so you would have to add one in the Storage and Persistence section.
>
> View attachment 55391
>
> After clicking Add, you would choose the hostPath type, then select where on your host to put it, then the mountPath in the container where it will appear and the type "file", since we're not wanting to catch the whole of /etc/
>
> You would then be able to edit that file from the host and it will be kept between container versions/deployments

That's pretty much spot on.
Just be aware not to file support tickets with our staff if you add customisations like these ;-)
 

Rarity

Cadet
Joined
Sep 16, 2022
Messages
9
TL;DR
You have the middleware almost correct, just use ^https://([^\/]+)/?$ for your regex and remember to add redirect-pihole to your pihole app's settings in Ingress/Main Ingress/Traefik Middleware.

Here's how you do it.

What you want to do is documented at https://truecharts.org/charts/enterprise/traefik/redirect-regex-middleware/. Like you, I wanted to redirect traefick.<domain> -> traefick.<domain>/dashboard/ but you can do the same with <domain> -> <domain>/admin/ for your pihole app.

In the traefik app, I added a redirectRegex rule. Remember the name, you will need it later. The regex rule is taken straight from the truecharts docs. Apparently "/" is valid and you don't need "\/" (but I haven't tried it both ways). Note that the "redirectRegex" is not found in "Ingress", keep scrolling a while until you get to "Middlewares", there you will find "redirectRegex".

1676148456543.png


Then in the app you want to use this redirect middleware, (in my case traefik itself, for you it would be pihole), in the "Ingress" section, go to the "Traefik Middleware" subsection and add the name of the middleware you created.

1676147408258.png


We can see that the redirect is working:

1676147539598.png
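
The difference anchoring makes, as an added example that is not part of the original posts: it applies the regex from the answer above and, for contrast, a constructed unanchored variant (an assumption, since the original poster's regex survives only as a screenshot) the way a redirect-following client would experience them. The `https://${1}/admin/` replacement and the `pihole.example.test` hostname are placeholders.

```go
package main

import (
	"fmt"
	"regexp"
)

// Pattern from the answer above, plus a constructed unanchored variant for
// contrast (an assumption: the original poster's regex is only in a screenshot).
var (
	anchored   = regexp.MustCompile(`^https://([^\/]+)/?$`)
	unanchored = regexp.MustCompile(`https://([^/]+)/?`)
)

// Placeholder replacement sending the bare host to /admin/.
const replacement = "https://${1}/admin/"

// followRedirects models a client talking to a redirectRegex-style middleware:
// while the full request URL matches re, the client is sent to the rewritten
// URL and requests it again. It returns the final URL, the number of
// redirects, and true if the chain had not settled after maxHops.
func followRedirects(re *regexp.Regexp, url string, maxHops int) (string, int, bool) {
	for hops := 0; hops < maxHops; hops++ {
		if !re.MatchString(url) {
			return url, hops, false
		}
		url = re.ReplaceAllString(url, replacement)
	}
	return url, maxHops, re.MatchString(url)
}

func main() {
	cases := []struct {
		name string
		re   *regexp.Regexp
	}{{"anchored", anchored}, {"unanchored", unanchored}}
	// pihole.example.test is a placeholder hostname.
	for _, start := range []string{"https://pihole.example.test/", "https://pihole.example.test/admin/"} {
		for _, c := range cases {
			final, hops, loop := followRedirects(c.re, start, 5)
			fmt.Printf("%-10s start=%s hops=%d loop=%v final=%s\n", c.name, start, hops, loop, final)
		}
	}
}
```

The anchored pattern stops matching once the path is `/admin/`, so the chain settles after one redirect; the unanchored one keeps matching its own output and the path grows on every hop.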
 

HJD

Dabbler
Joined
Dec 23, 2018
Messages
12
> TL;DR
> You have the middleware almost correct, just use ^https://([^\/]+)/?$ for your regex and remember to add redirect-pihole to your pihole app's settings in Ingress/Main Ingress/Traefik Middleware.
>
> Here's how you do it.
>
> What you want to do is documented at https://truecharts.org/charts/enterprise/traefik/redirect-regex-middleware/. Like you, I wanted to redirect traefick.<domain> -> traefick.<domain>/dashboard/ but you can do the same with <domain> -> <domain>/admin/ for your pihole app.
>
> In the traefik app, I added a redirectRegex rule. Remember the name, you will need it later. The regex rule is taken straight from the truecharts docs. Apparently "/" is valid and you don't need "\/" (but I haven't tried it both ways). Note that the "redirectRegex" is not found in "Ingress", keep scrolling a while until you get to "Middlewares", there you will find "redirectRegex".
>
> View attachment 63477
>
> Then in the app you want to use this redirect middleware, (in my case traefik itself, for you it would be pihole), in the "Ingress" section, go to the "Traefik Middleware" subsection and add the name of the middleware you created.
>
> View attachment 63475
>
> We can see that the redirect is working:
>
> View attachment 63476

I can confirm this works for pihole and elegantly solves what the original post was trying to do, namely using traefik to auto-redirect to /admin when accessing the ingress with just the bare URL. @Migsi - you might want to try the above as well, if you're still interested in a solution that avoids directly adding/editing a config file to the container. @Rarity - thanks, this saved me a few minutes!
 