404 after a while - but only in chrome

soerendohmen · May 8, 2023, 2:24pm

I had a working configuration. I added a tcp-router. Unfortunately I'm not sure if this caused the failure, because it only fails on Chrome.
Behaviour: After a fresh start everything is ok.
After 5 Minutes: Some of the Services are not reacheable any more (404) and one Service redirects to another Service. It does not matter if this is docker or file.
I will add further information tomorrow, but maybe someone already has a hint for me.
Regards

bluepuma77 · May 9, 2023, 6:49am

Share your Traefik static and dynamic config, and docker-compose.yml if used.

Make sure to use a current Traefik version.

soerendohmen · May 9, 2023, 7:52am

Here you go.

#docker-compose.yml
version: "3.7"

services:
  reverse-proxy:
    image: traefik:2.9.10
    ports:
      - "80:80"
      - "443:443"
    restart: always
    networks:
      - traefik_proxy
    labels:
      traefik.enable: "true"
      traefik.http.routers.traefik.rule: Host(`traefik.domain3.de`)
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.tls.certresolver: default
      traefik.http.routers.traefik.service: api@internal
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - ./config:/etc/traefik
networks:
  traefik_proxy:
    name: traefik_proxy

#config/traefik.yml(static)
api:
  dashboard: true
certificatesResolvers:
  default:
    acme:
      email: xyz@zxy.de
      storage: /etc/traefik/acme/acme.json
      httpChallenge:
        entryPoint: web
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          scheme: https
          to: websecure
  websecure:
    address: :443
    http:
      middlewares:
        - secHeaders@file
providers:
  file:
    filename: /etc/traefik/static.yml
  docker:
    exposedByDefault: false
    network: traefik_proxy
    endpoint: unix:///var/run/docker.sock
metrics:
  prometheus:
    manualRouting: true
experimental:
  plugins:
    simplecache:
      moduleName: "github.com/traefik/plugin-simplecache"
      version: "v0.2.1"

#config/static.yml(dynamic)
tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      curvePreferences:
        - CurveP521
        - CurveP384
    minTLS13:
      minVersion: VersionTLS13
tcp:
  routers:
    router1:
      entryPoints:
        - websecure
      rule: HostSNI(`relaunch.domain1.de`) || HostSNI(`traefik-za.domain2.de`)
      tls:
        passthrough: true
      service: router1-svc
  services:
    router1-svc:
      loadBalancer:
        servers:
          - address: "192.168.178.235:443"
http:
  middlewares:
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customRequestHeaders:
          X-Frame-Options: "SAMEORIGIN"
        customFrameOptionsValue: "SAMEORIGIN"
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
    simplecache:
      plugin:
        simplecache:
          path: /etc/traefik/tmp
  routers:
    router2:
      entryPoints:
        - websecure
      rule: Host(`dav.domain1.de`)
      tls:
        certresolver: default
      service: router2-svc
      middlewares:
        - simplecache@file
    router3:
      entryPoints:
        - websecure
      rule: Host(`subdomain.domain3.de`)
      tls:
        certresolver: default
      service: router3-svc
      middlewares:
        - simplecache@file
    router4:
      entryPoints:
        - websecure
      rule: HostRegexp(`domain2.de`, `{subdomain:[a-z]+}.domain2.de`, `{subdomain:[a-z]+}.subdomain.domain2.de`, `{subdomain:[a-z]+}.subdomain-dev.domain2.de`)
      tls:
        certresolver: default
        domains:
          - domain2.de
          #... 
      service: router4-svc
    metrics:
      entryPoints:
        - websecure
      rule: Host(`traefik.domain3.link`) && PathPrefix(`/metrics`)
      tls:
        certresolver: default
      service: prometheus@internal
  services:
    router2-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.178.89:8080"
        passHostHeader: true
    router3-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.178.66:8080"
        passHostHeader: true
    router4-svc:
      loadBalancer:
        servers:
          - url: "https://192.168.178.235"
        passHostHeader: true

bluepuma77 · May 9, 2023, 2:52pm

Have you tried to replace your target service with traefik/whoami and reproduce the issue? Is Chrome sending other headers than another browser? You seem to use some caching, try disabling that.

I don't understand what you do with TLS. You use certresolver, assign it to some routers, but some use passthrough. Should they all use the same cert? How does your target service get the cert?

soerendohmen · May 17, 2023, 3:42pm

I will be answering hopefully on thursday.