Hello, I was following your examples, and found that a problem is created when you redirect http-external to https-external. When an external user tries to access http://example.com, some browsers (tested on mobile safari) redirect to https://example.com:444, which won't get through the firewall since only 443 is port forwarded. This issue is not necessarily apparent because most browsers will try https first and get to the https-external entrypoint on the first try. But if you explicitly call http, the redirect doesn't (always?) work.
The solution I came up with is to redirect http-external to https. My instinct was telling me this opens up the same security hole that we were solving in the first place, but I tested this with local DNS entries, and it seems to hold. I suspect what is happening is that the redirect does not put the client straight through to the https entrypoint, but instead tells the client to make a new request using the https format (i.e., rewrites the url to https://example.org on port 443). This then comes back into the firewall and gets converted to port 444 before it hits traefik again. It seems to work.
I'll admit half of the reason I'm posting this is to let you know, and the other half of it is for you to let me know why this really is a security flaw and why I shouldn't use it.
Hello, I was following your examples, and found that a problem is created when you redirect http-external to https-external. When an external user tries to access http://example.com, some browsers (tested on mobile safari) redirect to https://example.com:444, which won't get through the firewall since only 443 is port forwarded. This issue is not necessarily apparent because most browsers will try https first and get to the https-external entrypoint on the first try. But if you explicitly call http, the redirect doesn't (always?) work.
The solution I came up with is to redirect http-external to https. My instinct was telling me this opens up the same security hole that we were solving in the first place, but I tested this with local DNS entries, and it seems to hold. I suspect what is happening is that the redirect does not put the client straight through to the https entrypoint, but instead tells the client to make a new request using the https format (i.e., rewrites the url to https://example.org on port 443). This then comes back into the firewall and gets converted to port 444 before it hits traefik again. It seems to work.
I'll admit half of the reason I'm posting this is to let you know, and the other half of it is for you to let me know why this really is a security flaw and why I shouldn't use it.