KBst
October 23, 2019, 10:09am
#1
I am trying to setup Traefik as reverse proxy for an existing Apache server. This server is running on http: Port 50080 / https: Port 50443.
Traefik redirect example only uses a non TLS service. I.E.:
[http.routers]
[http.routers.apache0]
rule = "Host(`apache.paedml-test.de`)"
service = "apache-service"
entrypoints = ["web"]
middlewares = ["redirect"]
[http.routers.apache1]
rule = "Host(`apache.paedml-test.de`)"
service = "apache-service"
entrypoints = ["websecure"]
[http.routers.apache1.tls]
[http.services]
[http.services.apache-service.loadBalancer]
[[http.services.apache-service.loadBalancer.servers]]
url = "http://127.0.0.1:50080"
[http.middlewares]
[http.middlewares.redirect.redirectScheme]
scheme = "https"
This setup is running o.k. But If I try to substitute http by https
[http.services]
[http.services.apache-service.loadBalancer]
[[http.services.apache-service.loadBalancer.servers]]
url = "https://127.0.0.1:50443"
I get an error.
Whats wrong?
Hello @KBst ,
When you say:
KBst:
I get an error.
Can you elaborate? What kind of error? Where is it reported?
KBst
October 23, 2019, 6:58pm
#3
Sorry Daniel, of course this has been to short. Now this is was happens (all with Firefox 60.9.0esr)
from the traefik log
time="2019-10-23T20:51:46+02:00" level=debug msg="'500 Internal Server Error' caused by: x509: cannot validate certificate for 127.0.0.1 because it doesn't contain any IP SANs"
So first question seams: How can I tell Traefik to ignore service certificate errors? I already have set
insecureSkipVerify = true
Hello @KBst ,
Can you please provide your traefik configuration?
KBst
October 23, 2019, 7:24pm
#5
daniel.tomcej
October 23
Hello @KBst ,
Can you please provide your traefik configuration?
[Bst] Hi Daniel I try to add the config to this mail. Hope this works.
Klaus
(Attachment traefik.zip is missing)
KBst
October 23, 2019, 7:33pm
#6
o.k. .zip isn't allowed.
traefik.toml
#Uncomment below if you selfsigned backends
insecureSkipVerify = true
[global]
checkNewVersion = true
sendAnonymousUsage = true
################################################################
# Entrypoints configuration
################################################################
[entryPoints]
[entryPoints.web]
address = ":80"
[entryPoints.websecure]
address = ":443"
[entryPoints.traefik]
address = ":8080"
[log]
level = "DEBUG"
filePath = "/var/log/traefik/traefik.log"
[accessLog]
filePath = "/var/log/traefik/access.log"
[api]
[ping]
# File configuration backend
################################################################
[providers]
[providers.file]
# directory =
filename = "./dynamic.toml"
watch = true
dynamic.toml
[http.routers]
[http.routers.apache0]
rule = "Host(`apache.paedml-test.de`)"
service = "apache-service"
entrypoints = ["web"]
middlewares = ["redirect"]
[http.routers.apache1]
rule = "Host(`apache.paedml-test.de`)"
service = "apache-service"
entrypoints = ["websecure"]
[http.routers.apache1.tls]
[http.services]
[http.services.apache-service.loadBalancer]
[[http.services.apache-service.loadBalancer.servers]]
url = "https://127.0.0.1:50443"
[http.middlewares]
[http.middlewares.redirect.redirectScheme]
scheme = "https"
KBst
October 23, 2019, 7:48pm
#7
I just found this "insecureSkipVerify: true not being applied (v2) ". Seems to be my problem, but I can't find the right solution for my case.
KBst
October 23, 2019, 7:55pm
#8
Solution:
Instead of
insecureSkipVerify = true
I have to set
[serversTransport]
insecureSkipVerify = true
Where to find this in the docs? ... not just mentioned but explained
Hi @KBst , not sure if it's something they added recently, but it is documented in the Routing overview:
https://docs.traefik.io/routing/overview/#insecureskipverify
Also, for v2 configurations, there can't be any keys at the "root level" of the toml, all of them must belong in what TOML calls "a table" (i.e. [something]
).
Regards!