Error 404 when accessing SSL container

I'm on a docker standalone instance.
I have a traefik stack with secured dashboard: http basic and custom certificates. It works fine.
The dashboard url is https://lb.localhost:8445/dashboard/

Here is my docker compose file for traefik stack:

    version: '3'

    services:
      traefik:
        image: traefik:v3.3.2
        container_name: traefik
        restart: always
        security_opt:
          - no-new-privileges:true
        networks:
          - plannings-net
          - pgadmin-net
        ports:
          - "8445:8445"
          - "8888:8888"
          - "8443:8443"
        labels:
          - "traefik.enable=true"
          - "traefik.http.routers.traefik.rule=Host(`lb.localhost`) && (PathPrefix(`/dashboard/`) || PathPrefix(`/api`))"
          - "traefik.http.routers.traefik.service=api@internal"
          - "traefik.http.routers.traefik.entrypoints=traefik"
          - "traefik.http.routers.traefik.tls=true"
          - "traefik.http.middlewares.test-auth.basicauth.users=lolo:$$2y$$05$$zu27sQFPhA7WZGio8SsUfeMKIlCxVOUVrx59t9ZTTyfZLIvdLuVri,admin:$$2y$$05$$qwwv7sGClPNVhK7GAaSEbeTK8Q7v2QtxVwLAYnZ0tjyrcLuVEt4rO"
          - "traefik.http.routers.traefik.middlewares=test-auth"
        volumes:
          - /var/run/docker.sock:/var/run/docker.sock
          - '/volumes/traefik/traefik.yml:/etc/traefik/traefik.yml'
          - '/volumes/traefik/tls.yml:/etc/traefik/tls.yml'
          - '/volumes/traefik/certs:/certs'

    networks:
      plannings-net:
        external: true
      pgadmin-net:
        external: true

Here is my traefik.yml

    serverTransport:
      insecureSkipVerify: true

    log:
      level: TRACE

    api:
      dashboard: true
      insecure: false

    providers:
      docker:
        endpoint: "unix:///var/run/docker.sock"
        exposedByDefault: false
      file:
        filename: "/etc/traefik/tls.yml"

    accessLog:
      filePath: "/var/log/traefik.log"

    entryPoints:
      traefik:
        address: ":8445"
      springboot:
        address: ":8443"
      pgadmin:
        address: ":8888"

And my tls.yml

    tls:
      certificates:
        - certFile: "/certs/traefik.crt"
          keyFile: "/certs/traefik.key"
          stores:
            - default

I want to add a docker stack which is essentially a spring boot container listening on port 8443 and serving https content. The associated certificates are built into the container. So no need for traefik tls actions. I just want to forward the https traffic on port 8443 to the spring boot container.
The associated url will be https://planning.localhost:8443

Here is my docker compose file for this stack:

    app-planning:
      image: 'app-planning:1.48'
      build:
        context: .
      container_name: app-planning
      volumes:
        - '/volumes/logs:/app/logs'
      depends_on:
        - db-planning
      restart: always
      # ports:
      #   - "8443:8443"
      expose:
        - "8443"  # Expose port 8443 so that Traefik can reach it
      environment:
        - SPRING_DATASOURCE_URL=jdbc:postgresql://db-planning:5432/horaires
        - SPRING_DATASOURCE_USERNAME=ZEUZER
        - SPRING_DATASOURCE_PASSWORD=ZEPASSWD
      networks:
        - plannings-net
      labels:
        - "traefik.enable=true"
        - "traefik.http.routers.plannings.rule=Host(`planning.localhost`)"
        - "traefik.http.routers.plannings.entrypoints=springboot"
        - "traefik.http.routers.plannings.tls=false"
        - "traefik.http.services.plannings.loadbalancer.server.port=8443"
        - "traefik.http.services.plannings.loadbalancer.server.scheme=https"

When I try to access https://planning.localhost:8443 I get a 404 error and the certificate is wrong: it is a self-signed certificate generated by Traefik.

Can you help me?

Thanks in advance.

If you want to proxy/forward TLS encrypted traffic without touching it, use a dedicated entrypoint with a TCP router with .rule=HostSNI(`*`) and a TCP service.

Do not activate or use any TLS options, as Traefik might create a custom TLS cert then.

Thanks for your reply.

I replaced the labels by these lines:

    labels:
      - "traefik.enable=true"
      # - "traefik.http.routers.plannings.rule=Host(`planning.localhost`)"
      # - "traefik.http.routers.plannings.entrypoints=springboot"
      # - "traefik.http.routers.plannings.tls=true"
      # - "traefik.http.services.plannings.loadbalancer.server.port=8443"
      # - "traefik.http.services.plannings.loadbalancer.server.scheme=https"
      - "traefik.tcp.routers.plannings.rule=HostSNI(`planning.localhost`)"
      - "traefik.tcp.routers.plannings.entrypoints=springboot"
      - "traefik.tcp.routers.plannings.tls=false"
      - "traefik.tcp.services.plannings.loadbalancer.server.port=8443"

And got this error in Traefik's log:

2025-02-05 10:00:14 2025-02-05T09:00:14Z ERR github.com/traefik/traefik/v3/pkg/server/router/tcp/manager.go:300 > error="invalid rule: "HostSNI(planning.localhost)" , has HostSNI matcher, but no TLS on router" entryPointName=springboot routerName=plannings@docker

If I comment this line:

     - "traefik.tcp.routers.plannings.tls=false"

Same error.

I replaced HostSNI(`planning.localhost`) with HostSNI(`*`) and it works now.

But how to route 2 domains on same entrypoint to 2 different SSL backed containers?

You can't have different target services on a single port, if Traefik has no access to the used TLS certs, as they are required to decrypt the request and the HostSNI.

Indeed, it's logical...

Thank you for your support.
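
For the two-domain case asked about above, Traefik's TCP routers have a `tls.passthrough` option: the router matches `HostSNI` against the server name the client sends in its TLS ClientHello and forwards the still-encrypted stream, so the certificates stay in the containers. This is an added example, not code from any poster in this thread; `app-other`, its image tag and `other.localhost` are hypothetical, the remaining names come from the posts above.

```yaml
# Added example (not from the thread): two TLS backends behind one entrypoint.
# "springboot" (:8443), "plannings-net" and "app-planning" come from the posts;
# "app-other", its image tag and "other.localhost" are hypothetical.
services:
  app-planning:
    image: 'app-planning:1.48'
    expose:
      - "8443"
    networks:
      - plannings-net
    labels:
      - "traefik.enable=true"
      # A HostSNI rule with a hostname needs TLS enabled on the TCP router.
      - "traefik.tcp.routers.plannings.rule=HostSNI(`planning.localhost`)"
      - "traefik.tcp.routers.plannings.entrypoints=springboot"
      # passthrough enables TLS on the router without terminating it:
      # Traefik reads the SNI, then hands the raw stream to the backend.
      - "traefik.tcp.routers.plannings.tls.passthrough=true"
      - "traefik.tcp.services.plannings.loadbalancer.server.port=8443"

  app-other:
    image: 'app-other:1.0'        # hypothetical second TLS backend
    expose:
      - "8443"
    networks:
      - plannings-net
    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.other.rule=HostSNI(`other.localhost`)"
      - "traefik.tcp.routers.other.entrypoints=springboot"
      - "traefik.tcp.routers.other.tls.passthrough=true"
      - "traefik.tcp.services.other.loadbalancer.server.port=8443"

networks:
  plannings-net:
    external: true
```

In passthrough mode Traefik never sees the HTTP request, so HTTP routers and middlewares such as basicauth do not apply to these backends, and the certificate the client validates is the one served by each container.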
