525 error when trying accessing domain externally using traefik and docker

Really struggling with this... which is not unexpected since I'm pretty new to it, but I'm still not sure where I'm going wrong. I'm informed mostly by this post.

Maybe it's because I'm doing a DNS challenge with cloudflare and don't have something set up properly there? If that were the case I'd be expecting to see some notable errors in the logs, but all I see is what is below.

Any thoughts? Anything look strange?

logs

time="2019-11-12T03:10:35Z" level=error msg="accept tcp [::]:8181: use of closed network connection" entryPointName=traefik
time="2019-11-12T03:10:35Z" level=error msg="accept tcp [::]:80: use of closed network connection" entryPointName=http
time="2019-11-12T03:10:35Z" level=error msg="accept tcp [::]:443: use of closed network connection" entryPointName=https
time="2019-11-12T03:10:38Z" level=info msg="Configuration loaded from file: /etc/traefik/traefik.yaml"

docker-compose.yml

version: "3.6"

services:
  traefik:
    container_name: traefik
    image: traefik:v2.0 
    restart: unless-stopped
    networks:
      - traefik_proxy
    ports:
      - 80:80    # The HTTP port
      - 443:443
      - 8181:8181 # The Web UI (enabled by --api)
    environment:
      - CF_API_EMAIL= "myemail@mydomain.com"
      - CF_API_KEY= "adkfgjeskfdgnvseirneriudgniesbieudghienvefd"
    volumes:
      - /volume1/docker/traefik/traefik.yml:/etc/traefik/traefik.yaml:ro
      - /volume1/docker/traefik/acme/acme.json:/acme.json
      - /volume1/docker/traefik/rules:/rules:ro
      - /var/run/docker.sock:/var/run/docker.sock/
    labels: 
      - traefik.enable=true
      - traefik.http.routers.traefik-api.rule=Host("traefik.mydomain.com") 
      - traefik.http.routers.traefik-api.entrypoints=http 
      - traefik.http.routers.traefik-api.middlewares=redirect@file 
      - traefik.http.routers.traefik-api-s.rule=Host("traefik.mydomain.com") 
      - traefik.http.routers.traefik-api-s.entrypoints=https 
      - traefik.http.routers.traefik-api-s.tls=true 
      - traefik.http.services.traefik-api.loadbalancer.server.port=8181

traefik.yml

log:
  level: error

entryPoints:
  http:
    address: ":80"

  https:
    address: ":443"

  traefik:
    address: ":8181"

api:
  insecure: true
  dashboard: true

serversTransport:
  insecureSkipVerify: true

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    network: proxynetwork

  file:
    directory: /rules
    watch: true

certificatesResolvers:
  letsencrypt:
    acme:
      email: myemail@mydomain.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        delayBeforeCheck: 0

cert.yaml

http:
  routers:
    certs:
      entryPoints:
        - http
        - https
      service: service-blank
      rule: Host("about:blank")
      tls:
        certResolver: letsencrypt
        domains:
          - main: "*.mydomain.com"
            sans:
              - mydomain.co
  services:
    service-blank:
      loadBalancer:
        servers:
          - url: "https://about.blank"

tls.yaml

tls:
  options:
    TLSv13:
      minVersion: VersionTLS13
      cipherSuites:
        - TLS_AES_128_GCM_SHA256
        - TLS_AES_256_GCM_SHA384
        - TLS_CHACHA20_POLY1305_SHA256
      sniStrict: true
        
    default:
      minVersion: VersionTLS12
      cipherSuites:
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      sniStrict: true

middlewares.yaml

http:
  middlewares:
    redirect:
      redirectScheme:
        scheme: https

    ipwhitelist:
      ipWhiteList:
        sourceRange:
          - "192.168.1.0/24"
        ipStrategy:
          depth: 0

    hsts:
      headers:
        sslRedirect: true
        stsPreload: true
        stsSeconds: 315360000
        stsIncludeSubdomains: true

What are you expecting to see? about:blank is not a valid host name in the host rule, and "https://about.blank" on the service is not likely to produce any meaningful result.

Please specify the query that returns the error. It cannot be https://about.blank; this simply will not work. Also please specify what you are expecting to see at this query instead of an error, that is, where you expect traefik to route it.

Use debug log level, not error. According to Google search results, 525 is something that Cloudflare returns when it has problems with certs calling web sites. I don't think that traefik uses this code. There is probably something wrong with your configuration.

Exclude Cloudflare from the equation (except for dnsChallenge purposes), and try to access your site directly without Cloudflare. Using curl and/or openssl s_client -connect could help if it's not clear what's happening from the browser.

Examine the certificate to find out what's wrong. Two main options come to mind: you are either serving the default cert, or you are serving a cert for the wrong domain.

Remove all "embellishments" to get the basics working; for example, remove tls.yaml. Remove the hsts and whitelist middlewares, although it does not look like you are using them. When you get the basics working you can add them back.

Use traefik v2.0.4, which is the latest.

Logs should have much more info, e.g. information on certificate requests, and errors if any. They should also dump the loaded configurations, both static and dynamic, which we must examine to determine if they reflect our expectation. Please post a more complete debug log.
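One way to do the direct-to-origin certificate check the reply recommends, written as an added example for this thread (not the poster's or Traefik's own code): it takes the origin IP and the hostname as arguments, speaks TLS to the origin with that SNI so Cloudflare is out of the loop, and reports whether the leaf certificate is Traefik's self-signed default cert, a cert that does not cover the name, or a matching one. The script name, function names and the use of the openssl CLI (1.1.1 or newer for `-ext`) are assumptions.

```shell
#!/bin/sh
# Direct-to-origin certificate check (hypothetical helper, not from the thread).
# Usage: sh check_origin_cert.sh <origin-ip> <hostname>
# Connects to the origin IP with SNI set to <hostname>, bypassing Cloudflare, and
# classifies the leaf cert: Traefik default cert, wrong name, or a real match.

# Does hostname $1 match certificate DNS name $2? A leading "*." covers exactly
# one label, so *.mydomain.com matches traefik.mydomain.com but neither the
# apex mydomain.com nor a.b.mydomain.com (which is why the apex needs a SAN).
name_matches() {
  host=$1; pat=$2
  case $pat in
    \*.*)
      suffix=${pat#\*}          # ".mydomain.com"
      rest=${host#*.}           # hostname with its first label removed
      [ "$host" != "$rest" ] && [ ".$rest" = "$suffix" ] ;;
    *) [ "$host" = "$pat" ] ;;
  esac
}

# classify_cert <hostname> <subject line> <space-separated DNS SANs>
# Prints: default-cert | ok | mismatch
classify_cert() {
  host=$1; subject=$2; sans=$3
  case $subject in
    *"TRAEFIK DEFAULT CERT"*) echo default-cert; return 0 ;;   # Traefik's fallback cert
  esac
  for n in $sans; do
    if name_matches "$host" "$n"; then echo ok; return 0; fi
  done
  echo mismatch
}

# origin_cert_info <origin-ip> <hostname>: prints "<subject>|<san1> <san2> ..."
# Needs the openssl CLI; -ext requires OpenSSL 1.1.1 or newer.
origin_cert_info() {
  pem=$(openssl s_client -connect "$1:443" -servername "$2" </dev/null 2>/dev/null \
        | openssl x509 2>/dev/null) || return 1
  subject=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
  sans=$(printf '%s\n' "$pem" | openssl x509 -noout -ext subjectAltName 2>/dev/null \
         | tr ',' '\n' | sed -n 's/.*DNS:\([^ ]*\).*/\1/p' | tr '\n' ' ')
  printf '%s|%s\n' "$subject" "$sans"
}

check_origin() {
  info=$(origin_cert_info "$1" "$2") || { echo "no certificate from $1 (handshake failed?)"; return 2; }
  subject=${info%%|*}; sans=${info#*|}
  printf 'host=%s verdict=%s\n  %s\n  SANs: %s\n' "$2" "$(classify_cert "$2" "$subject" "$sans")" "$subject" "$sans"
}
if [ "$#" -ge 2 ]; then check_origin "$1" "$2"; fi
```

A `default-cert` verdict means the ACME certificate was never issued or Traefik could not match the SNI to it; `mismatch` means a certificate was issued but for the wrong name, and either one is enough for Cloudflare to refuse the origin handshake.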

Thanks! Will do all of this

This worked out great. Was able to get everything working based off this feedback
