Another "Can’t Access Dashboard on HTTPS"

Traefik Traefik v2
1

I read almost all threads in this forum and outside about accessing dashboard on HTTPS.

Note: I'm using Kamal, so the setup below may be slightly different than the standard Traefik, but I believe the concepts remain the same.

I successfully configured Traefik as a dynamic, transparent/TLS pass-through reverse proxy and load balancer on Linode. Behind the load balancer (IP 1x9.1y4.1z1.121) there are a couple of backend servers (including one with IP 1x2.1y4.2x4.79) that seem to properly work as expected (redirection, SSL certificate generation, etc.).

However, I cannot access the Traefik dashboard in secure mode.

Here is the configuration:

# deploy.yml

# ...

# Configure custom arguments for Traefik
traefik:
  options:
    publish:
      - "443:443"
      - "8080:8080"
    volume:
      - "/letsencrypt/acme.json:/letsencrypt/acme.json"
  args:
    entryPoints.web.address: ":80"
    entryPoints.websecure.address: ":443"

    entryPoints.web.forwardedHeaders.trustedIPs: "1x9.1y4.1z1.121,127.0.0.1/32,1x2.1y8.2z5.0/24"
    entryPoints.web.proxyProtocol.trustedIPs: "1x9.1y4.1z1.121,127.0.0.1/32,1x2.1y8.2z5.0/24"
    entryPoints.websecure.forwardedHeaders.trustedIPs: "1x9.1y4.1z1.121,127.0.0.1/32,1x2.1y8.2z5.0/24"
    entryPoints.websecure.proxyProtocol.trustedIPs: "1x9.1y4.1z1.121,127.0.0.1/32,1x2.1y8.2z5.0/24"

    certificatesresolvers.letsencrypt.acme.email: "my@email.com"
    certificatesresolvers.letsencrypt.acme.storage: "/letsencrypt/acme.json"
    certificatesresolvers.letsencrypt.acme.dnschallenge: true
    certificatesresolvers.letsencrypt.acme.dnschallenge.provider: linode

    api.dashboard: true
    api.insecure: false

  labels:
    # Dashboard configuration (not working)
    traefik.enable: "true"
    traefik.http.routers.dashboard.tls: true
    traefik.http.routers.dashboard.rule: Host(`traefik.mywebsite.com`) # (Host(`www.traefik.mywebsite.com`) || Host(`traefik.mywebsite.com`)) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`)) 
    traefik.http.routers.dashboard.service: "api@internal"
    traefik.http.routers.dashboard.middlewares: "auth"
    traefik.http.middlewares.auth.basicauth.users: test:$2y$05$H2o72tMaO.TwY1wNQUV1K.fhjRgLHRDWohFvUZOJHBEtUXNKrqUKi

  env:
    secret:
      - LINODE_TOKEN
    clear:
      LINODE_EMAIL: "my@email.com"


# Deploy to these servers.
servers:
  web:
    hosts:
      - 1x2.1y4.2z4.79
    options:
      "add-host": host.docker.internal:172.17.0.1
    labels:
      traefik.http.routers.www_mywebsite_com.rule: Host(`www.mywebsite.com`) || Host(`mywebsite.com`)
      traefik.http.routers.www_mywebsite_com.middlewares: addhttpswww

      traefik.http.routers.www_mywebsite_com_secure.rule: Host(`www.mywebsite.com`) || Host(`mywebsite.com`)
      traefik.http.routers.www_mywebsite_com_secure.middlewares: addhttpswww

      traefik.http.routers.www_mywebsite_com_secure.tls: true
      traefik.http.routers.www_mywebsite_com_secure.tls.certresolver: letsencrypt
      traefik.http.routers.www_mywebsite_com_secure.tls.domains[0].main: "mywebsite.com"
      traefik.http.routers.www_mywebsite_com_secure.tls.domains[0].sans: "*.mywebsite.com" 

      traefik.http.middlewares.addhttpswww.redirectregex.regex: ^(?:http|https)://(?:www\.)?(.*)
      traefik.http.middlewares.addhttpswww.redirectregex.replacement: "https://www.$1"
      
# ...

Using the above configuration, I tried accessing the dashboard without success at URLs like:

