Connection reset by peer When curl https protocol

Hi everyone,

I’m building a CI system using Traefik and Drone. At first glance, everything seemed fine because both the Traefik and Drone dashboards were working (with https). However, I discovered that the Drone webhook isn’t functioning, and I can’t find any relevant information in the Traefik access logs or error logs.

When I tried running curl -X POST myhttpsDroneroute I received the error: Recv failure: Connection reset by peer. Interestingly, I get the same result when I try to curl any other route with protocol https.

I’m out of ideas at this point. Could someone with more expertise help me figure this out?

The static config: traefik.yml:

api:
  dashboard: true
  insecure: true

log:
  filePath: '/log/traefik.log'
  level: INFO

accessLog:
  filePath: '/log/access.log'

entryPoints:
  web:
    address: ':80'
  websecure:
    address: ':443'
    http:
      tls:
        certResolver: letsencrypt

providers:
  file:
    directory: /data/traefik/config
    watch: true
  docker:
    endpoint: 'unix:///var/run/docker.sock'
    exposedByDefault: false

certificatesResolvers:
  letsencrypt:
    acme:
      email: myemail
      storage: /letsencrypt/acme.json
      dnsChallenge:
        provider: alidns

docker-compose.yml:

services:
  traefik:
    image: traefik:3.3.1
    container_name: traefik
    ports:
      - '80:80'
      - '443:443'
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./letsencrypt:/letsencrypt
      - ./config/static:/etc/traefik
      - ./config/dynamic:/data/traefik/config
      - ./log/:/log/
      - /etc/timezone:/etc/timezone
      - /etc/localtime:/etc/localtime
    environment:
      - ALICLOUD_ACCESS_KEY=myAliCloudAccessKey
      - ALICLOUD_SECRET_KEY=myAliCloudSecretKey
    networks:
      - traefiknet
    labels:
      - 'traefik.enable=true'
      - 'traefik.http.routers.traefik.rule=Host(`mydomian`) && (PathPrefix(`/traefik`) || PathPrefix(`/api`))'
      - 'traefik.http.routers.traefik.service=api@internal'
      - 'traefik.http.routers.traefik.middlewares=traefik-strip,traefik-auth'
      - 'traefik.http.middlewares.traefik-strip.stripprefix.prefixes=/traefik'
      - 'traefik.http.middlewares.traefik-auth.basicauth.users=user:xxxx'

networks:
  traefiknet:
    name: devnet
    external: true

And the dynamic config for Drone CI, which is running in a Docker container within the same network as Traefik:

http:
  routers:
    drone:
      rule: 'Host(`myhttpsDroneroute`)'
      service: drone
      tls: {}
  services:
    drone:
      loadBalancer:
        servers:
          - url: 'innerUrl:80' # protocol: http, path: drone-server, port: 80

Remove

if you want to use the certResolver already assigned to entrypoint.

Add the protocol to URL:

Thanks for your reply. I tried removing tls: {}, but the issue remains the same.

The YAML file content and the curl link are fully compliant with the protocol. However, since Akismet hides posts that include links, I’ve modified them to avoid this issue.

If innerUrl and myhttpsDroneroute include the protocol, then it should work.

The error usually happens when you use http on https port (or https on http port). Is the target service configured correctly?

Enable and check Traefik access in JSON format (doc) during request.

What’s weird about this issue is that requests work fine in the browser, but when I use tools like curl or Postman to simulate a browser request (e.g., to get Drone user info or get traefik version), it always throws a Connection reset error. I’m kinda stuck trying to figure out where the problem actually is.

The error probably happens during the TCP handshake phase. Since the handshake doesn’t even succeed, Traefik doesn’t log anything in the access logs.

curl http://example.com:443 results in Connection reset by peer. So the issue is using http when connecting to a https-only port.

I don't think this is a Traefik issue, as Traefik usually has both http and https working on websecure entrypoints with TLS enabled. (People complained here that they actually can't disable http on websecure.)

Enable and check Traefik debug log (doc). It will show all requests, even TLS failed ones.

Thanks for your patience! I’ve changed the log level to DEBUG, and now I can see the log info when making requests. It says:
TLS handshake error from A_External_IP:51805: write tcp 172.18.0.2:443->A_External_IP:51805: write: connection reset by peer.

By running the docker network inspect command, I found out that 172.18.0.2 is actually the IP of the Traefik container:

{
    "Name": "traefik",
    "EndpointID": "the_id_content",
    "MacAddress": "02:42:ac:12:00:02",
    "IPv4Address": "172.18.0.2/16",
    "IPv6Address": ""
}
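
Added example (not code from any post in this thread): a small Python parser for Traefik debug-log lines of the shape quoted above, separating a socket-level reset during the handshake from plaintext HTTP arriving on the TLS port. All sample lines except the first are constructed, and the two plaintext message strings are assumed Go standard-library wording.

```python
import re
from collections import Counter
# Shape of the line quoted in the thread: "TLS handshake error from <peer>: <detail>".
HANDSHAKE = re.compile(r"TLS handshake error from (?P<peer>\S+?): (?P<detail>.+?)\.?$")
# Go net.OpError text: "<op> tcp <local>-><remote>: <op>: <errno text>".
OP_ERROR = re.compile(r"^(?P<op>read|write) tcp (?P<local>\S+)->(?P<remote>\S+): \w+: (?P<err>.+)$")


def parse_handshake_error(line):
    """Return a dict describing one TLS handshake error line, or None."""
    m = HANDSHAKE.search(line.strip())
    if not m:
        return None
    peer, detail = m.group("peer"), m.group("detail")
    rec = {"peer_ip": peer.rsplit(":", 1)[0], "op": None, "local": None, "detail": detail}
    op = OP_ERROR.match(detail)
    if op:
        rec.update(op=op.group("op"), local=op.group("local"))
        detail = op.group("err")
    if "connection reset by peer" in detail:
        # ECONNRESET: an RST for this socket arrived from the client side of the path.
        rec["cause"] = "tcp_reset"
    elif "does not look like a TLS handshake" in detail or "HTTP request to an HTTPS server" in detail:
        # Assumed Go message texts for plaintext HTTP sent to the TLS port.
        rec["cause"] = "plaintext_on_tls_port"
    elif detail == "EOF":
        rec["cause"] = "peer_closed"
    else:
        rec["cause"] = "other"
    return rec


def summarize(lines):
    """Count (peer_ip, cause) pairs over an iterable of log lines."""
    recs = filter(None, map(parse_handshake_error, lines))
    return Counter((r["peer_ip"], r["cause"]) for r in recs)

# Constructed sample: the first line is the one from the thread, the rest are made up.
SAMPLE = [
    "TLS handshake error from A_External_IP:51805: write tcp 172.18.0.2:443->A_External_IP:51805: write: connection reset by peer.",
    "DBG http: TLS handshake error from 203.0.113.7:40112: tls: first record does not look like a TLS handshake",
    "DBG http: TLS handshake error from 203.0.113.7:40113: EOF",
    "DBG Adding route for myhttpsDroneroute with TLS options default",
]

if __name__ == "__main__":
    for key, count in summarize(SAMPLE).items():
        print(key, count)
```

To run it over the real log, pass the open file, for example `summarize(open('/log/traefik.log'))`; the line from the thread classifies as `tcp_reset` on a `write`, not as plaintext on the TLS port.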