I am currently experiencing a very specific issue with one of my services and Traefik. On my phone, every time I restart my browser and try to access my Nextcloud locally, I am getting an ERR_ECH_FALLBACK_CERTIFICATE_INVALID error. If I access any other service on the same host with a different subdomain and then go back to Nextcloud, it works again, but only until I restart the browser again. It doesn't seem to affect any of my other devices. Additionally, the access log or any other log doesn't actually show that my phone even attempts to connect. I also attached my traefik.yml, nextcloud.yaml and plugin configuration files here as well as my compose file, if it is a configuration issue.
compose.yaml
services:
  traefik:
    container_name: traefik
    image: traefik:v3.1
    # Enables the web UI and tells Traefik to listen to docker
    ports:
      # The HTTP port
      - 192.168.178.70:80:80
      - 192.168.178.70:443:443
    restart: always
    volumes:
      # So that Traefik can listen to the Docker events
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik.yml:/etc/traefik/traefik.yml:ro
      - ./dynamic-conf:/etc/traefik/dynamic-conf
      - ./certs:/certs
      - traefik-logs:/var/log/traefik
      - ./captcha.html:/captcha.html:ro
      - ./ban.html:/ban.html
    env_file: .env
    environment:
      - DUCKDNS_TOKEN=${DUCKDNS_TOKEN}
      - CF_API_EMAIL=${CF_API_EMAIL}
      - CF_DNS_API_TOKEN=${CF_DNS_API_TOKEN}
      - TZ=Europe/Berlin
    networks:
      - proxy
    extra_hosts:
      - host.docker.internal:host-gateway
    labels:
      - diun.enable=true
      - traefik.enable=true
      - traefik.docker.network=proxy
      - traefik.http.routers.traefik-dashboard.rule=Host(`traefik.<redacted>`)
      - traefik.http.routers.traefik-dashboard.service=api@internal
      - traefik.http.middlewares.traefik-auth.basicauth.users=${DASHBOARD_CREDENTIALS}
      - traefik.http.routers.traefik-dashboard.middlewares=traefik-auth
networks:
  proxy:
    external: true
volumes:
  traefik-logs: null
traefik.yml
api:
  dashboard: true
certificatesResolvers:
  letsencrypt:
    acme:
      email: <redacted>
      # caServer: https://acme-staging-v02.api.letsencrypt.org/directory
      storage: /certs/acme/alphacraft-cloudflare.json
      dnschallenge:
        provider: cloudflare
        delayBeforeCheck: 60
        # disablePropagationCheck: false
serversTransport:
  insecureSkipVerify: true
entryPoints:
  http:
    # Listen on port 80 for incoming http requests
    address: ":80"
    http:
      redirections:
        entryPoint:
          to: https
          scheme: https
          permanent: true
  https:
    # Listen on port 443 for incoming https requests
    address: ":443"
    AsDefault: true
    http:
      middlewares:
        - cloudflarewarp@file
        - crowdsec@file
      encodeQuerySemicolons: true
      tls:
        certResolver: letsencrypt
        domains:
          - main: "<redacted>"
            sans: "*.<redacted>"
    http3:
      advertisedPort: 443
    forwardedHeaders:
      trustedIPs:
        - "192.168.178.1/24"
        - "192.168.32.1/24"
        - "172.26.0.2"
    proxyProtocol:
      trustedIPs:
        - "192.168.178.1/24"
        - "192.168.32.1/24"
providers:
  file:
    directory: /etc/traefik/dynamic-conf
    watch: true
  docker:
    network: proxy
log:
  level: "INFO"
  filePath: "/var/log/traefik/traefik.log"
accessLog:
  filePath: "/var/log/traefik/access.log"
experimental:
  plugins:
    bouncer:
      moduleName: github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
      version: v1.3.3
    cloudflarewarp:
      modulename: github.com/BetterCorp/cloudflarewarp
      version: v1.3.3
nextcloud.yaml
http:
  routers:
    nextcloud:
      rule: "Host(`<redacted>`)"
      entrypoints:
        - "https"
      service: nextcloud
      middlewares:
        - nextcloud-chain
      # tls: {}
      #   certresolver: "letsencrypt"
  services:
    nextcloud:
      loadBalancer:
        servers:
          - url: "http://192.168.178.70:11000" # Use the host's IP address if Traefik runs outside the host network
  middlewares:
    nextcloud-secure-headers:
      headers:
        hostsProxyHeaders:
          - "X-Forwarded-Host"
        referrerPolicy: "same-origin"
    # https-redirect:
    #   redirectscheme:
    #     scheme: https
    nextcloud-chain:
      chain:
        middlewares:
          # - ... (e.g. rate limiting middleware)
          # - https-redirect
          - nextcloud-secure-headers
crowdsec.yaml
http:
  middlewares:
    crowdsec:
      plugin:
        bouncer:
          enabled: true
          logLevel: INFO
          # updateIntervalSeconds: 60
          # updateMaxFailure: 0
          defaultDecisionSeconds: 60
          httpTimeoutSeconds: 10
          crowdsecMode: live
          crowdsecAppsecEnabled: true
          crowdsecAppsecHost: crowdsec:7422
          crowdsecAppsecFailureBlock: true
          crowdsecAppsecUnreachableBlock: true
          crowdsecLapiKey: <redacted>
          # crowdsecLapiKeyFile: /etc/traefik/cs-privateKey-foo
          crowdsecLapiHost: crowdsec:8080
          crowdsecLapiScheme: http
          # crowdsecLapiTLSInsecureVerify: false
          # crowdsecCapiMachineId: login
          # crowdsecCapiPassword: password
          # crowdsecCapiScenarios:
          #   - crowdsecurity/http-path-traversal-probing
          #   - crowdsecurity/http-xss-probing
          #   - crowdsecurity/http-generic-bf
          forwardedHeadersTrustedIPs:
            - 10.0.10.23/32
            - 10.0.20.0/24
            - 192.168.178.1/24
            - 192.168.32.1/24
          clientTrustedIPs:
            - 192.168.1.0/24
            - 192.168.32.1/24
            - 192.168.178.1/24
          forwardedHeadersCustomName: X-Real-IP
          redisCacheEnabled: false
          captchaProvider: hcaptcha
          captchaSiteKey: <redacted>
          # captchaSecretKey: FIXME
          captchaGracePeriodSeconds: 1800
          captchaHTMLFilePath: /captcha.html
          banHTMLFilePath: /ban.html
cloudflarewarp.yaml
http:
  middlewares:
    cloudflarewarp:
      plugin:
        cloudflarewarp:
          disableDefault: true
          trustip:
            - 192.168.32.1/24
I hope that I haven't missed any important information and that someone is able to help me with the issue. I haven't been able to figure anything out, even after hours of research. Thanks for any help in advance!
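A diagnostic for the ERR_ECH_FALLBACK_CERTIFICATE_INVALID symptom above, added here and not code from the original post: it decodes the ech= parameter of the host's HTTPS DNS record (the ECHConfigList whose public_name Chrome checks the fallback certificate against when the server does not accept ECH) and compares those names with the SANs of the certificate the local Traefik endpoint actually serves. Assumes Python 3.8+ with dig and openssl on PATH; the hostname, the endpoint and the sample record are placeholders or constructed.

```python
# Added diagnostic, not code from the original post. Chrome raises ERR_ECH_FALLBACK_CERTIFICATE_INVALID
# when the HTTPS record advertised ech=, the server declined ECH and its cert lacks the config's public_name.
import base64, re, struct, subprocess

def parse_ech_config_list(raw):
    """Return the public_name of every draft-13 (0xfe0d) ECHConfig in an ECHConfigList."""
    (total,) = struct.unpack("!H", raw[:2])
    body, off, names = raw[2:2 + total], 0, []
    while off + 4 <= len(body):
        version, length = struct.unpack("!HH", body[off:off + 4])
        c, off = body[off + 4:off + 4 + length], off + 4 + length
        if version != 0xFE0D:                       # unknown version: skip it, as clients do
            continue
        (pk_len,) = struct.unpack("!H", c[3:5])     # after config_id(1) and kem_id(2)
        (suites_len,) = struct.unpack("!H", c[5 + pk_len:7 + pk_len])
        pos = 7 + pk_len + suites_len + 1           # skip cipher_suites and maximum_name_length
        names.append(c[pos + 1:pos + 1 + c[pos]].decode("ascii"))
    return names

def ech_public_names(https_record_line):
    """Extract ech=... from one `dig +short HTTPS` line and decode its public names."""
    m = re.search(r'ech="?([A-Za-z0-9+/=]+)"?', https_record_line)
    return parse_ech_config_list(base64.b64decode(m.group(1))) if m else []

def name_matches_san(name, san):
    """DNS-ID match as in RFC 6125: a leading '*' covers exactly one label."""
    name, san = name.lower().rstrip("."), san.lower().rstrip(".")
    if san.startswith("*."):
        return name.count(".") == san.count(".") and name.endswith(san[1:])
    return name == san

def uncovered_public_names(https_record_line, cert_sans):
    """ECH public names the fallback certificate would have to cover but does not."""
    return [n for n in ech_public_names(https_record_line)
            if not any(name_matches_san(n, s) for s in cert_sans)]

def served_sans(host, endpoint):
    """SANs of the certificate the endpoint (ip:port) serves for SNI `host`, via openssl."""
    pem = subprocess.run(["openssl", "s_client", "-servername", host, "-connect", endpoint],
                         input=b"", capture_output=True).stdout
    ext = subprocess.run(["openssl", "x509", "-noout", "-ext", "subjectAltName"],
                         input=pem, capture_output=True).stdout.decode()
    return re.findall(r"DNS:([^,\s]+)", ext)

def sample_record(public_name="ech-public.example"):
    """Constructed dig-style HTTPS line with one draft-13 ECHConfig (not a real record)."""
    pn = public_name.encode()
    contents = (bytes([7]) + struct.pack("!HH", 0x0020, 32) + b"\x00" * 32      # id, X25519, key
                + struct.pack("!HHH", 4, 1, 1) + bytes([64, len(pn)]) + pn + b"\x00\x00")
    cfg = struct.pack("!HH", 0xFE0D, len(contents)) + contents
    return '1 . alpn="h3,h2" ech=' + base64.b64encode(struct.pack("!H", len(cfg)) + cfg).decode()
```

Call uncovered_public_names(record, served_sans(host, "192.168.178.70:443")) with the record from `dig +short HTTPS <host>` resolved on the phone's network, since a split-horizon resolver can return a different HTTPS record than public DNS.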