HTTPS from behind reverse proxy

My problem is that I have an IdentityServer4 instance that must be available in front of and behind my reverse proxy. So far it looks like everything is good in front but not behind.

I was having this problem in Apache httpd and a few people suggested that Traefik could be a better fit for what I am doing. I got Traefik set up easily but I am still having the same problems. When I attach a shell to userportalmvc and use curl, my calls to https://api.mydomain.com time out. I am not sure if this is an issue with the DNS or with the SSL certificate not showing the correct issuer.

I can get everything to work if I add ports to each call, but this does not seem desirable because I would then need to open a new port for each new service and users would see the port number in their web browsers.

I also tried to use a local address but the CA will not accept this because it expects the public facing ip address for my domain.

  • [ ] userportalmvc cannot consume from https://172:100:100:13:3333 (cert rejected)

Please let me know if there is some detail that I am missing or if my entire approach needs to be reconsidered. Any guidance will be appreciated.

Here is my docker-compose file:

```yaml
version: '3.4'

services:
  traefik:
    image: "traefik:v2.2"
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.web-secure.address=:443 # Declares the web-secure entrypoint in Traefik
      - --providers.docker=true
      - --providers.file.directory=/configuration/
      - --providers.file.watch=true
    ports:
      - "80:80"
      - "443:443"
    networks:
      mmsbridge:
        ipv4_address: 172.100.100.10
    volumes:
      - sslskeys:/etc/ssls/
      - "/home/coder/traefik/configuration/:/configuration/"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  identityapi:
    image: identityapi
    build:
      context: api/.
      dockerfile: Dockerfile
    expose:
      - 5000
    networks:
      mmsbridge:
        ipv4_address: 172.100.100.13
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://+:5000
    labels:
      - "traefik.http.routers.api.rule=Host(`api.mydomain.com`)"
      - "traefik.http.routers.api.tls=true"
      - "traefik.backend=primeapi" # Traefik v1 label; ignored by v2

  userportalmvc:
    image: userportalmvc
    build:
      context: userportalmvc/.
      dockerfile: Dockerfile
    expose:
      - 5000
    networks:
      mmsbridge:
        ipv4_address: 172.100.100.14
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://+:5000
    labels:
      - "traefik.http.routers.portal.rule=Host(`portal.mydomain.com`)"
      - "traefik.http.routers.portal.tls=true"
      - "traefik.backend=userportalmvc" # Traefik v1 label; ignored by v2

volumes:
  sslskeys:
    external: true

networks:
  mmsbridge:
    external: true
```

and here is /home/coder/traefik/configuration/traefik.TOML:

```toml
# [providers.*] belongs to Traefik's static configuration; the file provider
# only loads dynamic configuration (tls, http, tcp), so this section is not used here.
[providers.docker]

[[tls.certificates]]
  certFile = "/etc/ssls/mydomain.com/cert.pem"
  keyFile = "/etc/ssls/mydomain.com/privkey.pem"

[[tls.certificates]]
  certFile = "/etc/ssls/identity.mydomain.com/cert.pem"
  keyFile = "/etc/ssls/identity.mydomain.com/privkey.pem"

[[tls.certificates]]
  certFile = "/etc/ssls/api.mydomain.com/cert.pem"
  keyFile = "/etc/ssls/api.mydomain.com/privkey.pem"

[[tls.certificates]]
  certFile = "/etc/ssls/portal.mydomain.com/cert.pem"
  keyFile = "/etc/ssls/portal.mydomain.com/privkey.pem"
```


Solved!

I found that my problem had nothing to do with Traefik but was in my Docker network settings. By adding an "extra_hosts" option to the userportalmvc service, I was able to route calls back to Traefik at 172.100.100.10 and the CA cert gets terminated properly.

Here is my final compose file:

```yaml
version: '3.4'

services:
  traefik:
    image: "traefik:v2.2"
    command:
      - --entrypoints.web.address=:80
      - --entrypoints.web-secure.address=:443
      - --providers.docker=true
      - --providers.file.directory=/configuration/
      - --providers.file.watch=true
    ports:
      - "80:80"
      - "443:443"
    networks:
      mmsbridge:
        ipv4_address: 172.100.100.10
    volumes:
      - sslskeys:/etc/ssls/
      - "/home/coder/traefik/configuration/:/configuration/"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  identityapi:
    image: identityapi
    build:
      context: api/.
      dockerfile: Dockerfile
    expose:
      - 5000
    networks:
      mmsbridge:
        ipv4_address: 172.100.100.13
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://+:5000
    labels:
      - "traefik.http.routers.api.rule=Host(`api.mydomain.com`)"
      - "traefik.http.routers.api.tls=true"

  userportalmvc:
    image: userportalmvc
    build:
      context: userportalmvc/.
      dockerfile: Dockerfile
    expose:
      - 5000
    networks:
      mmsbridge:
        ipv4_address: 172.100.100.14
    extra_hosts:
      # Resolve the public hostname to Traefik's internal address so the
      # container reaches the proxy (and its matching certificate) directly.
      - api.mydomain.com:172.100.100.10
    environment:
      - ASPNETCORE_ENVIRONMENT=Development
      - ASPNETCORE_URLS=http://+:5000
    labels:
      - "traefik.http.routers.portal.rule=Host(`portal.mydomain.com`)"
      - "traefik.http.routers.portal.tls=true"

volumes:
  sslskeys:
    external: true

networks:
  mmsbridge:
    external: true
```
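An added diagnostic (example code, not from the original thread) for running inside a container such as userportalmvc: it reports which layer fails when dialling `https://api.mydomain.com`, distinguishing the name resolving somewhere other than the proxy (the fix above), an unreachable or refused TCP connection, and a certificate that fails hostname or chain verification. `PROXY_IP` is taken from the compose file; the stage names and `diagnose()` function are this example's own.

```python
import socket
import ssl

# Traefik's address on the mmsbridge network, as in the compose file above.
PROXY_IP = "172.100.100.10"


def diagnose(host, port=443, expect_ip=None, timeout=3.0):
    """Return a dict with the first failing layer when dialling https://host:port.

    stage is one of: dns, dns-mismatch, timeout, tcp, tls-verify, tls, ok.
    """
    result = {"host": host, "port": port, "stage": None, "detail": ""}

    # 1. Name resolution. Inside the container this should come from
    #    extra_hosts (or Docker's embedded DNS), not the public A record.
    try:
        addr = socket.getaddrinfo(host, port, socket.AF_INET,
                                  socket.SOCK_STREAM)[0][4][0]
    except socket.gaierror as exc:
        result.update(stage="dns", detail=str(exc))
        return result
    result["resolved"] = addr
    if expect_ip and addr != expect_ip:
        result.update(stage="dns-mismatch",
                      detail=f"{host} resolves to {addr}, expected {expect_ip}")
        return result

    # 2. TCP connect, then 3. TLS handshake with SNI and hostname verification
    #    against the system trust store (the same checks curl and HttpClient do).
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((addr, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
                result.update(stage="ok",
                              detail="issuer=" + issuer.get("organizationName", "?"))
    except socket.timeout:
        result.update(stage="timeout", detail=f"no answer from {addr}:{port}")
    except ConnectionRefusedError as exc:
        result.update(stage="tcp", detail=str(exc))
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError; check first
        result.update(stage="tls-verify", detail=exc.verify_message)
    except ssl.SSLError as exc:
        result.update(stage="tls", detail=str(exc))
    return result


if __name__ == "__main__":
    print(diagnose("api.mydomain.com", expect_ip=PROXY_IP))
```

A `dns-mismatch` result from inside the container means the hostname still resolves to the public address rather than the proxy, which is exactly what the `extra_hosts` entry corrects.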