Catchall router that returns 503 Service Unavailable response code

Hello everybody,

This topic exists to provide an example of a catchall non-TLS router that answers unmatched requests with a 503 Service Unavailable response code. It could be adapted as a TLS router for HTTPS.

The example below is only a file provider version (YAML) of the configuration, so if anyone wants to adapt it for other providers, that would be gladly welcomed.

Static configuration (traefik.yaml):

entrypoints:
  web:
    address: :80

providers:
  file:
    filename: dynamic.yaml

Dynamic configuration (dynamic.yaml):

http:
  routers:
    catchall:
      # attached only to web entryPoint
      entryPoints:
        - "web"
      # catchall rule
      rule: "PathPrefix(`/`)"
      service: unavailable
      # lowest possible priority
      # evaluated when no other router is matched
      priority: 1

  services:
    # Service that will always answer a 503 Service Unavailable response
    unavailable:
      loadBalancer:
        servers: {}

4 Likes
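
The TLS adaptation mentioned in the post above, as an added example that is not part of the original post. It assumes a second entry point named `websecure` on `:443` and a router named `catchall-tls` (both names chosen here) and reuses the `unavailable` service.

```yaml
# --- Static configuration (traefik.yaml) ---
# "websecure" is a name assumed for this example.
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"

providers:
  file:
    filename: dynamic.yaml
---
# --- Dynamic configuration (dynamic.yaml) ---
http:
  routers:
    # Plain HTTP catchall, as in the post above.
    catchall:
      entryPoints:
        - "web"
      rule: "PathPrefix(`/`)"
      service: unavailable
      priority: 1

    # HTTPS catchall: same rule and priority, attached to the TLS entry point.
    catchall-tls:
      entryPoints:
        - "websecure"
      rule: "PathPrefix(`/`)"
      service: unavailable
      priority: 1
      # An empty tls section turns this into an HTTPS router.
      # No certificate is tied to the router, so a request for a host name
      # with no matching certificate is served Traefik's default certificate
      # and the client sees a certificate warning before the 503.
      tls: {}

  services:
    # Service with no servers: always answers 503 Service Unavailable.
    unavailable:
      loadBalancer:
        servers: {}
```

Requests for host names that no other router matches, including a foreign domain pointed at the server's IP, end up on `catchall-tls` and get the 503 instead of the default 404.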

Hey @rtribotte ,

Does it work with the Docker Swarm provider?

OK, this is the solution I found for the Docker Swarm provider:

I've just added these lines:

traefik:
    image: traefik:v2.4
    ...
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.traefik-502.entrypoints=http"
        - "traefik.http.routers.traefik-502.rule=PathPrefix(`/`)"
        - "traefik.http.routers.traefik-502.priority=1"
        - "traefik.http.services.traefik-502.loadbalancer.server.port=0"

With the above code, any unregistered rule, or one with empty backends (no replicas up), will throw 502 instead of 404.

PS: I did not define any service for that; I just mapped the same Traefik service to an invalid port.

Full script here: Traefik fix 502 for empty backends · GitHub

1 Like

This does not work for HTTPS.

Yeah, HTTPS does not work. Any idea how this can also work with an HTTPS entrypoint?

This only works with valid TLS certs, otherwise the browser/client will show an error. So the only thing you could do is catchall on sub-domains (of one domain) via wildcard.

1 Like

What if someone binds my IP to his/her domain? How do I catch that?

You can do a catchall on https/443 with HostSNI(`*`). Traefik will use a default TLS cert. The browser will most probably show an error, but the user can continue. Then catchall works as usual.

You mean a TCP route using HostSNI(`*`)?

Can I use 443 again, since 443 was being used for HTTPS?