Consul connect, backend in https instead http

Traefik Traefik v2
1

Hello,
Following this thread, I'm looking for explanations and help.

Configurations:

  • Ubuntu 20.04
  • Nomad 1.1.6
  • Consul 1.10.3
  • Traefik 2.5.3

Problem is, when I used consul connect to communicate between app and database. Traefik have strange behavior (for me, I don't know... :pensive:)

Traefik send to wrong port, it sends to connect-proxy-traccar port instead of webinterface port like indicate in nomad job.

I need to add this tag to my nomad job:

"traefik.http.services.domain.loadbalancer.server.port=${NOMAD_HOST_PORT_webinterface}"

With this, traefik sends to right port, but new problem! :partying_face:

Backend is now en in https instead of http !

Capture d’écran 2021-10-30 à 19.49.52
Capture d’écran 2021-10-30 à 19.49.521930×898 105 KB

And I have beautiful Internal server error when I check in my browser.

Traefik job:

job "traefik.domain.tld" {
  region = "global"
  datacenters = ["dc1"]
  type = "service"
   update {
     max_parallel     = 1
     canary           = 1
     min_healthy_time = "10s"
     healthy_deadline = "5m"
     auto_revert      = true
     auto_promote     = true
     health_check     = "checks"
     stagger          = "30s"
   }
  group "traefik.domain.tld" {

    count = 1

    restart {
      attempts = 10
      interval = "5m"
      delay = "10s"
      mode = "delay"
    }

    ephemeral_disk {
        size = 300
        sticky = "true"
        migrate = true
    }

    network {
      port "traefik_ssl_ui" {
        to = 443
        static = 443
      }
      port "traefik_ui" {
        to = 80
        static = 80
      }
    }

    service {
      name = "traefik"
      port = "traefik_ssl_ui"
      tags = [
        "traefik.enable=true",
                "traefik.http.routers.traefikdomaintld.tls=true",
                "traefik.http.routers.traefikdomaintld.tls.certresolver=myresolver",
                "traefik.http.routers.traefikdomaintld.tls.options=mintls12@file",
                "traefik.http.routers.traefikdomaintld.entrypoints=https",
                "traefik.http.routers.traefikdomaintld.rule=Host(`traefik.domain.tld`)",

                "traefik.http.middlewares.traefikdomaintld.redirectscheme.scheme=https",
                "traefik.http.middlewares.traefikdomaintld.redirectscheme.permanent=true",
                "traefik.http.middlewares.traefikdomaintld-headers.headers.customResponseHeaders.X-Robots-Tag=all",
                "traefik.http.middlewares.traefikdomaintld-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=63072000",
                "traefik.http.middlewares.traefikdomaintld-headers.headers.frameDeny=true",
                "traefik.http.middlewares.traefikdomaintld-headers.headers.browserXssFilter=true",
                "traefik.http.middlewares.traefikdomaintld-headers.headers.contentTypeNosniff=true",
                "traefik.http.middlewares.traefikdomaintld-headers.headers.stsIncludeSubdomains=true",
                "traefik.http.middlewares.traefikdomaintld-headers.headers.stsPreload=true",
                "traefik.http.middlewares.traefikdomaintld-headers.headers.stsSeconds=31536000",
                "traefik.http.middlewares.traefikdomaintld-headers.headers.forceSTSHeader=true",
                "traefik.http.middlewares.traefikdomaintld-headers.headers.accessControlMaxAge=15552000",
                "traefik.http.middlewares.traefikdomaintld-headers.headers.customFrameOptionsValue=SAMEORIGIN",
                "traefik.http.middlewares.traefikdomaintld-basicauth.basicauth.users=xxx:xxx",
                "traefik.http.routers.traefikdomaintld.middlewares=traefikdomaintld-basicauth@consulcatalog,traefikdomaintld-headers@consulcatalog",

