Help with 404 error

sucre182 · February 15, 2024, 6:05pm

Having trouble with a 404 page not found error with traefik / docker, getting it with hostname and ip address (local & public). A & CNAME records configured in Cloudflare (currently grey mode). Port forwarding on router to server for 8008 (http) and 8443 (https) because 80 & 443 are already taken on network by other server.

Confirmed with cn -vz x.x.x.x port that ports are open and available:


Connection to 192.168.0.201 port 8443 [tcp/pcsync-https] succeeded!

Connection to 1.2.3.4 port 8443 [tcp/pcsync-https] succeeded!

Connection to traefik.domain.com port 8443 [tcp/pcsync-https] succeeded!

Not sure what I’m screwing up and where exactly, so hopefully my configs below will give more insights. Also adding pastebin for traefik.log here.

Hope someone can point me in the right direction? Thx!

docker-compose.yml

version: "3.9"

services:
  traefik:
    image: traefik:v2.10
    container_name: traefik
    restart: always
    networks:
      - proxy
    ports:
      - 8008:80
      - 8443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $DOCKERDIR/appdata/traefik/traefik.yml:/traefik.yml:ro
      - $DOCKERDIR/appdata/traefik/configs:/configs:ro
      - $DOCKERDIR/appdata/traefik/acme/acme.json:/acme.json:rw
      - $DOCKERDIR/appdata/traefik/logs:/logs:rw
    environment:
      - CF_DNS_API_TOKEN=${CLOUDFLARE_DNS_API}
      - TRAEFIKADMIN=${TRAEFIKADMIN}
    read_only: true
    security_opt:
      - no-new-privileges=true
    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik-https.entrypoints=https
      - traefik.http.routers.traefik-https.rule=Host(`traefik.domain.com`)
      - traefik.http.middlewares.traefik-auth.basicauth.users={$TRAEFIKADMIN}
      - traefik.http.routers.traefik-https.middlewares=traefik-auth
      - traefik.http.routers.traefik-https.service=api@internal
      - traefik.http.routers.traefik-https.tls.certresolver=letsencrypt
      - traefik.http.routers.traefik-https.tls.domains[0].main=domain.com
      - traefik.http.routers.traefik-https.tls.domains[0].sans=*.domain.com

networks:
  proxy:
    external: {}

traefik.yml

api:
 dashboard: true

entryPoints:
  http:
    address: ":80"
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32"
        - "10.0.0.0/8"
        - "192.168.0.0/16"
        - "172.16.0.0/12"
  https:
    address: ":443"
    http:
      tls:
        certResolver: letsencrypt
    forwardedHeaders:
      trustedIPs:
        - "127.0.0.1/32"
        - "10.0.0.0/8"
        - "192.168.0.0/16"
        - "172.16.0.0/12"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
    defaultRule: "Host(`{{ index .Labels \"com.docker.compose.service\”}}.domain.com`)"
    network: proxy
  file:
    directory: "/configs"
    watch: true

certificatesResolvers:
  http:
    acme:
      email: usr@domain.com
      storage: acme.json
      httpChallenge:
        entryPoint: http
  letsencrypt:
    acme:
      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
      email: usr@domain.com
      storage: acme.json
      dnsChallenge:
        provider: cloudflare
        resolvers:
          - "1.1.1.1:53"
          - "1.0.0.1:53"

serversTransport:
    insecureSkipVerify: false

accessLog:
  filePath: "/logs/access.log"
  fields:
    headers:
      names:
        User-Agent: keep

log:
  filePath: "/logs/traefik.log"
  level: DEBUG

middlewares.yml

http:
  middlewares:
    traefik-auth:
      basicAuth:
        users:
          - “usr:password”

tsl.yml

tls:
  options:
    default:
      minVersion: VersionTLS12
      cipherSuites:
       - "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"
       - "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384"
       - "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305"
       - "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256"
       - "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
       - "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305"

.env

USERDIR="/home/usr”
DOCKERDIR="/home/usr/docker"
DATADIR="/mnt/storage"
#DOMAINNAME_CLOUD_SERVER=domain.com
#CLOUDFLARE_EMAIL=usr@domain.com
#CLOUDFLARE_API_KEY=@@@@@
CLOUDFLARE_DNS_API=@@@@@
#LOCAL_IPS=127.0.0.1/32,10.0.0.0/8,192.168.0.0/16,172.16.0.0/12
#CLOUDFLARE_IPS=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.>
TRAEFIKADMIN=usr:@@@@@

bluepuma77 · February 15, 2024, 10:13pm

How about you share which page (URL) you try to request?

sucre182 · February 16, 2024, 3:54pm

Sure, here you go: https://traefik.continental34.com:8443

Adding 8443 to avoid nginx that's running on 443 port other server.

bluepuma77 · February 16, 2024, 3:58pm

You are trying to reach the dashboard (doc)?

The dashboard is available at the same location as the API but on the path /dashboard/ by default.
The trailing slash / in /dashboard/ is mandatory

sucre182 · February 16, 2024, 4:53pm

Thx starting to get somewhere, I'm getting the sign in prompt. But my credentials don't seem to work:

time="2024-02-16T17:44:12+01:00" level=debug msg="Authentication failed" middlewareName=traefik-auth@docker middlewareType=BasicAuth

Using the credentials provided in middlewares.yml listed in original post above. Any idea what I'm screwing up?

bluepuma77 · February 16, 2024, 4:57pm

Check the BasicAuth middlewares doc:

Passwords must be hashed using MD5, SHA1, or BCrypt.

