400 Bad Request The plain HTTP request was sent to HTTPS port

Traefik Traefik v2
1

Hi,

I'm setuping a bunch of services on docker with traefik.

I'm struggling with the setup for heimdall, which seems to be only accessible through https on 443.

With the following docker compose:

version: "3.9"

services:
  traefik:
    image: "traefik:latest"
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=ovh"
      - "--certificatesresolvers.myresolver.acme.email=a@b.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "8080:8080"
      - "443:443"
    environment:
      - "OVH_ENDPOINT=ovh-eu"
      - "OVH_APPLICATION_KEY=a"
      - "OVH_APPLICATION_SECRET=b"
      - "OVH_CONSUMER_KEY=c"
    volumes:
      - config-letsencrypt:/letsencrypt
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    restart: always
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`bbb.xxx.yyy`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
      - "traefik.http.middlewares.force-secure.redirectscheme.scheme=https"
      - "traefik.http.middlewares.force-secure.redirectscheme.permanent=true"
      - traefik.http.routers.http-catchall.rule=HostRegexp(`{any:.+}`)
      - traefik.http.routers.http-catchall.entrypoints=web
      - traefik.http.routers.http-catchall.middlewares=force-secure

  heimdall:
    image: lscr.io/linuxserver/heimdall:latest
    environment:
      - PUID=1028
      - PGID=100
      - TZ=Europe/London
    volumes:
      - config-heimdall:/config
    ports:
      - 444:443
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.heimdall.rule=Host(`aaa.xxx.yyy`)"
      - "traefik.http.routers.heimdall.entrypoints=websecure"
      - "traefik.http.routers.heimdall.tls.certresolver=myresolver"
      - "traefik.http.routers.heimdall.tls=true"
      - "traefik.http.services.heimdall.loadbalancer.server.port=443" 

volumes:
  config-letsencrypt:
    driver_opts:
      type: "nfs"
      o: "addr=192.168.0.60,nolock,rw,soft"
      device: ":/volume2/apps/config/letsencrypt"
  config-heimdall:
    driver_opts:
      type: "nfs"
      o: "addr=192.168.0.60,nolock,rw,soft"
      device: ":/volume2/apps/config/heimdall"

I'm encountering this error:

400 Bad Request The plain HTTP request was sent to HTTPS port.

If I directly try to access heimdall through https://my-docker-ip:444 it works properly.

I found some people saying that I should add a "scheme=https":

- "traefik.http.services.heimdall.loadbalancer.server.scheme=https" but now I've another error:

Gateway Timeout

in traefik logs, I've this:

time="2023-03-11T12:59:03Z" level=debug msg="'504 Gateway Timeout' caused by: dial tcp 10.0.0.186:443: i/o timeout"

I also found some people mentionning that I should add insureSkipVerify=true in traefik configuration. If I do, it works, but now a bunch of other services doesn't work anymore and this doesn't sound like a good idea to globally bypass this check.

Any idea what is going on?

2

Traefik static config

      - --serversTransport.insecureSkipVerify=true

and dynamic config via labels

    labels:
      - traefik.enable=true
      - traefik.http.routers.myheimdall.rule=Host(`heimdall.example.com`)
      - traefik.http.services.myheimdall.loadbalancer.server.port=443
      - traefik.http.services.myheimdall.loadbalancer.server.scheme=https
      - traefik.http.routers.myheimdall.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=test:$$apr1$$H6uskkkW$$IgXLP6ewTrSuBkTrqE8wj/

works for me. Alternatively you can set up a servertransport with insecureSkipVerify just for heimdall, but for that you need to use a separate file via provider.file and then assign it to the service (docs).

Sadly it can not be done via docker-compose.yml alone, but you are welcome to upvote Github issues #9611 and #7893 to show your interest in this feature.