        "traefik.http.routers.traefikdomaintld.service=api@internal",
        "traefik.consulcatalog.connect=false"
      ]

      check {
        name     = "traefik"
        type     = "tcp"
        interval = "10s"
        timeout  = "2s"
      }
    }

    task "traefik" {

      driver = "docker"

      config {
        image = "traefik:latest"

        ports = ["traefik_ui", "traefik_ssl_ui"]
        volumes = [
          "local/traefik.toml:/etc/traefik/traefik.toml",
                    "local/traefik_tls.toml:/etc/traefik/traefik_tls.toml",
                    "/data/traefik.domain.tld/letsencrypt:/letsencrypt",
                    "/data/traefik.domain.tld/conf:/conf",
                    "/data/traefik.domain.tld/logs:/logs"
        ]

      }

      template {
        change_mode = "noop"
        destination = "local/traefik_tls.toml"
        data = <<EOH
[tls.options]
  [tls.options.mintls13]
    minVersion = "VersionTLS13"

  [tls.options.mintls12]
    minVersion = "VersionTLS12"
    cipherSuites = [
      # "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
      # "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
      "TLS_AES_256_GCM_SHA384",
      "TLS_CHACHA20_POLY1305_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      # "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      # "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
    ]
    curvePreferences = [
      "CurveP521",
      "CurveP384"
    ]
    sniStrict = true

EOH
      }

      template {
        change_mode = "noop"
        destination = "local/traefik.toml"
        data = <<EOH
[global]
  checkNewVersion = false
  sendAnonymousUsage = false

[entryPoints]
  [entryPoints.http]
    address = ":80"
    [entryPoints.http.http]
      [entryPoints.http.http.redirections]
        [entryPoints.http.http.redirections.entrypoint]
          to = "https"
          scheme = "https"
  [entryPoints.https]
    address = ":443"

[api]
  dashboard = true
  insecure  = true
#   debug = true

[metrics]
  [metrics.prometheus]
    buckets = [0.1,0.3,1.2,5.0]
    entryPoint = "https"

[log]
  # level = "warn"
  # level = "info"
  level = "debug"

[accessLog]
  filePath = "/logs/access.log"
  bufferingSize = 1000

[certificatesResolvers.myresolver.acme]
  email = "admin@quanticware.com"
  storage = "/letsencrypt/acme.json"
  [certificatesResolvers.myresolver.acme.httpChallenge]
    entryPoint = "http"

[providers.consulCatalog]
  prefix           = "traefik"
  exposedByDefault = false
  connectAware = true
  connectByDefault = true

  [providers.consulCatalog.endpoint]
    address = "172.17.0.1:8500"
    scheme  = "http"

  [providers.file]
    filename = "/etc/traefik/traefik_tls.toml"

EOH
      }

      resources {
        cpu    = 256
        memory = 256
      }
    }
  }
}

I see in somes theards consul native parameters and ACL, ok, but for my case, If I just want traefik sends web traffic to right port and with http scheme to avoid Internal Server Error

Thanks for your help! :sos: :pleading_face:

2

Hello @Fred-gb and thanks for your interest in Traefik,

Have you tried to set the following tag traefik.http.services.domain.loadbalancer.server.scheme=http?

Hope this helps!

3

Hello,

Thanks @kevinpollet for your answer.

Yes I tried. But doesn't work :sob:

This is what I tried as tags on my nomad job traccar app:

"traefik.enable=true",
"traefik.http.routers.domaintld.entrypoints=https",
"traefik.http.routers.domaintld.rule=Host(`domain.tld`)",
"traefik.http.routers.domaintld.tls=true",
"traefik.http.routers.domaintld.tls.certresolver=myresolver",
"traefik.http.routers.domaintld.tls.options=mintls12@file",
"traefik.http.services.domaintld.loadbalancer.server.port=${NOMAD_HOST_PORT_webinterface}",
"traefik.http.services.domaintld.loadbalancer.server.scheme=http"

As I said, doesn't work.

I'm lost. :sos:

Thanks

4

I checked the code and if the connect feature is enabled the scheme is forced to https (see traefik/config.go at v2.5 · traefik/traefik · GitHub).

Have you enabled the connect feature?

If that's the case I'm not sure to understand why the connection should be not secured?
Could you explain what you are trying to achieve?

5

Could you explain what you are trying to achieve?

a long time ago in a 'ansible' galaxy far far away

Simply, I would like to deploy an app like traccar in this case.

Traccar needs mariadb.

So I tried to used with Nomad + Consul, the consul connect system. It's work fine, Traccar connect to mariadb. :fireworks:

But I'm unable to access to web interface via https://... I've got Internal Server Error

This is due to backend switch to https instead http.

