Hello,
I'm trying to migrate my setup from Traefik 1.7 to 2.1 and I came across an issue regarding https backends.
In the following example I have one http backend (the Traefik dashboard) and two https backends (Unifi-Controller and Heimdall). Traefik applies a wildcard certificate to all of these services, and with the following configuration this all works fine.
stack.yaml
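# Swarm stack for Traefik 1.7 fronting the dashboard, Unifi-Controller and
# Heimdall. Nesting restored to the Compose v3 layout; values are unchanged.
version: '3.7'

services:
  traefik:
    image: traefik:1.7
    ports:
      - "80:80"
      - "443:443"
    networks:
      - web
    volumes:
      # The Docker socket gives this container full control of the Docker
      # daemon on the manager node (effectively root on the host). A
      # read-only bind does not restrict API calls; a filtering socket
      # proxy is the usual way to narrow this.
      - /var/run/docker.sock:/var/run/docker.sock
      - config:/etc/traefik/
    configs:
      - source: config
        target: /etc/traefik/traefik.toml
    secrets:
      # Certificate and private key arrive as Swarm secrets under
      # /run/secrets rather than being baked into the image or a volume.
      - source: wildcard.{{ host_domain }}.crt
        target: /run/secrets/wildcard.{{ host_domain }}.crt
      - source: wildcard.{{ host_domain }}.key
        target: /run/secrets/wildcard.{{ host_domain }}.key
    deploy:
      labels:
        # Publishes the dashboard (port 8080) under its own hostname. No
        # authentication label is set here, so anyone who can reach the
        # hostname can reach the dashboard.
        - "traefik.enable=true"
        - "traefik.port=8080"
        - "traefik.frontend.rule=Host:traefik.{{ host_domain }}"
      placement:
        constraints:
          - node.role == manager

  unifi:
    image: linuxserver/unifi-controller:LTS
    ports:
      - "2004:8080"
      - "6789:6789"
      - "3478:3478/udp"
      - "10001:10001/udp"
    networks:
      - web
    deploy:
      labels:
        # https backend: Traefik re-encrypts to port 8443. The backend
        # certificate is not verified while traefik.toml keeps
        # InsecureSkipVerify = true.
        - "traefik.enable=true"
        - "traefik.port=8443"
        - "traefik.protocol=https"
        - "traefik.frontend.rule=Host:unifi.{{ host_domain }}"

  heimdall:
    # ":latest" is a floating tag; pinning a version or digest keeps
    # redeployments reproducible and makes image changes reviewable.
    image: linuxserver/heimdall:latest
    networks:
      - web
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.port=443"
        - "traefik.protocol=https"
        - "traefik.frontend.rule=Host:heimdall.{{ host_domain }}"

networks:
  web:
    external: true

volumes:
  config:

configs:
  config:
    file: ./traefik.toml

secrets:
  wildcard.{{ host_domain }}.crt:
    external: true
  wildcard.{{ host_domain }}.key:
    external: true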
traefik.toml
# Traefik 1.7 static configuration.

# Verbose logging for troubleshooting; lower the level once the setup is
# stable, since DEBUG output is detailed.
debug = true
logLevel = "DEBUG"

defaultEntryPoints = ["http", "https"]

# Turns off certificate verification for every https backend: Traefik will
# accept whatever certificate a backend presents. Trusting the backends' CA
# (rootCAs) is the stricter alternative when the backends use private certs.
InsecureSkipVerify = true

[entryPoints]
  # Port 80 only redirects to the https entry point.
  [entryPoints.http]
  address = ":80"
    [entryPoints.http.redirect]
    entryPoint = "https"

  # Port 443 terminates TLS with the wildcard certificate from Swarm secrets.
  [entryPoints.https]
  address = ":443"
    [entryPoints.https.tls]
      [entryPoints.https.tls.defaultCertificate]
      certFile = "/run/secrets/wildcard.{{ host_domain }}.crt"
      keyFile = "/run/secrets/wildcard.{{ host_domain }}.key"

# API/dashboard enabled; no authentication is configured in this section.
[api]

[docker]
domain = "{{ host_domain }}"
swarmMode = true
swarmModeRefreshSeconds = 30
network = "web"
# Only services carrying traefik.enable=true are exposed.
exposedByDefault = false
I've tried to replicate this setup with Traefik 2.1 and succeeded for the most part except for one service.
Heimdall in Chrome had multiple errors like this:
Mixed Content: The page at 'https://heimdall.server.lan/' was loaded over HTTPS, but requested an insecure favicon 'http://heimdall.server.lan/favicon-96x96.png'. This request has been blocked; the content must be served over HTTPS.
Meanwhile Unifi-Controller, whose backend also uses https, still works perfectly.
This is with the following configuration:
config_static.yaml
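# Traefik 2.1 static configuration. Nesting restored; values are unchanged.
log:
  # DEBUG is useful while migrating; lower it afterwards.
  level: DEBUG

api:
  # insecure: true serves the API and dashboard without authentication on
  # the built-in "traefik" entry point (port 8080 by default). The stack
  # already routes the dashboard through api@internal, so this can normally
  # be false.
  insecure: true
  dashboard: true
  # debug: true adds the /debug/ profiling endpoints to the API.
  debug: true

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

serversTransport:
  # Disables certificate verification for all https backends: Traefik will
  # accept any certificate a backend presents. Listing the backends' CA
  # under serversTransport.rootCAs is the stricter alternative.
  insecureSkipVerify: true

providers:
  file:
    # NOTE(review): the Traefik v2 file provider documents `directory` and
    # `filename` as mutually exclusive; keep only one of them.
    directory: /etc/traefik
    filename: dynamic.yaml
  docker:
    # Only services labelled traefik.enable=true are exposed.
    exposedByDefault: false
    network: web
    swarmMode: true
    swarmModeRefreshSeconds: "30s"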
config_dynamic.yaml
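# Traefik 2.1 dynamic configuration (file provider): global http -> https
# redirect plus the default TLS certificate and options. Nesting restored;
# values are unchanged.
http:
  routers:
    http-catchall:
      rule: HostRegexp(`{host:.+}`)
      entryPoints: [http,https]
      middlewares: [redirect-to-https]
      service: https-redirect
      priority: 1
      # NOTE(review): per the Traefik v2 router docs, a router with a tls
      # section handles TLS requests only. Confirm that plain-HTTP requests
      # on the "http" entry point are really redirected and not served in
      # cleartext by another router.
      tls: {}

  services:
    # Placeholder target; the redirect middleware is expected to answer
    # before a request is forwarded here.
    https-redirect:
      loadBalancer:
        servers:
          - url: http://localhost/

  middlewares:
    redirect-to-https:
      redirectScheme:
        scheme: https
        permanent: true

tls:
  stores:
    default:
      defaultCertificate:
        # Wildcard certificate and key mounted from Swarm secrets.
        certFile: /run/secrets/wildcard.{{ host_domain }}.crt
        keyFile: /run/secrets/wildcard.{{ host_domain }}.key
  options:
    default:
      # Clients that cannot negotiate TLS 1.3 are refused.
      minVersion: VersionTLS13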
stack.yaml
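# Swarm stack for Traefik 2.1 fronting the dashboard, Unifi-Controller and
# Heimdall. Nesting restored to the Compose v3 layout; values are unchanged.
version: '3.7'

services:
  traefik:
    image: traefik:2.1
    ports:
      - "80:80"
      - "443:443"
    networks:
      - web
    volumes:
      # The Docker socket gives this container full control of the Docker
      # daemon on the manager node (effectively root on the host). A
      # read-only bind does not restrict API calls; a filtering socket
      # proxy is the usual way to narrow this.
      - /var/run/docker.sock:/var/run/docker.sock
      - config:/etc/traefik/
    configs:
      - source: static
        target: /etc/traefik/traefik.yaml
      - source: dynamic
        target: /etc/traefik/dynamic.yaml
    secrets:
      - source: wildcard.{{ host_domain }}.crt
        target: /run/secrets/wildcard.{{ host_domain }}.crt
      - source: wildcard.{{ host_domain }}.key
        target: /run/secrets/wildcard.{{ host_domain }}.key
    deploy:
      labels:
        # Dashboard router -> api@internal. No middlewares label (for
        # example a basicAuth middleware) is attached, so the dashboard is
        # reachable without authentication by anyone who can reach this
        # hostname.
        - "traefik.enable=true"
        - "traefik.http.services.traefik.loadbalancer.server.port=8080"
        - "traefik.http.routers.traefik.rule=Host(`traefik.{{ host_domain }}`)"
        - "traefik.http.routers.traefik.service=api@internal"
      placement:
        constraints:
          - node.role == manager

  unifi:
    image: linuxserver/unifi-controller:LTS
    ports:
      - "2004:8080"
      - "6789:6789"
      - "3478:3478/udp"
      - "10001:10001/udp"
    networks:
      - web
    deploy:
      labels:
        # https backend on 8443; its certificate is not verified while the
        # static config keeps serversTransport.insecureSkipVerify: true.
        # NOTE(review): none of the routers in this file sets an
        # entrypoints or tls label; confirm which entry points they bind to
        # and whether they are meant to answer TLS requests.
        - "traefik.enable=true"
        - "traefik.http.services.unifi.loadbalancer.server.port=8443"
        - "traefik.http.services.unifi.loadbalancer.server.scheme=https"
        - "traefik.http.routers.unifi.rule=Host(`unifi.{{ host_domain }}`)"

  heimdall:
    # ":latest" is a floating tag; pinning a version or digest keeps
    # redeployments reproducible and makes image changes reviewable.
    image: linuxserver/heimdall:latest
    networks:
      - web
    deploy:
      labels:
        - "traefik.enable=true"
        - "traefik.http.services.heimdall.loadbalancer.server.port=443"
        - "traefik.http.services.heimdall.loadbalancer.server.scheme=https"
        - "traefik.http.routers.heimdall.rule=Host(`heimdall.{{ host_domain }}`)"

networks:
  web:
    external: true

volumes:
  config:

configs:
  static:
    file: ./config_static.yaml
  dynamic:
    file: ./config_dynamic.yaml

secrets:
  wildcard.{{ host_domain }}.crt:
    external: true
  wildcard.{{ host_domain }}.key:
    external: true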
Does anyone know why I'm having this problem?