Application is inaccessible besides the Traefik dashboard

Hi there! I'm having trouble running an application behind HTTPS. The certificate generates successfully with Let's Encrypt. Locally the app runs great on every route, /manager and /auth/admin. When adding the SSL layer, the only route working properly is the Traefik dashboard at /dashboard. The other ones return 404 codes and the logs show me nothing, not even errors... Am I not understanding the basics of Traefik? Am I missing something obvious? Sorry, this is my first time setting up a reverse proxy with SSL, apologies in advance for the trouble.

I tried to modify this original version which only works locally: ragapp/deployments/multiple-ragapps/docker-compose.yml at main · ragapp/ragapp · GitHub

And my updated version is as follows:


services:
  traefik:
    image: "traefik:v3.1"
    ports:
      - "80:80"
      - "443:443"  # Add port 443 for HTTPS
    labels:
      - traefik.enable=true
      - traefik.docker.network=ragapp-network
      # Keycloak OpenID plugin configuration
      - traefik.http.middlewares.ragapp-keycloakopenid.plugin.keycloakopenid.KeycloakURL=https://intelligence.patagonian.com/auth
      - traefik.http.middlewares.ragapp-keycloakopenid.plugin.keycloakopenid.ClientID=ragapp
      - traefik.http.middlewares.ragapp-keycloakopenid.plugin.keycloakopenid.ClientSecret=jh4yDlJ5QsBSafVNaqqLxEG3vKcYyNgD
      - traefik.http.middlewares.ragapp-keycloakopenid.plugin.keycloakopenid.KeycloakRealm=ragapp
      - traefik.http.middlewares.ragapp-keycloakopenid.plugin.keycloakopenid.Scope=openid
      # Admin authentication middleware
      - traefik.http.middlewares.ragapp-keycloakopenid.plugin.keycloakopenid.UserClaimName=X-Forwarded-Roles
      - traefik.http.middlewares.ragapp-keycloakopenid.plugin.keycloakopenid.UserHeaderName=roles
      - traefik.http.middlewares.admin-auth.plugin.headauth.header.name=roles
      - traefik.http.middlewares.admin-auth.plugin.headauth.allowed[0]=[admin-manager]
      - traefik.http.middlewares.admin-auth.plugin.headauth.methods[0]=GET
      - traefik.http.middlewares.admin-auth.plugin.headauth.methods[1]=POST
      - traefik.http.middlewares.admin-auth.plugin.headauth.methods[2]=PUT
      - traefik.http.middlewares.admin-auth.plugin.headauth.methods[3]=DELETE
      # Uncomment the following lines if you want to use Basic Auth
      # - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME:-admin}:${HASHED_PASSWORD:-$$apr1$$3gG256rA$$BomHrC/uMhL807k/t7Wd6/}
      # Add Let's Encrypt and domain-specific configuration
      - traefik.http.routers.traefik-https.rule=Host(`intelligence.patagonian.com`)
      - traefik.http.routers.traefik-https.entrypoints=websecure
      - traefik.http.routers.traefik-https.tls=true
      - traefik.http.routers.traefik-https.tls.certresolver=myresolver
      - traefik.http.routers.traefik-https.service=api@internal
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # - ${STATE_DIR}/traefik/traefik.yml:/traefik_config.yml:ro
      - ./letsencrypt:/letsencrypt # Mount for Let's Encrypt data
    command:
      #- --configFile=/traefik_config.yml
      - --api.dashboard=true
      - --log.level=DEBUG
      - --accesslog=true
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --certificatesresolvers.myresolver.acme.httpchallenge=true
      - --certificatesresolvers.myresolver.acme.httpchallenge.entrypoint=web
      - --certificatesresolvers.myresolver.acme.email=benjamin.bascary@patagoniansys.com
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json
      - --experimental.plugins.keycloakopenid.moduleName=github.com/Gwojda/keycloakopenid
      - --experimental.plugins.keycloakopenid.version=v0.1.34
      - --experimental.plugins.headauth.moduleName=github.com/poloyacero/headauth
      - --experimental.plugins.headauth.version=v0.0.1
    networks:
      - ragapp-network

  keycloak:
    image: quay.io/keycloak/keycloak:25.0.2
    command: start-dev --import-realm --hostname=https://intelligence.patagonian.com/auth
    ports:
      - "8080:8080"
    labels:
      - traefik.enable=true
      - traefik.http.services.keycloak.loadbalancer.server.port=8080
      - traefik.http.routers.keycloak.rule=PathPrefix(`/auth`)
      - traefik.http.middlewares.keycloak-strip-path.stripprefix.prefixes=/auth
      - traefik.http.routers.keycloak.middlewares=keycloak-strip-path
    environment:
      - KEYCLOAK_ADMIN=admin
      - KEYCLOAK_ADMIN_PASSWORD=admin
    volumes:
      - ${STATE_DIR}/keycloak/example/:/opt/keycloak/data/
    networks:
      - ragapp-network
    depends_on:
      - traefik

  manager:
    image: ${MANAGER_IMAGE:-ragapp/manager:latest}
    build: ../../src/manager
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ${STATE_DIR}:/app/data
    environment:
      - BASE_URL=/manager
      - RAGAPP_IMAGE=${RAGAPP_IMAGE:-ragapp/ragapp:latest}
      - CHAT_REQUEST_LIMIT_THRESHOLD=20
      - STATE_DIR=${STATE_DIR}
      - STATE_DIR_LOCAL=/app/data
    labels:
      - traefik.enable=true
      - traefik.http.services.app.loadbalancer.server.port=8000
      - traefik.http.routers.admin-manager.rule=PathPrefix(`/manager`)
      - traefik.http.middlewares.strip-manager-path.stripprefix.prefixes=/manager
      - traefik.http.routers.admin-manager.middlewares=ragapp-keycloakopenid,admin-auth,strip-manager-path
    networks:
      - ragapp-network
    depends_on:
      - traefik
      - keycloak

networks:
  ragapp-network:
    name: ragapp-network

What do the Traefik debug log and Traefik access log tell you? What does the Traefik dashboard tell you? Are the target services recognized?

And maybe for starters you should strip the whole config down, remove plugins, then re-add them bit by bit. Compare to a simple Traefik example.
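An offline way to run the "are the target services recognized?" check over the router labels from the question, as an added example that is not part of either post or of Traefik. It is a simplified model and assumes only three Traefik behaviours: a router without explicit entrypoints uses the default entrypoint, a router with `tls` set handles only HTTPS requests (and one without it only plain HTTP), and the default priority is the length of the rule string. The function names are hypothetical.

```python
import re

# Router labels copied from the compose file in the question (middleware labels omitted).
LABELS = [
    "traefik.http.routers.traefik-https.rule=Host(`intelligence.patagonian.com`)",
    "traefik.http.routers.traefik-https.entrypoints=websecure",
    "traefik.http.routers.traefik-https.tls=true",
    "traefik.http.routers.traefik-https.service=api@internal",
    "traefik.http.routers.keycloak.rule=PathPrefix(`/auth`)",
    "traefik.http.routers.admin-manager.rule=PathPrefix(`/manager`)",
]
ENTRYPOINT = "websecure"  # port 443, also the default (--entrypoints.websecure.asDefault=true)

def parse_routers(labels):
    """Group traefik.http.routers.<name>.<option>=<value> labels by router name."""
    routers = {}
    for label in labels:
        m = re.match(r"traefik\.http\.routers\.([^.]+)\.([^=]+)=(.*)$", label)
        if m:
            name, option, value = m.groups()
            routers.setdefault(name, {})[option.lower()] = value
    return routers

def rule_matches(rule, host, path):
    """Evaluate the two matchers used on this page: Host(`h`) and PathPrefix(`p`)."""
    kind, arg = re.match(r"(\w+)\(`([^`]*)`\)$", rule).groups()
    if kind == "Host":
        return host == arg
    if kind == "PathPrefix":
        return path.startswith(arg)
    raise ValueError(f"matcher not handled in this sketch: {kind}")

def route(routers, host, path, tls):
    """Return the router that takes a request on ENTRYPOINT, or None (a 404)."""
    candidates = []
    for name, r in routers.items():
        is_tls = any(k == "tls" or k.startswith("tls.") for k in r)
        eps = r.get("entrypoints", ENTRYPOINT).split(",")
        if ENTRYPOINT in eps and is_tls == tls and rule_matches(r["rule"], host, path):
            # Without an explicit priority, the longest rule string wins.
            candidates.append((int(r.get("priority", len(r["rule"]))), name))
    return max(candidates)[1] if candidates else None

def report(routers, host="intelligence.patagonian.com"):
    """Which router answers each HTTPS path mentioned in the question."""
    return {p: route(routers, host, p, tls=True) for p in ("/dashboard/", "/manager", "/auth/admin")}
```

In this model every HTTPS path on the host resolves to `traefik-https`, whose service is `api@internal`; the `keycloak` and `admin-manager` routers carry no `tls` option, and their `PathPrefix` rules are shorter than the `Host` rule.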