Since long time, when I deploy an simple app without external database with Nomad + Consul + Traefik, the backend is in http and all works fine. I can access to web interface.

But now I try to use consul connect to secure connection between app and database, Traefik, and I don't know why switch to https the backend, why?! I don't ask it for that.

You said is in code, ok, but for my case how I can avoid this behavior or, what I can do to prevent against Internal Server Error

My Traefik configuration for consul:

[providers.consulCatalog]
  prefix           = "traefik"
  exposedByDefault = false
  connectAware = true
  connectByDefault = true

  [providers.consulCatalog.endpoint]
    address = "172.17.0.1:8500"
    scheme  = "http"

Consul connect is enable on my server, I use it with success to link app > database.

In Traefik nomad job I tried:

      connect {
        native = true
      }

Tags for Traefik job:

"traefik.enable=true",
"traefik.http.routers.domaintld.tls=true",
"traefik.http.routers.domaintld.tls.certresolver=myresolver",
"traefik.http.routers.domaintld.tls.options=mintls12@file",
"traefik.http.routers.domaintld.entrypoints=https",
"traefik.http.routers.domaintld.rule=Host(`domain.tld`)",
"traefik.http.middlewares.domaintld.redirectscheme.scheme=https",
"traefik.http.middlewares.domaintld.redirectscheme.permanent=true",
"traefik.http.middlewares.domaintld-headers.headers.customResponseHeaders.X-Robots-Tag=all",
"traefik.http.middlewares.domaintld-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=63072000",
"traefik.http.middlewares.domaintld-headers.headers.frameDeny=true",
"traefik.http.middlewares.domaintld-headers.headers.browserXssFilter=true",
"traefik.http.middlewares.domaintld-headers.headers.contentTypeNosniff=true",
"traefik.http.middlewares.domaintld-headers.headers.stsIncludeSubdomains=true",
"traefik.http.middlewares.domaintld-headers.headers.stsPreload=true",
"traefik.http.middlewares.domaintld-headers.headers.stsSeconds=31536000",
"traefik.http.middlewares.domaintld-headers.headers.forceSTSHeader=true",
"traefik.http.middlewares.domaintld-headers.headers.accessControlMaxAge=15552000",
"traefik.http.middlewares.domaintld-headers.headers.customFrameOptionsValue=SAMEORIGIN",
"traefik.http.middlewares.domaintld-basicauth.basicauth.users=xxx:xxx",
"traefik.http.routers.domaintld.middlewares=domaintld-basicauth@consulcatalog,domaintld-headers@consulcatalog",
"traefik.http.routers.domaintld.service=api@internal"

Tags for traccar job:

"traefik.enable=true",
"traefik.http.routers.traccardomaintld.tls=true",
"traefik.http.routers.traccardomaintld.tls.certresolver=myresolver",
"traefik.http.routers.traccardomaintld.tls.options=mintls12@file",
"traefik.http.routers.traccardomaintld.entrypoints=https",
"traefik.http.routers.traccardomaintld.rule=Host(`traccar.domain.tld`)",
"traefik.http.middlewares.traccardomaintld.redirectscheme.scheme=https",
"traefik.http.middlewares.traccardomaintld.redirectscheme.permanent=true",
"traefik.http.middlewares.traccardomaintld-headers.headers.customResponseHeaders.X-Robots-Tag=all",
"traefik.http.middlewares.traccardomaintld-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=63072000",
"traefik.http.middlewares.traccardomaintld-headers.headers.frameDeny=true",
"traefik.http.middlewares.traccardomaintld-headers.headers.browserXssFilter=true",
"traefik.http.middlewares.traccardomaintld-headers.headers.contentTypeNosniff=true",
"traefik.http.middlewares.traccardomaintld-headers.headers.stsIncludeSubdomains=true",
"traefik.http.middlewares.traccardomaintld-headers.headers.stsPreload=true",
"traefik.http.middlewares.traccardomaintld-headers.headers.stsSeconds=31536000",
"traefik.http.middlewares.traccardomaintld-headers.headers.forceSTSHeader=true",
"traefik.http.middlewares.traccardomaintld-headers.headers.accessControlMaxAge=15552000",
"traefik.http.middlewares.traccardomaintld-headers.headers.customFrameOptionsValue=SAMEORIGIN",
"traefik.http.routers.traccardomaintld.middlewares=traccardomaintld-headers@consulcatalog"

All tags are retrieve in jinja template I used for ansible playbook, template I used since long time, for all my apps.