Tip: Use htpasswd to generate the passwords

sucre182 · February 16, 2024, 5:51pm

So I re-issued the password via htpasswd, but still bumping into same issue. Think I've located the problem. I've got the user:passwd set in middlewares.yml, but also calling $TRAEFIKADMIN from .env file (later slightly differs, using double $$ variables in password string of .env).

in labels docker-compose.yml I've got this:

      - traefik.http.middlewares.traefik-auth.basicauth.users={$TRAEFIKADMIN}
      - traefik.http.routers.traefik-https.middlewares=traefik-auth

What's the recommended way to fix this? Thx for your guidance @bluepuma77

bluepuma77 · February 16, 2024, 10:39pm

Test it step by step, place your username and hash directly in the compose file, without templating using vars.

sucre182 · February 18, 2024, 7:59pm

Hitting a wall here, tried all sort of variants. Got this now in label compose:

    labels:
      - traefik.enable=true
      - traefik.http.routers.traefik-https.entrypoints=https
      - traefik.http.routers.traefik-https.rule=Host(`traefik.continental34.com`)
      - traefik.http.routers.traefik-https.middlewares=traefik-auth
      - traefik.http.middlewares.traefik-auth.basicauth.users=usr:$$1234$$5678$$9123456789
      - traefik.http.routers.traefik-https.service=api@internal
      - traefik.http.routers.traefik-https.tls.certresolver=letsencrypt
      - traefik.http.routers.traefik-https.tls.domains[0].main=continental34.com
      - traefik.http.routers.traefik-https.tls.domains[0].sans=*.continental34.com

And in middlewares.yml:

http:
  middlewares:
    traefik-auth:
      basicAuth:
        users:
          - "usr:$1234$5678$9123456789"

Now I'm not even getting a login screen anymore, just goes straight to 404... Any clue?

bluepuma77 · February 18, 2024, 10:26pm

Did you try
https://traefik.continental34.com/dashboard/?

Why do you define the basicauth twice (in labels and dynamic config)?

Why do you define wildcards in the router for a single domain?

Why don’t you enable Traefik debug log (doc) to check what’s happening?

sucre182 · February 19, 2024, 11:37am

Removed the middlewares.yml and its working now in Chrome, thx @bluepuma77 solved the safari issue in meantime mentioned in original reply

Already had debug log enabled, now seeing a bunch of issues with cert & TLS, here's the pastebin.

Grabbed the wildcard part from another tutorial, no specific reason tbh. What do you recommend to do with those last two lines in label section? Remove wildcard and adjust into this?

- traefik.http.routers.traefik-https.tls.domains[0].main=traefik.continental34.com

sucre182 · February 19, 2024, 2:00pm

mmm still having trouble with the basic authentication. Apparently it's not picking up the authentication at all when I define it as following in docker config:

 - traefik.http.middlewares.traefik-auth.basicauth.users=usr:$$1234$$5678$$9123456789

When I re-add the label below the login request appears again, but the user and password defined in label above are not accepted (getting new login request each time).

- traefik.http.routers.traefik-https.middlewares=traefik-auth

Any suggestions?

bluepuma77 · February 19, 2024, 2:40pm

Here is a working configuration, take it from there: simple Traefik example.

sucre182 · February 20, 2024, 12:42pm

Ok so went back to basics and using the config from simple traefik example, see config below. Unfortunately still getting the same login loop issue. Here's the debug output of traefik.log.

Where to take it from here?

version: '3.9'

services:
  traefik:
    image: traefik:v3.0
    container_name: traefik
    restart: always
    ports:
      - 8008:80
      - 8443:443
    networks:
      - proxy
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - letsencrypt:/letsencrypt
      - ./appdata/traefik/logs:/logs
      - /etc/localtime:/etc/localtime:ro

    command:
      - --api.dashboard=true
      - --log.level=DEBUG
      - --log.filepath=/logs/traefik.log
      - --accesslog=true
      - --accesslog.filepath=/logs/access.log
      - --providers.docker.network=proxy
      - --providers.docker.exposedByDefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.web.http.redirections.entrypoint.to=websecure
      - --entryPoints.web.http.redirections.entrypoint.scheme=https
      - --entrypoints.websecure.address=:443
      - --entrypoints.websecure.asDefault=true
      - --entrypoints.websecure.http.tls.certresolver=letsencrypt
      - --certificatesresolvers.myresolver.acme.email=usr@continental34.com
      - --certificatesresolvers.myresolver.acme.tlschallenge=true
      - --certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json

    labels:
      - traefik.enable=true
      - traefik.http.routers.mydashboard.rule=Host(`traefik.continental34.com`)
      - traefik.http.routers.mydashboard.service=api@internal
      - traefik.http.routers.mydashboard.middlewares=myauth
      - traefik.http.middlewares.myauth.basicauth.users=usr:$$apr1$$2345$$6789

networks:
  proxy:
    name: proxy

volumes:
  letsencrypt:
    name: letsencrypt

sucre182 · April 11, 2024, 6:17am

The solution was simple. I was using the hash instead of the actual password, therefore the authentication failed

thx for your patience @bluepuma77

system · April 14, 2024, 6:17am

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
404 page not found while reverse proxy to non Docker website Traefik v2 letsencrypt-acme , middleware	0	1188	December 20, 2020
404 page not found when connecting externally Traefik v2 docker , letsencrypt-acme	0	460	May 4, 2021
Get 404 page not found with Portainer behind Traefik Traefik v2 docker	3	3264	November 3, 2022
404 error with let's encrypt Traefik v2 docker-swarm , letsencrypt-acme , middleware	2	338	November 24, 2023
404 error when using local DNS Traefik v2 docker	2	1180	May 30, 2020

Help with 404 error

Related topics