KBst
October 23, 2019, 10:09am
1
I am trying to set up Traefik as a reverse proxy for an existing Apache server. This server is running on http: Port 50080 / https: Port 50443.
The Traefik redirect example only uses a non-TLS service, i.e.:
```toml
[http.routers]
[http.routers.apache0]
rule = "Host(`apache.paedml-test.de`)"
service = "apache-service"
entrypoints = ["web"]
middlewares = ["redirect"]
[http.routers.apache1]
rule = "Host(`apache.paedml-test.de`)"
service = "apache-service"
entrypoints = ["websecure"]
[http.routers.apache1.tls]
[http.services]
[http.services.apache-service.loadBalancer]
[[http.services.apache-service.loadBalancer.servers]]
url = "http://127.0.0.1:50080"
[http.middlewares]
[http.middlewares.redirect.redirectScheme]
scheme = "https"
```
This setup is running o.k. But if I try to substitute http by https
```toml
[http.services]
[http.services.apache-service.loadBalancer]
[[http.services.apache-service.loadBalancer.servers]]
url = "https://127.0.0.1:50443"
```
I get an error.
What's wrong?
Hello @KBst ,
When you say:
KBst:
I get an error.
Can you elaborate? What kind of error? Where is it reported?
KBst
October 23, 2019, 6:58pm
3
daniel.tomcej:
Can you elaborate? What kind of error? Where is it reported?
Sorry Daniel, of course this has been too short. Now this is what happens (all with Firefox 60.9.0esr)
from the traefik log
```
time="2019-10-23T20:51:46+02:00" level=debug msg="'500 Internal Server Error' caused by: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs"
```
So the first question seems to be: How can I tell Traefik to ignore service certificate errors? I already have set
```toml
insecureSkipVerify = true
```
Hello @KBst ,
Can you please provide your traefik configuration?
KBst
October 23, 2019, 7:24pm
5
daniel.tomcej
October 23
Hello @KBst ,
Can you please provide your traefik configuration?
[Bst] Hi Daniel I try to add the config to this mail. Hope this works.
Klaus
(Attachment traefik.zip is missing)
KBst
October 23, 2019, 7:33pm
6
o.k. .zip isn't allowed.
traefik.toml
```toml
#Uncomment below if you selfsigned backends
insecureSkipVerify = true
[global]
checkNewVersion = true
sendAnonymousUsage = true
################################################################
# Entrypoints configuration
################################################################
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[entryPoints.traefik]
address = ":8080"
[log]
level = "DEBUG"
filePath = "/var/log/traefik/traefik.log"
[accessLog]
filePath = "/var/log/traefik/access.log"
[api]
[ping]
# File configuration backend
################################################################
[providers]
[providers.file]
# directory =
filename = "./dynamic.toml"
watch = true
```
dynamic.toml
```toml
[http.routers]
[http.routers.apache0]
rule = "Host(`apache.paedml-test.de`)"
service = "apache-service"
entrypoints = ["web"]
middlewares = ["redirect"]
[http.routers.apache1]
rule = "Host(`apache.paedml-test.de`)"
service = "apache-service"
entrypoints = ["websecure"]
[http.routers.apache1.tls]
[http.services]
[http.services.apache-service.loadBalancer]
[[http.services.apache-service.loadBalancer.servers]]
url = "https://127.0.0.1:50443"
[http.middlewares]
[http.middlewares.redirect.redirectScheme]
scheme = "https"
```
KBst
October 23, 2019, 7:48pm
7
I just found this "insecureSkipVerify: true not being applied (v2) ". Seems to be my problem, but I can't find the right solution for my case.
KBst
October 23, 2019, 7:55pm
8
Solution:
Instead of
```toml
insecureSkipVerify = true
```
I have to set
```toml
[serversTransport]
insecureSkipVerify = true
```
Where to find this in the docs? ... not just mentioned but explained
Hi @KBst , not sure if it's something they added recently, but it is documented in the Routing overview:
https://docs.traefik.io/routing/overview/#insecureskipverify
Also, for v2 configurations, there can't be any keys at the "root level" of the toml, all of them must belong in what TOML calls "a table" (i.e. [something]).
Regards!