Hope it's understandable.

Help me! :dog:

6

As you are enabling the connectByDefault option, Traefik will secure every backend connection by default (which is ok as consul connect is used to secure the connection between each infrastructure resources).

If I understand correctly you are trying to expose the Traccar dashboard through Traefik. Therefore, Traccar seems to be not connect aware which is why the dashboard is exposed through http and not https and that's why it is not working.

Is it possible to configure Traccar to expose through https by using the consul connect certs?

If not, I would add the traefik.consulcatalog.connect=false (more details in the documentation) tag to the Traccar service to be able to serve it through http and secure the connection by default between Traefik and consul connect aware services.

7

Hello,

Yes, connectByDefaultis set to true. As you seen my configuration in my post above?

I try to add traefik.consulcatalog.connect=falseand is stranger! Because, I have now backend in http but no routers appears in traefik dashboard. And I have this error in logs:

time="2021-11-04T12:42:42Z" level=error msg="Router defined multiple times with different configurations in [traccar-traccar-nomad-task-c4f66b93-6640-56bd-afbc-adf61becd661-group-app-traccar-webinterface traccar-traccar-sidecar-proxy-nomad-task-c4f66b93-6640-56bd-afbc-adf61becd661-group-app-traccar-webinterface-sidecar-proxy]" providerName=consulcatalog routerName=domaintld

And Traccar not proposes to have https, It have to used reverseproxy for that.

8

That's because by default the sidecar proxy added inherit the tags from the parent service. As those tags contain the Traefik configuration the duplicated router error is raised (Connect - Sidecar Service Registration | Consul by HashiCorp).

Can you try to define an empty tags array in the sidecar_service configuration?

By the way, I'm thinking that maybe by adding the Traefik tags only to the sidecar proxy it could be possible to secure the connection between Traefik and Traccar.

9

I tried to add Tags "zob" to sidecar service, because empty tag is same as "null" and do nothing.
So with zob tag, nothing appears in traefik at all, but in logs:

time="2021-11-04T13:17:42Z" level=debug msg="Filtering disabled item" serviceName=traccar-sidecar-proxy providerName=consulcatalog
time="2021-11-04T13:17:42Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=consul
time="2021-11-04T13:17:42Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=database
time="2021-11-04T13:17:42Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=database-sidecar-proxy
time="2021-11-04T13:17:42Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=nomad-clients
time="2021-11-04T13:17:42Z" level=debug msg="Filtering disabled item" serviceName=nomad-servers providerName=consulcatalog

      "Services": [
        {
          "Name": "traccar",
          "TaskName": "",
          "PortLabel": "webinterface",
          "AddressMode": "auto",
          "EnableTagOverride": false,
          "Tags": [
            "traefik.enable=true",
            "traefik.http.routers.domaintld.tls=true",
            "traefik.http.routers.domaintld.tls.certresolver=myresolver",
            "traefik.http.routers.domaintld.tls.options=mintls12@file",
            "traefik.http.routers.domaintld.entrypoints=https",
            "traefik.http.routers.domaintld.rule=Host(`domain.tld`)",
            "traefik.http.middlewares.domaintld.redirectscheme.scheme=https",
            "traefik.http.middlewares.domaintld.redirectscheme.permanent=true",
            "traefik.http.middlewares.domaintld-headers.headers.customResponseHeaders.X-Robots-Tag=all",
            "traefik.http.middlewares.domaintld-headers.headers.customResponseHeaders.Strict-Transport-Security=max-age=63072000",
            "traefik.http.middlewares.domaintld-headers.headers.frameDeny=true",
            "traefik.http.middlewares.domaintld-headers.headers.browserXssFilter=true",
            "traefik.http.middlewares.domaintld-headers.headers.contentTypeNosniff=true",
            "traefik.http.middlewares.domaintld-headers.headers.stsIncludeSubdomains=true",
            "traefik.http.middlewares.domaintld-headers.headers.stsPreload=true",
            "traefik.http.middlewares.domaintld-headers.headers.stsSeconds=31536000",
            "traefik.http.middlewares.domaintld-headers.headers.forceSTSHeader=true",
            "traefik.http.middlewares.domaintld-headers.headers.accessControlMaxAge=15552000",
            "traefik.http.middlewares.domaintld-headers.headers.customFrameOptionsValue=SAMEORIGIN",
            "traefik.http.routers.domaintld.middlewares=domaintld-headers@consulcatalog"
          ],
          "CanaryTags": null,
          "Checks": null,
          "Connect": {
            "Native": false,
            "SidecarService": {
              "Tags": [
                "zob"
              ],
              "Port": "",
              "Proxy": {
                "LocalServiceAddress": "",
                "LocalServicePort": 0,
                "Upstreams": [
                  {
                    "DestinationName": "database",
                    "LocalBindPort": 3306,
                    "Datacenter": "",
                    "LocalBindAddress": "",
                    "MeshGateway": null
                  }
                ],
                "Expose": null,
                "Config": null
              },
              "DisableDefaultTCPCheck": false
            },
            "SidecarTask": null,
            "Gateway": null
          },
          "Meta": null,
          "CanaryMeta": null,
          "Namespace": "default",
          "OnUpdate": "require_healthy"
        }
10

