Gitea loadbalancer service not found (Traefik v2.0)

Hi,

I'm hoping that someone can give me a hand with this. I am loving Traefik 2.0 but I cannot for the life of me get it working with Gitea. If anyone could lend me a helping hand it would be much appreciated. Without the load balancer configuration Traefik binds to port 22 as Gitea also exposes an SSH server.

My configuration is as follows:

version: "3"

services:
  reverse-proxy:
    image: traefik:v2.0
    container_name: traefik
    command: 
      - "--log.level=DEBUG"
      - "--api.insecure=true"
      - "--providers.docker"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./user_auth:/user_auth
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.api.rule=Host(`traefik.dev.net`)"
      - "traefik.http.routers.api.service=api@internal"
      - "traefik.http.routers.api.entrypoints=web"
      - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"

  gitea:
    image: gitea/gitea:latest
    environment:
      - USER_UID=1000
      - USER_GID=1000
      - RUN_MODE=dev
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.gitea.rule=Host(`git.dev.net`)"
      - "traefik.http.routers.gitea.entrypoints=web"
      - "traefik.http.routers.gitea.service=gitea-service"
      - "traefik.http.routers.gitea-secure.rule=Host(`git.dev.net`)"
      - "traefik.http.routers.gitea-secure.entrypoints=websecure"
      - "traefik.http.routers.gitea-secure.service=gitea-service"
      - "traefik.http.services.gitea-service.loadbalancer.server.port=3000"
      - "traefik.http.services.gitea-service.loadbalancer.server.scheme=http"

I can access Gitea over HTTP with "git.dev.net"; however, when I access it over HTTPS I get a 404 error from Traefik.
The error messages that come up in the Traefik logs are these, but I can't make any sense of them:

traefik          | time="2019-09-28T16:47:46Z" level=debug msg="Configuration received from provider docker: {\"http\":{\"routers\":{\"api\":{\"entryPoints\":[\"web\"],\"service\":\"api@internal\",\"rule\":\"Host(`traefik.dev.net`)\"},\"gitea\":{\"entryPoints\":[\"web\"],\"service\":\"gitea-service\",\"rule\":\"Host(`git.dev.net`)\"},\"gitea-secure\":{\"entryPoints\":[\"websecure\"],\"service\":\"gitea-service\",\"rule\":\"Host(`git.dev.net`)\"}},\"middlewares\":{\"https-redirect\":{\"redirectScheme\":{\"scheme\":\"https\"}}},\"services\":{\"gitea-service\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.128.3:3000\"}],\"passHostHeader\":true}},\"reverse-proxy_traefik-tests\":{\"loadBalancer\":{\"servers\":[{\"url\":\"http://192.168.128.2:80\"}],\"passHostHeader\":true}}}},\"tcp\":{}}" providerName=docker
traefik          | time="2019-09-28T16:47:46Z" level=debug msg="Added outgoing tracing middleware api@internal" middlewareName=tracing middlewareType=TracingForwarder entryPointName=web routerName=api@docker
traefik          | time="2019-09-28T16:47:46Z" level=debug msg="Creating middleware" serviceName=gitea-service entryPointName=web routerName=gitea@docker middlewareName=pipelining middlewareType=Pipelining
traefik          | time="2019-09-28T16:47:46Z" level=debug msg="Creating load-balancer" serviceName=gitea-service entryPointName=web routerName=gitea@docker
traefik          | time="2019-09-28T16:47:46Z" level=debug msg="Creating server 0 http://192.168.128.3:3000" serverName=0 routerName=gitea@docker serviceName=gitea-service entryPointName=web
traefik          | time="2019-09-28T16:47:46Z" level=debug msg="Added outgoing tracing middleware gitea-service" entryPointName=web routerName=gitea@docker middlewareName=tracing middlewareType=TracingForwarder
traefik          | time="2019-09-28T16:47:46Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=web
traefik          | time="2019-09-28T16:47:46Z" level=debug msg="Creating middleware" middlewareName=pipelining middlewareType=Pipelining entryPointName=websecure routerName=gitea-secure@docker serviceName=gitea-service
traefik          | time="2019-09-28T16:47:46Z" level=debug msg="Creating load-balancer" entryPointName=websecure routerName=gitea-secure@docker serviceName=gitea-service
traefik          | time="2019-09-28T16:47:46Z" level=debug msg="Creating server 0 http://192.168.128.3:3000" entryPointName=websecure routerName=gitea-secure@docker serviceName=gitea-service serverName=0
traefik          | time="2019-09-28T16:47:46Z" level=debug msg="Added outgoing tracing middleware gitea-service" middlewareType=TracingForwarder routerName=gitea-secure@docker entryPointName=websecure middlewareName=tracing
traefik          | time="2019-09-28T16:47:46Z" level=debug msg="Creating middleware" middlewareName=traefik-internal-recovery middlewareType=Recovery entryPointName=websecure
traefik          | time="2019-09-28T16:47:46Z" level=debug msg="No default certificate, generating one"
traefik          | time="2019-09-28T16:47:53Z" level=debug msg="Serving default certificate for request: \"git.dev.net\""
traefik          | time="2019-09-28T16:47:53Z" level=debug msg="http: TLS handshake error from 192.168.128.1:39340: remote error: tls: bad certificate"
traefik          | time="2019-09-28T16:48:43Z" level=debug msg="Serving default certificate for request: \"git.dev.net\""

Well, you are trying to make an https request to an http router; this is not gonna work.

I wonder if it makes sense for the Traefik team to check the port number on router entrypoints and, if a non-https http router had 443 anywhere in an entrypoint port number, to spit a warning in the log? It would help people find what they forgot to configure.

Hi,
My understanding was that the HTTPS connection was to Traefik and then Traefik forwards an HTTP request to Gitea? I have a similar setup for a wordpress site

wordpress:
  image: wordpress:latest
  container_name: wordpress
  depends_on:
    - wordpress-db
  environment:
    WORDPRESS_DB_HOST: wordpress-db:3306
    WORDPRESS_DB_USER: ${WORDPRESS_DB_USER}
    WORDPRESS_DB_PASSWORD: ${WORDPRESS_DB_PASSWORD}
    WORDPRESS_DB_NAME: wordpress
  volumes:
    - wordpress:/var/www/html
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.wordpress.rule=Host(`www.${DOMAIN}`) || Host(`${DOMAIN}`)"
    - "traefik.http.routers.wordpress.entrypoints=web"
    - "traefik.http.routers.wordpress.middlewares=https-redirect"
    - "traefik.http.routers.wordpress-secure.rule=Host(`www.${DOMAIN}`) || Host(`${DOMAIN}`)"
    - "traefik.http.routers.wordpress-secure.entrypoints=websecure"
    - "traefik.http.routers.wordpress-secure.tls.certresolver=myhttpchallenge"

This works fine, and when you look at the service in the API dashboard the backend is listening on port 80 only. So I don't understand why this won't work with Gitea.

That's right.

This is also right.

I'm guessing the crucial thing to understand here is that 80 and 443 are just numbers, and it's just a convention that 80 is for http and 443 is for https. Nothing prevents one from serving https on 80 or http on 443, and you are trying to do the latter.

So you need to tell traefik in your configuration your intention. Without that it would not know that you mean it to use https.

Try this without changing your configuration as presented in the OP: navigate to http://git.dev.net:443 - that should work.

Having understood that, change the router configuration from serving http to serving https and you are good to go.

I hope this clears it up.

Visiting http://git.dev.net:443 does indeed work!
I think I understand what you're saying so I will have a play. Thanks for the help

@zespri's answer was too cryptic for my level of understanding!
@HelloWorld - any chance you could post your fixed config?

@marengaz if you did not understand a point or two, it's okay to ask to clarify. Is there anything in particular that did not make sense? Remember, we are talking not about your situation, we are discussing the specific config that was given in the OP.

Hi @zespri - would you mind clarifying which label(s) in the config precisely cause http traffic to be served through port 443? Also the amendment necessary to swap schemes to the conventional ports?
As far as I can see, this is analogous to the recommended config like in the blog?

@marengaz it goes like this:

  • - "--entrypoints.websecure.address=:443" causes entry point websecure to be on port 443
  • - "traefik.http.routers.gitea-secure.entrypoints=websecure" causes the router to use the websecure entrypoint
  • When you do not specify any configuration to use TLS it does not use TLS, and none was specified for this router.

The end result is that the service is accessible on 443 (after applying specified routing rules) but it's http.

Pretty much. If you scroll down to "2 — Enabling Automatic Certificate Generation" section it will give you:

- "traefik.http.routers.my-app.tls.certresolver=le"
- "traefik.http.routers.my-app.entrypoints=websecure"

Note that we switched the context here: we are now talking about the blog post, not about the OP configuration. So the first line here makes the router TLS, because it now receives TLS configuration.

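A sketch of the log warning suggested earlier in the thread, as an added example (not code from Traefik or from any poster): it reads the entrypoint flags and router labels quoted above and reports routers attached to a port-443 entrypoint that carry no `tls` option, which is the state of `gitea-secure` in the OP. The function names and the port-443 heuristic are assumptions of this example.

```python
import re

# Constructed sample input: flags and labels copied from the configs quoted in this thread.
TRAEFIK_ARGS = ["--entrypoints.web.address=:80", "--entrypoints.websecure.address=:443"]
LABELS = [
    "traefik.http.routers.gitea.entrypoints=web",
    "traefik.http.routers.gitea-secure.rule=Host(`git.dev.net`)",
    "traefik.http.routers.gitea-secure.entrypoints=websecure",
    "traefik.http.routers.gitea-secure.service=gitea-service",
    "traefik.http.routers.wordpress-secure.entrypoints=websecure",
    "traefik.http.routers.wordpress-secure.tls.certresolver=myhttpchallenge",
]

ENTRYPOINT_RE = re.compile(r"^--entrypoints\.([^.=]+)\.address=.*:(\d+)$", re.I)
ROUTER_RE = re.compile(r"^traefik\.http\.routers\.([^.=]+)\.([^=]+)=(.*)$", re.I)


def entrypoint_ports(args):
    """Map entrypoint name -> listening port, from Traefik static CLI flags."""
    ports = {}
    for arg in args:
        m = ENTRYPOINT_RE.match(arg.strip())
        if m:
            ports[m.group(1).lower()] = int(m.group(2))
    return ports


def plaintext_routers(args, labels, https_ports=(443,)):
    """Return (router, entrypoint, port) for routers on an https port with no TLS option."""
    ports = entrypoint_ports(args)
    routers = {}
    for label in labels:
        m = ROUTER_RE.match(label.strip())
        if not m:
            continue
        name, option, value = m.group(1), m.group(2).lower(), m.group(3)
        info = routers.setdefault(name, {"entrypoints": [], "tls": False})
        if option == "entrypoints":
            info["entrypoints"] += [e.strip().lower() for e in value.split(",")]
        elif option == "tls":  # explicit tls=true on the router
            info["tls"] = info["tls"] or value.strip().lower() == "true"
        elif option.startswith("tls."):  # e.g. tls.certresolver implies a TLS router
            info["tls"] = True
    return sorted(
        (name, ep, ports[ep])
        for name, info in routers.items() if not info["tls"]
        for ep in info["entrypoints"] if ports.get(ep) in https_ports
    )
```

Adding `traefik.http.routers.gitea-secure.tls=true`, or a `tls.certresolver` label as the wordpress router has, clears the finding for `gitea-secure`.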