The Traefik API gateway/proxy comes with a whole bunch of built-in policies. Traefik calls them "middlewares". There is a middleware named "redirectscheme" which lets you force a redirect from one protocol scheme to another, e.g. http to https. There is however one pitfall: this middleware does not support to be applied to a TLS-enabled router. So, you will have to set up a second router which is only there for the redirect. You will end up with something like this:

docker run -dit \
--name my_service_behind_traefik \
--label traefik.http.routers.viahttp.rule='Host(``)' \
--label traefik.http.routers.viahttp.entrypoints=http \
--label traefik.http.routers.viahttp.middlewares=https_only \
--label traefik.http.routers.viahttps.rule='Host(``)' \
...the rest of your actual router config...
--label traefik.http.middlewares.https_only.redirectscheme.scheme=https \
...the rest of your run command...

As you can see above, you will have to set up two routers:

  • one for http (in my example "viahttp")
  • one for https (in my example "viahttps")

The "viahttp" router only serves the purpose of activating a redirect middleware (in my example "https_only") to point the client to the TLS-enabled router ("viahttps").

Not a big deal if you know it. May cost time if you don't.