In consul dashboard, traccar service appears, but only with tags assign to service.

All tags add to sidecar_service not appears in consul.

That is problematic that sidecar_proxy inherit tags of his parents. because in my case sidecar is used to communicate between traccar and it database, not for traefik.

11

Can you try to add the traefik.enable=false tag to the sidecar proxy to filter it?

12

Not working.

Added, now, no routers or services appears in traefik for traccar.

time="2021-11-04T14:10:42Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=nomad-clients
time="2021-11-04T14:10:42Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=nomad-servers
time="2021-11-04T14:10:42Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=traccar-sidecar-proxy
time="2021-11-04T14:10:42Z" level=debug msg="Filtering disabled item" serviceName=consul providerName=consulcatalog
time="2021-11-04T14:10:42Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=database
time="2021-11-04T14:10:42Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=database-sidecar-proxy
time="2021-11-04T14:10:42Z" level=debug msg="Filtering disabled item" serviceName=traccar-traccar-nomad-task-c4f66b93-6640-56bd-afbc-adf61becd661-group-app-traccar-webinterface-sidecar-proxy providerName=consulcatalog

I'm looking for skip security verification for traefik backend, maybe?

13

Those services are filtered because the exposedByDefault option is set to false and only the Traccar service as the traefik.enable tag set to true which looks good.

If no router is available in Traefik, I think that's because there is a configuration issue.

Could you paste the complete Traefik logs to check if an error is raised?

14

I have only this in loop in logs:

time="2021-11-04T14:30:27Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=database
time="2021-11-04T14:30:27Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=database-sidecar-proxy
time="2021-11-04T14:30:27Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=nomad-clients
time="2021-11-04T14:30:27Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=nomad-servers
time="2021-11-04T14:30:27Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=traccar-sidecar-proxy
time="2021-11-04T14:30:27Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=consul
time="2021-11-04T14:30:27Z" level=debug msg="Filtering disabled item" providerName=consulcatalog serviceName=traccar-traccar-nomad-task-c4f66b93-6640-56bd-afbc-adf61becd661-group-app-traccar-webinterface-sidecar-proxy
time="2021-11-04T14:30:27Z" level=debug msg="Configuration received from provider consulcatalog: {\"http\":{\"routers\":{\"traefikdomaintld\":{\"entryPoints\":[\"https\"],\"middlewares\":[\"traefikdomaintld-basicauth@consulcatalog\",\"traefikdomaintld-headers@consulcatalog\"],\"service\":\"api@internal\",\"rule\":\"Host(`traefik.traccar.domain.tld`)\",\"tls\":{\"options\":\"mintls12@file\",\"certResolver\":\"myresolver\"}}},\"services\":{\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"https://xxxx:443\"}],\"passHostHeader\":true,\"serversTransport\":\"tls-default-dc1-traefik\"}}},\"middlewares\":{\"traefikdomaintld\":{\"redirectScheme\":{\"scheme\":\"https\",\"permanent\":true}},\"traefikdomaintld-basicauth\":{\"basicAuth\":{\"users\":[\"xxxxx\"]}},\"traefikdomaintld-headers\":{\"headers\":{\"customResponseHeaders\":{\"Strict-Transport-Security\":\"max-age=63072000\",\"X-Robots-Tag\":\"all\"},\"accessControlMaxAge\":15552000,\"stsSeconds\":31536000,\"stsIncludeSubdomains\":true,\"stsPreload\":true,\"forceSTSHeader\":true,\"frameDeny\":true,\"customFrameOptionsValue\":\"SAMEORIGIN\",\"contentTypeNosniff\":true,\"browserXssFilter\":true}}},\"serversTransports\":{\"tls-default-dc1-traefik\":{\"serverName\":\"default-dc1-traefik\",\"insecureSkipVerify\":true,\"peerCertURI\":\"spiffe:///ns/default/dc/dc1/svc/traefik\"}}},\"tcp\":{},\"udp\":{}}" providerName=consulcatalog
time="2021-11-04T14:30:27Z" level=info msg="Skipping same configuration" providerName=consulcatalog
15

