HTTPS passthrough from Traefik to Caddy

4r7if3x · July 1, 2024, 6:19am

I have a host docker machine that runs several WordPress websites on FrankenPHP containers that run on top of the Caddy web server which handles its own SSL. To avoid port conflict, I've utilized Traefik as a reverse proxy. The problem is that my website keeps loading until it gives me PR_END_OF_FILE_ERROR.

services:
  proxy:
    image: "traefik:latest"
    container_name: proxy
    command:
      - "--api.insecure=false"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock:ro"
    ports:
      - "80:80"
      - "443:443"
    networks:
      - proxy
    restart: unless-stopped

networks:
  proxy:
    name: proxy
    driver: bridge

services:
...

  website:
    depends_on:
      - database
    build:
      context: .
      target: runner
      args:
        ...
    environment:
      SERVER_NAME: "${APP_DOMAIN:-localhost}"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.${APP_NAME}.rule=Host(`${APP_DOMAIN}`)"
      - "traefik.http.routers.${APP_NAME}.entrypoints=web"
      - "traefik.http.services.${APP_NAME}.loadbalancer.server.port=80"
      - "traefik.tcp.routers.${APP_NAME}-secure.rule=HostSNI(`${APP_DOMAIN}`)"
      - "traefik.tcp.routers.${APP_NAME}-secure.entrypoints=websecure"
      - "traefik.tcp.routers.${APP_NAME}-secure.tls.passthrough=true"
      - "traefik.tcp.services.${APP_NAME}-secure.loadbalancer.server.port=443"
    volumes:
      - "./data/caddy/data:/data"
      - "./data/caddy/config:/config"
    networks:
      - internal
      - proxy
    healthcheck:
      test: |
        curl --fail http://localhost || exit 1
      start_period: 60s
      interval: 60s
      timeout: 30s
      retries: 3
    restart: always

...

networks:
  internal:
    driver: bridge
  proxy:
    external: true

Here is the result of docker logs proxy:

...
ERR Error while dialing backend error="dial tcp 172.19.0.4:443: i/o timeout"

What am I doing wrong?

bluepuma77 · July 1, 2024, 9:01am

Make sure to set docker.network when having multiple networks on target service, which are not all used by Traefik. Traefik will forward requests to any IP it finds on the target service container, it doesn't check if it is connected to the required Docker network.

Are you creating separate TLS certs for Traefik and target service? For HostSNI() to work, Traefik needs access to the TLS cert files. Is that the case?

bluepuma77 · July 1, 2024, 10:16am

Set docker.network globally on provider or in target service labels (doc).

When Traefik has no TLS certs, you can not do any routing based on domain, you can only use HostSNI(`*`). For routing to different services you would need to use different ports.

For plain Traefik TCP pass-through, do not activate any TLS, simply use:

      - traefik.tcp.routers.${APP_NAME}-secure.entrypoints=websecure
      - traefik.tcp.routers.${APP_NAME}-secure.rule=HostSNI(`*`)
      - traefik.tcp.services.${APP_NAME}-secure.loadbalancer.server.port=443
      - traefik.docker.network=proxy

Topic		Replies	Views
Help with https redirection and infinite loop Traefik v2 docker , middleware	3	2451	January 26, 2023
Solved: Clarity on traefik http reverse proxy with pfsense DNS resolver subdomain entries. The proxy for the external server (different docker VM to the traefik docker VM) works on port 80 but not on another port used by wordpress. Nice diagram included Traefik v2 docker	5	1631	November 21, 2023
Traefik as proxy and TLS terminator: NoGo with Wordpress - Go with WhoamI Traefik v2 docker	3	2597	December 2, 2019
Bad Gateway for WordPress containers behind Traefik reverse proxy in docker-compose Traefik v2 docker	3	2059	September 27, 2022
Force https on traefik with docker-compose, mixed content Traefik v2 docker	6	5208	November 7, 2022

HTTPS passthrough from Traefik to Caddy

Related topics