Custom entrypoints not working

[This is the continuation of my portainer edge agent issue, but since this has already looked like a brand new problem, I might just start it here instead]

I was trying to set up my portainer edge agent using my domain (portainer.local.example.com) by creating an entrypoint of port 8000 (the port required by edge agent) and then putting it in the domain's router.

The expected outcome would be:

portainer.local.example.com => portainerserverip:9443
portainer.local.example.com:8000 => portainerserverip:8000

However, it doesn't work and gave back the error:
*192.168.1.200 is NOT the portainer server ip but rather my Traefik instance's

2024/01/27 05:51:01 client: Connecting to ws://portainer.local.example.com:8000
2024/01/27 05:51:01 client: Connection error: dial tcp 192.168.1.200:8000: connect: connection refused
2024/01/27 05:51:01 client: Give up

Things I have already tried:

  • Spin up a test website to test the entrypoint, but when I go to portainer.local.example.com:1010 (which should have given me the website) it gave me this error:

  • Disabling every single header individually and at the same time, doesn't work and still gives the same error

My hypothesis is that portainer is trying to connect with the Traefik server on port 8000 instead of the destination which is the portainer server ip for some reason

Extra details:

  • traefik.yml:
api:
  dashboard: true
  debug: true
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
  portainer_edge_agent:
    address: ":8000"
serversTransport:
  insecureSkipVerify: true
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
  file:
    filename: /config.yml
certificatesResolvers:
  dynu:
    acme:
      email: example@gmail.com
      storage: acme.json
      dnsChallenge:
        provider: dynu
        # delayBeforeCheck: 60
        resolvers:
        - "1.1.1.1:53"
        - "8.8.8.8:53"
  • config.yml (portainer part only):
http:
 #region routers 
  routers:      
    portainer:
      entryPoints:
        - "https"
      rule: "Host(`portainer.local.example.com`)"
      middlewares:
        - default-headers
        - https-redirectscheme
      tls: {}
      service: portainer

    portainer_edge_agent:
      entryPoints:
        - "portainer_edge_agent"
      rule: "Host(`portainer.local.example.com`)"
      middlewares:
        - default-headers
        # - https-redirectscheme
      tls: {}
      service: portainer_edge_agent


#endregion
#region services
  services:
    portainer:
      loadBalancer:
        servers:
          - url: "https://192.168.1.195:9443"
        passHostHeader: true

    portainer_edge_agent:
      loadBalancer:
        servers:
          - url: "http://192.168.1.195:8000"
        passHostHeader: false

#endregion
  middlewares:
    addprefix-pihole:
      addPrefix:
        prefix: "/admin"
    https-redirectscheme:
      redirectScheme:
        scheme: https
        permanent: true
    redirectregex-pihole:
      redirectRegex:
        regex: /admin/$
        replacement: /

    default-headers:
      headers:
        frameDeny: true
        browserXssFilter: true
        contentTypeNosniff: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

    idrac:
      headers:
        frameDeny: true
        browserXssFilter: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsSeconds: 15552000
        customFrameOptionsValue: SAMEORIGIN
        customRequestHeaders:
          X-Forwarded-Proto: https

    default-whitelist:
      ipWhiteList:
        sourceRange:
        - "10.0.0.0/8"
        - "192.168.0.0/16"
        - "172.16.0.0/12"
        - "172.17.0.0/12"
        

    secured:
      chain:
        middlewares:
        - default-whitelist
        - default-headers

You want to make the agent available through Traefik? Traefik running in Docker? Did you open the service/container port?

The answer is yes for all three of these. Well, for the third I don't need to open ports or anything because portainer edge agent will automatically open them, since when setting up using the IP you don't need to open ports. So it shouldn't matter if I use the correct IP

Did you open the Traefik container port 8000? Traefik entrypoint is not enough.
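
An added example, not from the thread, of what publishing the port looks like: the `portainer_edge_agent` entrypoint listens on `:8000` inside the Traefik container, and the host only accepts connections on that port once the container publishes it. The compose file, image tag and mount paths are assumptions, since the thread does not show how Traefik is started.

```yaml
# docker-compose.yml for the Traefik container (constructed for illustration)
services:
  traefik:
    image: traefik:v2.11            # assumed tag; the thread does not state a version
    restart: unless-stopped
    ports:
      # Each entryPoints.<name>.address in traefik.yml needs a matching
      # published port, otherwise the host refuses the connection.
      - "80:80"       # entrypoint "http"
      - "443:443"     # entrypoint "https"
      - "8000:8000"   # entrypoint "portainer_edge_agent"
      # To accept connections on one host address only, prefix it:
      # - "192.168.1.200:8000:8000"
    volumes:
      # Read-only socket: the docker provider only reads container metadata.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/traefik.yml:ro   # static config (entryPoints, providers)
      - ./config.yml:/config.yml:ro     # file provider, matches "filename: /config.yml"
      - ./acme.json:/acme.json          # certificate storage, matches "storage: acme.json"
```

Publish only the entrypoints that have to be reachable from other hosts; a published port is open on every host interface unless a host address is given.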

Ah, I didn't so I opened it but now it's giving me this error:

2024/01/29 15:45:02 client: Connecting to ws://portainer.local.example.com:8000
2024/01/29 15:45:02 client: Connection error: websocket: bad handshake
2024/01/29 15:45:02 client: Give up

I can already go to portainer.local.example.com:8000 and it's giving me the portainer panel instead of an error like previously

Bad handshake is probably something about TLS. You created a certresolver, but you only enabled custom TLS on the router.

I recommend enabling LE on the websecure/https entrypoint directly to make it global for TLS.

Compare to simple Traefik example.
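
The entrypoint-level setup recommended above, as an added example that is not from the thread. It reuses the `dynu` resolver and the `https` entrypoint from the posted traefik.yml; the `domains` block with a wildcard name is an assumption.

```yaml
# traefik.yml (static configuration), entryPoints section only
entryPoints:
  http:
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
  https:
    address: ":443"
    http:
      tls:
        # Every router attached to this entrypoint gets TLS with
        # certificates from the "dynu" resolver by default, so the
        # routers in config.yml no longer need their own tls section.
        certResolver: dynu
        domains:
          # Assumed: one wildcard certificate for the local subdomain,
          # issued through the DNS challenge already configured.
          - main: "local.example.com"
            sans:
              - "*.local.example.com"
  portainer_edge_agent:
    address: ":8000"
```

A router that carries a `tls` section only answers TLS connections, so a client that dials `ws://` rather than `wss://` on an entrypoint will not match a TLS-only router there.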

Can you give an example config of what it should be? I've read it a few times but still couldn't figure it out

This only enables custom loaded TLS certs

use this instead (doc):

      tls:
        certResolver: dynu

I updated the config but sadly it still gives me the same error:

2024/01/29 15:45:02 client: Connecting to ws://portainer.local.example.com:8000
2024/01/29 15:45:02 client: Connection error: websocket: bad handshake
2024/01/29 15:45:02 client: Give up