So the traefikdomaintld router is well configured.

time="2021-11-04T14:30:27Z" level=debug msg="Configuration received from provider consulcatalog: {\"http\":{\"routers\":{\"traefikdomaintld\":{\"entryPoints\":[\"https\"],\"middlewares\":[\"traefikdomaintld-basicauth@consulcatalog\",\"traefikdomaintld-headers@consulcatalog\"],\"service\":\"api@internal\",\"rule\":\"Host(`traefik.traccar.domain.tld`)\",\"tls\":{\"options\":\"mintls12@file\",\"certResolver\":\"myresolver\"}}},\"services\":{\"traefik\":{\"loadBalancer\":{\"servers\":[{\"url\":\"https://xxxx:443\"}],\"passHostHeader\":true,\"serversTransport\":\"tls-default-dc1-traefik\"}}},\"middlewares\":{\"traefikdomaintld\":{\"redirectScheme\":{\"scheme\":\"https\",\"permanent\":true}},\"traefikdomaintld-basicauth\":{\"basicAuth\":{\"users\":[\"xxxxx\"]}},\"traefikdomaintld-headers\":{\"headers\":{\"customResponseHeaders\":{\"Strict-Transport-Security\":\"max-age=63072000\",\"X-Robots-Tag\":\"all\"},\"accessControlMaxAge\":15552000,\"stsSeconds\":31536000,\"stsIncludeSubdomains\":true,\"stsPreload\":true,\"forceSTSHeader\":true,\"frameDeny\":true,\"customFrameOptionsValue\":\"SAMEORIGIN\",\"contentTypeNosniff\":true,\"browserXssFilter\":true}}},\"serversTransports\":{\"tls-default-dc1-traefik\":{\"serverName\":\"default-dc1-traefik\",\"insecureSkipVerify\":true,\"peerCertURI\":\"spiffe:///ns/default/dc/dc1/svc/traefik\"}}},\"tcp\":{},\"udp\":{}}" providerName=consulcatalog

But the scheme is still https, are you sure that the traefik.consulcatalog.connect=false tag is added to the Traccar service?

16

:partying_face: :raised_hands: :beers: :sun_with_face: :fireworks: :tada: :confetti_ball: :trophy:

Added this to traefik tags of traccar service:

"traefik.consulcatalog.connect=false",
"traefik.http.services.domaintld.loadbalancer.server.port=${NOMAD_HOST_PORT_webinterface}"

After lots of changes in tags, I forgot traefik.consulcatalog.connect=false as you said.

So in traefik dashboard, backend is now in http and I can access to web interface through traefik.
webinterface port I needed to force port by tag to avoid

So happy now. :star_struck:

But, do you think if exists solution to communicate traefik and backend in https without Internet Server Error? Just an idea, not necessary.

Thanks a lots @kevinpollet :hugs:

1 Like
17

I would check if it is possible to leverage the sidecar proxy to send https request to the Traccar dashboard as consul connect should allow to secure the connection without changing the app.

18

ok, thanks, hope it will be possible!

19

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.