  • http://traefik.mywebsite.com:8080/ > This site can’t be reached
  • https://traefik.mywebsite.com:8080/ > This site can’t be reached
  • http://www.traefik.mywebsite.com:8080/ > This site can’t be reached
  • https://www.traefik.mywebsite.com:8080/ > This site can’t be reached
  • http://traefik.mywebsite.com/dashboard/ > This site can’t be reached
  • https://traefik.mywebsite.com/dashboard/ > This site can’t be reached
  • http://www.traefik.mywebsite.com/dashboard/ > This site can’t be reached
  • https://www.traefik.mywebsite.com/dashboard/ > This site can’t be reached
  • http://mywebsite.com:8080/ > This site can’t be reached
  • http://www.mywebsite.com:8080/ > This site can’t be reached
  • https://mywebsite.com:8080/ > This site can’t be reached
  • https://www.mywebsite.com:8080/ > This site can’t be reached
  • http://1x2.1y4.2z4.79:8080/dashboard/ > This site can’t be reached
  • https://1x2.1y4.2z4.79:8080/dashboard/ > This site can’t be reached

When I use api.insecure: true then the only URLs that work for accessing the dashboard are:

  • http://1x2.1y4.2z4.79:8080/ > Works but in insecure mode
  • http://1x2.1y4.2x4.79:8080/dashboard/ Works but in insecure mode

Here is the dashboard in insecure mode:

Traefik-ss-01
Traefik-ss-011920×2101 105 KB

Here is the routers detail:

Traefik-ss-02-routers-detail-b
Traefik-ss-02-routers-detail-b2958×1296 252 KB

What am I missing? Do I need another piece of middleware to perform some sort of redirect/mapping?

2

Is the DNS for your domain pointing to the right IP of the Traefik service?

Check and compare to simple Traefik example.

3

I think it's so, but I'm new to Traefik and not so experienced in networking. How can I ensure that the DNS for the domain is pointing to the right IP of the Traefik service?

Maybe, this DNS Zone File content (note: 1x9.1y4.1z1.121 is the IP of the node balancer and reverse proxy) compared to the configuration in my previous message can help:

; mywebsite.com [1913505]
$TTL 86400
@  IN  SOA  ns1.linode.com. my\.email.com. 2021000011 14400 14400 1209600 86400
@  NS  ns1.linode.com.
@  NS  ns2.linode.com.
@  NS  ns3.linode.com.
@  NS  ns4.linode.com.
@  NS  ns5.linode.com.
@  MX  10  mail.mywebsite.com.
@     A  1x9.1y4.1z1.121
mail  A  1x9.1y4.1z1.121
www   A  1x9.1y4.1z1.121
@     AAAA  2xx1:7yy1:1::8zz0:a179
mail  AAAA  2xx1:7yy1:1::8zz0:a179
www   AAAA  2xx1:7yy1:1::8zz0:a179

I seen the linked configuration file and, a part

  • the private network proxy (that in my understanding I'm resolving to the container's host IP with the use of "add-host": host.docker.internal:172.17.0.1, which allows accessing services like database, Redis, etc. that run on the host),
  • the remotion of entrypoints.websecure.asDefault=true (because I'm using Traefik v2), and
  • a different way to handle redirection from http to https (really, in my case, to https://www),

it seems to be functionally the same as mine.

5

I added the following to the DNS settings

traefik      CNAME  mywebsite.com.

And updated the dashboard-related configuration to:

  labels:
    # Dashboard configuration (working only with https://traefik.mywebsite.com/dashboard/, not with http)
    traefik.http.routers.dashboard.rule: Host(`traefik.mywebsite.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
    traefik.http.routers.dashboard.service: api@internal
    traefik.http.routers.dashboard.middlewares: redirect-to-https, auth
    traefik.http.middlewares.auth.basicauth.users: admin:$apr1$9I9yC5hW$dVDLOJHBYsvBne9jn.4Kk1
    traefik.http.routers.dashboard.tls: true
    traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https # <<< Added this

Now the Traefik dashboard seems to work over HTTPS by accessing https://traefik.mywebsite.com/dashboard/.

However, if I access http://traefik.mywebsite.com/dashboard/ then the browser displays a my website page (not the basic login to the Traefik dashboard). I think it's normal as of settings, but I'd like to force the use of/redirect to https for accessing the Traefik dashboard. How to do that?