
Traefik IngressRoute redirect doesn’t work


I have set up the following IngressRoutes for the default path and wp-*

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: external-1
  namespace: marketing
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`example.com`) || Host(`www.example.com`)
      kind: Rule
      services:
        - name: wordpress
          port: 80
      middlewares:
        - name: https-redirect
  tls:
    secretName: prod-cert

and

apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: wp-admin-1
  namespace: marketing
spec:
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`example.com`) || Host(`www.example.com`) && PathPrefix(`/wp-login.php`,`/wp-login.php/`, `/wp-admin/`)
      kind: Rule
      services:
        - name: wordpress
          port: 80
      middlewares:
        - name: secured-restricted
  tls:
    secretName: prod-cert

Middleware:

---

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: secured-restricted
  namespace: marketing
spec:
  chain:
    middlewares:
    - name: https-redirect
    - name: permited-ips

---

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: https-redirect
  namespace: marketing
spec:
  redirectScheme:
    scheme: https
    permanent: true

---

apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: permited-ips
  namespace: marketing
spec:
  ipWhiteList:
    sourceRange:
    - #.#.#.#/28

---

https://www.example.com --> works

https://example.com --> Get Forbidden

https://example.com works only when I try to access it from whitelisted IP (#.#.#.#/28)

So it looks like the external-1 IngressRoute is not getting hit.

What is wrong with this setup?


Solution

  • Splitting the rules in the following way fixed the issue.

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: external-1
      namespace: marketing
    spec:
      entryPoints:
        - web
        - websecure
      routes:
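        - match: Host(`example.com`)
          kind: Rule
          services:
            - name: wordpress
              port: 80
          # Middlewares are set per route, so this host needs its own entry.
          middlewares:
            - name: https-redirect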
        - match: Host(`www.example.com`)
          kind: Rule
          services:
            - name: wordpress
              port: 80
          middlewares:
            - name: https-redirect
      tls:
        secretName: prod-cert
    

    and

    apiVersion: traefik.containo.us/v1alpha1
    kind: IngressRoute
    metadata:
      name: wp-admin-1
      namespace: marketing
    spec:
      entryPoints:
        - web
        - websecure
      routes:
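        - match: Host(`example.com`) && PathPrefix(`/wp-login.php`,`/wp-login.php/`, `/wp-admin/`)
          kind: Rule
          services:
            - name: wordpress
              port: 80
          # Without this, the admin paths on example.com skip the IP allow list.
          middlewares:
            - name: secured-restricted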
        - match: Host(`www.example.com`) && PathPrefix(`/wp-login.php`,`/wp-login.php/`, `/wp-admin/`)
          kind: Rule
          services:
            - name: wordpress
              port: 80
          middlewares:
            - name: secured-restricted
      tls:
        secretName: prod-cert
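
Why the original rule misfired, as an added example that is not part of the original question or answer: in Traefik rule syntax `&&` binds tighter than `||`, so the wp-admin-1 rule was read as `Host(example.com) || (Host(www.example.com) && PathPrefix(...))`, and every path on example.com landed on the IP-restricted route. Grouping the hosts with parentheses keeps a single route and a single middleware reference; all names below are reused from the manifests above.

```yaml
# Added example: one route for both hosts, with the host alternatives grouped.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: wp-admin-1
  namespace: marketing
spec:
  entryPoints:
    - web
    - websecure
  routes:
    # The parentheses make (Host || Host) a single operand of &&, so the
    # PathPrefix condition applies to both hostnames, not only the last one.
    - match: (Host(`example.com`) || Host(`www.example.com`)) && PathPrefix(`/wp-login.php`,`/wp-login.php/`, `/wp-admin/`)
      kind: Rule
      services:
        - name: wordpress
          port: 80
      # One middleware list now covers the admin paths on both hosts.
      middlewares:
        - name: secured-restricted
  tls:
    secretName: prod-cert
```

To check the result, request `/` and `/wp-admin/` on both hostnames from an address outside the allow list: the first should load and the second should return Forbidden on each host.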