When using basic-auth on a container, it authenticates as expected. However, even when successfully authenticating, it logs a
"GET /manifest.json HTTP/2.0" 401
in access.log. I am not sure why this happens, since the user authenticates successfully. The problem is that fail2ban counts this as a 401 error, so it bans me after I successfully authenticate a few times. Here are the docker-compose files for Traefik and one of the offending containers.
#Traefik docker-compose
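# Compose file for the Traefik v2.4 reverse proxy: terminates TLS on 443,
# redirects plain HTTP on 80, and serves its own dashboard behind basic auth.
version: '3'
services:
  traefik:
    image: traefik:v2.4
    container_name: traefik
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    networks:
      - t2_proxy
    ports:
      # Quoted so the mappings are always parsed as strings.
      - "80:80"
      - "443:443"
    volumes:
      - /etc/localtime:/etc/localtime:ro
      # NOTE(review): ":ro" only protects the socket file itself; any process
      # that can connect to it still has full access to the Docker API.
      # Consider a socket proxy that exposes only the read-only endpoints
      # Traefik needs.
      - /var/run/docker.sock:/var/run/docker.sock:ro
      # user:hash entries read by the basicauth middlewares (Traefik side only).
      - ./data/usersfile:/usersfile:ro
      - ./data/traefik.yml:/traefik.yml:ro
      # Holds the ACME account key and certificate private keys; keep it
      # readable by its owner only (mode 600) on the host.
      - ./data/acme.json:/acme.json
      # Traefik and access logs land here so fail2ban on the host can read them.
      - ./data/log:/var/log
    labels:
      - "traefik.enable=true"
      # Plain-HTTP router: only redirects to HTTPS.
      - "traefik.http.routers.traefik.entrypoints=web"
      - "traefik.http.routers.traefik.rule=Host(`domain.host.com`)"
      # Absolute path matching the /usersfile mount above, so the lookup does
      # not depend on the container's working directory.
      - "traefik.http.middlewares.traefik-auth.basicauth.usersfile=/usersfile"
      # redirectscheme.scheme is the URL scheme ("https"), not the name of an
      # entrypoint; "websecure" here would produce websecure:// redirects.
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      # HTTPS router: dashboard/API, protected by basic auth.
      - "traefik.http.routers.traefik-secure.entrypoints=websecure"
      - "traefik.http.routers.traefik-secure.rule=Host(`domain.host.com`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
networks:
  t2_proxy:
    external: true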
#Traefik config traefik.yml
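# Static Traefik configuration (mounted at /traefik.yml by the compose file).
api:
  dashboard: true
entryPoints:
  web:
    address: ":80"
  websecure:
    address: ":443"
providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    # Containers are routed only when they carry traefik.enable=true.
    exposedByDefault: false
certificatesResolvers:
  http:
    acme:
      email: e@mail.com
      # Relative path; presumably resolves to the /acme.json mount because the
      # container's working directory is "/" - confirm.
      storage: acme.json
      httpChallenge:
        entrypoint: web
log:
  filePath: "/var/log/traefik.log"
  level: WARN
accessLog:
  # Absolute path, consistent with log.filePath above and with the
  # ./data/log:/var/log mount, instead of a working-directory-relative one.
  filePath: "/var/log/access.log"
  filters:
    # Only 4xx responses are written. With basicauth this includes the 401
    # challenge returned to any request that arrives without an Authorization
    # header, not only requests carrying wrong credentials.
    # NOTE(review): browsers may fetch some sub-resources (for example a web
    # app manifest) without credentials, which would log a 401 even for a
    # logged-in user - confirm, and tune the fail2ban filter or thresholds so
    # such challenge responses are not counted as failed logins.
    statusCodes:
      - "400-499"
    retryAttempts: true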
Now one of the offending containers:
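# Compose file for the FileBot container, published through Traefik at
# https://example.com/filebot behind basic auth.
version: '3'
services:
  filebot:
    image: jlesage/filebot
    container_name: filebot
    restart: unless-stopped
    environment:
      - USER_ID=1000
      - GROUP_ID=1003
    security_opt:
      - no-new-privileges:true
    networks:
      - t2_proxy
    # No host ports are published; the service is reachable only via Traefik.
    # ports:
    #   - "9000:9000"
    volumes:
      # - /etc/localtime:/etc/localtime:ro
      # NOTE(review): the basicauth middleware is evaluated by Traefik, which
      # reads the users file from its own container. This mount looks
      # unnecessary and exposes the password hashes to this container -
      # confirm and remove.
      - /home/example/docker/prod.traefik2.4/data/usersfile:/usersfile:ro
      - ./config:/config:rw
      - /mnt/ellison0/media:/storage/ellisonmedia:rw
      - /mnt/herbert0/media:/storage/herbertmedia:rw
    labels:
      - "traefik.enable=true"
      # web routers
      - "traefik.http.routers.filebot.entrypoints=websecure"
      - "traefik.http.routers.filebot.rule=Host(`example.com`) && PathPrefix(`/filebot{regex:$$|/.*}`)"
      - "traefik.http.routers.filebot.service=filebot"
      - "traefik.http.routers.filebot.tls=true"
      - "traefik.http.routers.filebot.tls.certresolver=http"
      # middlewares
      # - "traefik.http.routers.filebot.middlewares=filebot-auth"
      - "traefik.http.routers.filebot.middlewares=filebot-stripprefix,filebot-auth"
      - "traefik.http.middlewares.filebot-stripprefix.stripprefix.prefixes=/filebot"
      - "traefik.http.middlewares.filebot-stripprefix.stripprefix.forceSlash=false"
      # auth middleware
      # - "traefik.http.routers.filebot.middlewares=filebot-auth"
      # Path as seen inside the Traefik container (its compose file mounts the
      # users file at /usersfile), made absolute so it does not depend on
      # Traefik's working directory.
      - "traefik.http.middlewares.filebot-auth.basicauth.usersfile=/usersfile"
      # - "traefik.http.middlewares.filebot-auth.basicauth.removeheader=true"
      # services
      - "traefik.http.services.filebot.loadbalancer.server.port=5800"
networks:
  t2_proxy:
    external: true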
Thank you for your attention and advice in advance.