All webpages returning 404 Errors behind traefik (Both http and HTTPS)

quantumfla5h · June 19, 2025, 3:15am

Hi All, I'm completely new to Traefik and I'm coming over from Nginx Proxy Manager (NPM) which just "worked" for me. Right now, I'm having an issue where everything I serve returns a 404 error. To make my life simple, I've been creating the stacks within portainer and using it to create the labels. I currently have my own domain through cloudflare that I have CNAMEs set up for but when I start configuring a service (let's take bytestash for example):
Here's the compose file for traefik to set up the container:

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
      # - 443:443/tcp # Uncomment if you want HTTP3
      # - 443:443/udp # Uncomment if you want HTTP3
    environment:
      CF_DNS_API_TOKEN_FILE: /run/secrets/cf_api_token # note using _FILE for docker secrets
      # CF_DNS_API_TOKEN: ${CF_DNS_API_TOKEN} # if using .env
      TRAEFIK_DASHBOARD_CREDENTIALS: ${TRAEFIK_DASHBOARD_CREDENTIALS}
    secrets:
      - cf_api_token
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/jramos/docker/traefik/data/logs/traefik.log:/traefik.log
      - /home/jramos/docker/traefik/data/traefik.yml:/traefik.yml:ro
      - /home/jramos/docker/traefik/data/acme.json:/acme.json
      - /home/jramos/docker/traefik/data/dynamic_config.yml:/dynamic_config.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`traefik-dashboard.mydomain.net`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=${TRAEFIK_DASHBOARD_CREDENTIALS}"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik-dashboard.mydomain.net`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=cloudflare"
      - "traefik.http.routers.traefik-secure.tls.domains[0].main=mydomain.net"
      - "traefik.http.routers.traefik-secure.tls.domains[0].sans=*.mydomain.net"
      - "traefik.http.routers.traefik-secure.service=api@internal
#SECRETS OMITED
networks:
  proxy:
    external: true

and here's my static config file:

api:
  dashboard: true
  debug: true

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
          scheme: https
  websecure:
    address: :443
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: ./dynamic_config.yml
certificatesResolvers:
  cloudflare:
    acme:
      email: myemail@email.com
      storage: acme.json
      caServer: https://acme-v02.api.letsencrypt.org/directory # prod (default)
     #  caServer: https://acme-staging-v02.api.letsencrypt.org/directory # staging
      dnsChallenge:
        provider: cloudflare
        #disablePropagationCheck: true # uncomment this if you have issues pulling certificates through cloudflare, By setting this flag to true disable>
        #delayBeforeCheck: 60s # uncomment along with disablePropagationCheck if needed to ensure the TXT record is ready before verification is attempt>
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"
log:
  filePath: "./traefik.log"
  format: json
  level: DEBUG
  maxBackups: 5
  compress: true

as far as I can tell, all of this is OK, because when I pull up the dashboard, and check the container logs, I get no errors:

compose file for docker:

services:
  bytestash:
    image: "ghcr.io/jordan-dalby/bytestash:latest"
    restart: always
    volumes:
      - /home/jramos/docker/bytestash/data:/data/snippets
    ports:
      - "5000:5000"
    environment:
      # See https://github.com/jordan-dalby/ByteStash/wiki/FAQ#environment-variables
      BASE_PATH: ""
      JWT_SECRET: #JWT SECRET
      TOKEN_EXPIRY: 24h
      ALLOW_NEW_ACCOUNTS: "true"
      DEBUG: "true"
      DISABLE_ACCOUNTS: "false"
      DISABLE_INTERNAL_ACCOUNTS: "false"

      # See https://github.com/jordan-dalby/ByteStash/wiki/Single-Sign%E2%80%90on-Setup for more info
      OIDC_ENABLED: "false"
      OIDC_DISPLAY_NAME: ""
      OIDC_ISSUER_URL: ""
      OIDC_CLIENT_ID: ""
      OIDC_CLIENT_SECRET: ""
      OIDC_SCOPES: ""

I have the following labels configured (through portainer)

traefik.http.routers.bytestash.rule=Host(`bytestash.domain.net`)
traefik.http.routers.bytestash.entrypoints=web
traefik.enable=true

everything looks like it's updated correctly

yet both http and https bring up 404 errors when browsing to the FQDN

I'm not sure what I'm missing, because even the traefik logs don't show any errors

bluepuma77 · June 19, 2025, 4:56am

You redirect all http requests globally to https, so a router will not get any http requests. You need to change entrypoint to websecure. Compare to simple Traefik example.

quantumfla5h · June 19, 2025, 2:05pm

I've tested changing that entrypoint from web to websecure but I still wind up getting 404 errors

bluepuma77 · June 19, 2025, 4:47pm

Enable and check Traefik debug log (doc) and also Traefik access log in JSON format (doc).

quantumfla5h · June 19, 2025, 6:25pm

There's nothing really that stood out to me in either log. I didnt see any errors and the access log shows the 404 error. Admittedly I'm not 100% sure what to be on the lookout for

{
  "ClientAddr": "172.70.176.83:52518",
  "ClientHost": "172.70.176.83",
  "ClientPort": "52518",
  "ClientUsername": "-",
  "DownstreamContentSize": 19,
  "DownstreamStatus": 404,
  "Duration": 54230,
  "GzipRatio": 0,
  "OriginContentSize": 0,
  "OriginDuration": 0,
  "OriginStatus": 0,
  "Overhead": 54230,
  "RequestAddr": "apollo.apophisnetworking.net",
  "RequestContentSize": 0,
  "RequestCount": 106,
  "RequestHost": "apollo.apophisnetworking.net",
  "RequestMethod": "GET",
  "RequestPath": "/",
  "RequestPort": "-",
  "RequestProtocol": "HTTP/2.0",
  "RequestScheme": "https",
  "RetryAttempts": 0,
  "StartLocal": "2025-06-19T12:24:15.138926146-06:00",
  "StartUTC": "2025-06-19T18:24:15.138926146Z",
  "TLSCipher": "TLS_AES_128_GCM_SHA256",
  "TLSVersion": "1.3",
  "entryPointName": "websecure",
  "level": "info",
  "msg": "",
  "time": "2025-06-19T12:24:15-06:00"
}

bluepuma77 · June 19, 2025, 6:39pm

There is no router name and OriginStatus is 0. So Traefik does not match any router using rule with Host(), returning 404.

apollo.apophisnetworking.net != bytestash.domain.net

quantumfla5h · June 19, 2025, 7:15pm

the actual rule is Host(apollo.apophisnetworking.net) I had edited the print out for other reasons prior. Sorry. But yea the domain and rule match in the configs. The screenshot above from the router is correct

bluepuma77 · June 20, 2025, 4:17am

Did you assign the certResolver to websecure entrypoint or router? Compare to simple Traefik example.
.

Topic		Replies	Views
Get 404 page not found with Portainer behind Traefik Traefik v2 docker	3	4018	November 3, 2022
Traefic dashboard 404 error Traefik v3 (latest) docker	1	228	July 5, 2024
Help with 404 error Traefik v2 docker , letsencrypt-acme , middleware	15	11185	April 11, 2024
404 Error, not routing to external server Traefik v3 (latest) docker	2	934	August 23, 2024
On HTTPS returns "404 page not found" (traefik:v1.7.14) Traefik v1 docker	5	10989	March 15, 2022

All webpages returning 404 Errors behind traefik (Both http and HTTPS)

Related topics