I had a working configuration. I added a tcp-router. Unfortunately I'm not sure if this caused the failure, because it only fails on Chrome.
Behaviour: After a fresh start everything is ok.
After 5 minutes: some of the services are not reachable any more (404) and one service redirects to another service. It does not matter if this is docker or file.
I will add further information tomorrow, but maybe someone already has a hint for me.
Regards
Share your Traefik static and dynamic config, and docker-compose.yml if used.
Make sure to use a current Traefik version.
Here you go.
#docker-compose.yml
version: "3.7"
services:
  reverse-proxy:
    image: traefik:2.9.10
    ports:
      - "80:80"
      - "443:443"
    restart: always
    networks:
      - traefik_proxy
    labels:
      traefik.enable: "true"
      traefik.http.routers.traefik.rule: Host(`traefik.domain3.de`)
      traefik.http.routers.traefik.entrypoints: websecure
      traefik.http.routers.traefik.tls.certresolver: default
      traefik.http.routers.traefik.service: api@internal
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /etc/localtime:/etc/localtime:ro
      - /etc/timezone:/etc/timezone:ro
      - ./config:/etc/traefik
networks:
  traefik_proxy:
    name: traefik_proxy
#config/traefik.yml(static)
api:
  dashboard: true
certificatesResolvers:
  default:
    acme:
      email: xyz@zxy.de
      storage: /etc/traefik/acme/acme.json
      httpChallenge:
        entryPoint: web
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          scheme: https
          to: websecure
  websecure:
    address: :443
    http:
      middlewares:
        - secHeaders@file
providers:
  file:
    filename: /etc/traefik/static.yml
  docker:
    exposedByDefault: false
    network: traefik_proxy
    endpoint: unix:///var/run/docker.sock
metrics:
  prometheus:
    manualRouting: true
experimental:
  plugins:
    simplecache:
      moduleName: "github.com/traefik/plugin-simplecache"
      version: "v0.2.1"
#config/static.yml(dynamic)
tls:
  options:
    default:
      minVersion: VersionTLS12
      sniStrict: true
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      curvePreferences:
        - CurveP521
        - CurveP384
    minTLS13:
      minVersion: VersionTLS13
tcp:
  routers:
    router1:
      entryPoints:
        - websecure
      rule: HostSNI(`relaunch.domain1.de`) || HostSNI(`traefik-za.domain2.de`)
      tls:
        passthrough: true
      service: router1-svc
  services:
    router1-svc:
      loadBalancer:
        servers:
          - address: "192.168.178.235:443"
http:
  middlewares:
    secHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        frameDeny: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
        customRequestHeaders:
          X-Frame-Options: "SAMEORIGIN"
        customFrameOptionsValue: "SAMEORIGIN"
        sslProxyHeaders:
          X-Forwarded-Proto: "https"
    simplecache:
      plugin:
        simplecache:
          path: /etc/traefik/tmp
  routers:
    router2:
      entryPoints:
        - websecure
      rule: Host(`dav.domain1.de`)
      tls:
        certresolver: default
      service: router2-svc
      middlewares:
        - simplecache@file
    router3:
      entryPoints:
        - websecure
      rule: Host(`subdomain.domain3.de`)
      tls:
        certresolver: default
      service: router3-svc
      middlewares:
        - simplecache@file
    router4:
      entryPoints:
        - websecure
      rule: HostRegexp(`domain2.de`, `{subdomain:[a-z]+}.domain2.de`, `{subdomain:[a-z]+}.subdomain.domain2.de`, `{subdomain:[a-z]+}.subdomain-dev.domain2.de`)
      tls:
        certresolver: default
        domains:
          - domain2.de
          #...
      service: router4-svc
    metrics:
      entryPoints:
        - websecure
      rule: Host(`traefik.domain3.link`) && PathPrefix(`/metrics`)
      tls:
        certresolver: default
      service: prometheus@internal
  services:
    router2-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.178.89:8080"
        passHostHeader: true
    router3-svc:
      loadBalancer:
        servers:
          - url: "http://192.168.178.66:8080"
        passHostHeader: true
    router4-svc:
      loadBalancer:
        servers:
          - url: "https://192.168.178.235"
        passHostHeader: true
Have you tried to replace your target service with traefik/whoami and reproduce the issue? Is Chrome sending other headers than another browser? You seem to use some caching, try disabling that.
I don't understand what you do with TLS. You use certresolver, assign it to some routers, but some use passthrough. Should they all use the same cert? How does your target service get the cert?
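One way to tabulate what the reply above asks about, namely which routers in the posted config have TLS terminated by Traefik and which are passed through (an added example, not part of the thread). The router and service tuples are transcribed from the posted dynamic config; the helper names and the last-two-labels parent-domain shortcut are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample: routers from the dynamic config posted above, reduced to
# (kind, name, rule, tls, service). The internal metrics router is left out.
ROUTERS = [
    ("tcp", "router1", "HostSNI(`relaunch.domain1.de`) || HostSNI(`traefik-za.domain2.de`)",
     {"passthrough": True}, "router1-svc"),
    ("http", "router2", "Host(`dav.domain1.de`)", {"certresolver": "default"}, "router2-svc"),
    ("http", "router3", "Host(`subdomain.domain3.de`)", {"certresolver": "default"}, "router3-svc"),
    ("http", "router4", "HostRegexp(`domain2.de`, `{subdomain:[a-z]+}.domain2.de`, "
     "`{subdomain:[a-z]+}.subdomain.domain2.de`, `{subdomain:[a-z]+}.subdomain-dev.domain2.de`)",
     {"certresolver": "default"}, "router4-svc"),
]
BACKENDS = {"router1-svc": "192.168.178.235:443", "router2-svc": "http://192.168.178.89:8080",
            "router3-svc": "http://192.168.178.66:8080", "router4-svc": "https://192.168.178.235"}

def backend_host(addr):
    # TCP servers are host:port, HTTP servers are URLs; normalise both to the host.
    return urlsplit(addr if "://" in addr else "//" + addr).hostname

def inventory(routers=ROUTERS, backends=BACKENDS):
    """One row per router: matched host patterns, TLS mode, backend host."""
    rows = []
    for kind, name, rule, tls, svc in routers:
        mode = "passthrough" if tls.get("passthrough") else "terminated"
        rows.append({"router": name, "hosts": re.findall(r"`([^`]+)`", rule),
                     "mode": mode, "backend": backend_host(backends[svc])})
    return rows

def parent(host):
    # Assumption: the last two labels stand in for the registered domain.
    return ".".join(host.split(".")[-2:])

def mixed(rows, keys):
    """Keys (backends or domains) served in both passthrough and terminated mode."""
    modes = {}
    for row in rows:
        for key in keys(row):
            modes.setdefault(key, set()).add(row["mode"])
    return sorted(k for k, m in modes.items() if {"passthrough", "terminated"} <= m)

if __name__ == "__main__":
    rows = inventory()
    for row in rows:
        print(row["router"], row["mode"], row["backend"], row["hosts"])
    print("backends in both modes:", mixed(rows, lambda r: [r["backend"]]))
    print("domains in both modes:", mixed(rows, lambda r: {parent(h) for h in r["hosts"]}))
```

On the posted config this lists 192.168.178.235 as a backend reached in both modes, and domain1.de and domain2.de as domains with hostnames in both modes.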
I will be answering hopefully on Thursday.