Https requests not working for docker/nextcloud (plain http request sent to https port)

Cantello · November 7, 2019, 12:46pm

Dear all!

I am trying to secure my nextcloud installation (docker on Ubuntu 18.04 on ESXi 6.7) with traefik & letsencrypt. However, when I try to access the NC instance via https, my browser either redirects to https://_/ (Vivaldi) or gives an error ("The plain HTTP request was sent to HTTPS port", curl / Firefox).

The dashboard works via https as well as another simple whoami container. Only nextcloud does not work as expected and I am losing my mind over what I could have done wrong. So far I mostly followed guides & tutorials (starting with the excellent one on medium), modifying and adding where necessary. Maybe I have created an amalgamate of several configurations, which leads to the current problems but even restarting from scratch does not work anymore.

My config files:

docker-compose.yml

version: '3'

services:
  traefik:
    image: traefik:v2.0.4
    container_name: traefik
    restart: unless-stopped
    networks:
      - proxy
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /root/traefik/acme.json:/acme.json
      - /root/traefik/traefik.yml:/traefik.yml:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.domain.net`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=user:pass"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.domain.net`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"

  whoami:
    image: "containous/whoami"
    container_name: "simple-whoami"
    networks:
      - proxy
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.domain.net`)"
      - "traefik.http.routers.whoami.entrypoints=https"
      - "traefik.http.routers.whoami.tls.certresolver=http"

  nextcloud:
    image: linuxserver/nextcloud
    container_name: "nextcloud"
    networks:
      - proxy
    environment:
      - PUID=1001
      - PGID=1001
      - TZ=Europe/Berlin
    volumes:
      - /home/dockeruser/nextcloud:/config
      - /home/dockeruser/nextcloud_data:/data
    restart: unless-stopped
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud-secure.entrypoints=https"
      - "traefik.http.routers.nextcloud-secure.rule=Host(`nextcloud.domain.net`)"
      - "traefik.http.routers.nextcloud-secure.tls=true"
      - "traefik.http.routers.nextcloud-secure.tls.certresolver=http"
      - "traefik.http.routers.nextcloud-secure.service=nextcloud"

networks:
  proxy:
    external: true

traefik.yml

api:
  dashboard: true

log:
  level: DEBUG

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

certificatesResolvers:
  http:
    acme:
      email: email@domain.net
      storage: acme.json
      httpChallenge:
        entryPoint: http

last part of docker-compose logs

traefik      | time="2019-11-07T12:30:39Z" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{\"M
ethod\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":
false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"*/*\"]
,\"User-Agent\":[\"curl/7.58.0\"],\"X-Forwarded-Host\":[\"nextcloud.domain.net\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-P
roto\":[\"https\"],\"X-Forwarded-Server\":[\"b3bbad79f113\"],\"X-Real-Ip\":[\"ip-address\"]},\"ContentLength\":0,\"TransferEncod
ing\":null,\"Host\":\"nextcloud.domain.net\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAdd
r\":\"ip-address:36902\",\"RequestURI\":\"/\",\"TLS\":null}"

Any ideas?
In case you were wondering why the traefik directory is under /root - I first tried /opt/traefik but somehow it did not recognize the docker-compose.yml there. A simple cp to /root was sufficient to make it run.

zespri · November 7, 2019, 10:10pm

Use the config files that you posted above. Discard all the experiments, that you've done after posting.

Add this to your traefik.yml:

serversTransport:
  insecureSkipVerify: true

Modify your docker-compose.yaml, so that NC section labels look like this:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud-secure.entrypoints=https"
      - "traefik.http.routers.nextcloud-secure.rule=Host(`nextcloud.domain.net`)"
      - "traefik.http.routers.nextcloud-secure.tls=true"
      - "traefik.http.routers.nextcloud-secure.tls.certresolver=http"
      - "traefik.http.routers.nextcloud-secure.service=nextcloud"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=443"
      - "traefik.http.services.nextcloud.loadbalancer.server.scheme=https"

Cantello · November 8, 2019, 8:54am

This works, thanks!

The only modifications were the loadbalancer service and insecureSkipVerify, correct? Could you elaborate on why the SSL certificate should not be verified? I thought it was a regular, valid, letsencrypt-issued certificate. However, it works, so maybe I should not think too hard about it.

zespri · November 8, 2019, 9:38am

Yes

github.com/traefik/traefik

Docker swarm configuration ignored with "port is missing"

opened 09:36PM - 27 Oct 19 UTC

xsrf

area/documentation kind/bug/confirmed priority/P3 area/provider/docker/swarm

### Do you want to request a *feature* or report a *bug*?  Bug  ### What did you do? I tried to run traefik in a docker swarm and wanted to expose the dashboard as shown in the docs here: https://docs.traefik.io/operations/dashboard/#secure-mode ### What did you expect to see? The dashboard on `http://127.0.0.11/dashboard/` ### What did you see instead? A 404 from traefik ### Output of `traefik version`: (_What version of Traefik are you using?_)  ``` Version: 2.0.2 Codename: montdor Go version: go1.13.1 Built: 2019-10-09T19:26:05Z OS/Arch: linux/amd64 ``` ### What is your environment & configuration (arguments, toml, provider, platform, ...)? ```yml version: '3.7' services: traefik: image: traefik:latest ports: - 80:80 - 443:443 deploy: replicas: 1 placement: constraints: - node.role == manager labels: - traefik.enable=true - traefik.http.routers.traefik_http.rule=Host(`127.0.0.11`) - traefik.http.routers.traefik_http.service=api@internal - traefik.http.routers.traefik_http.entrypoints=http volumes: - /var/run/docker.sock:/var/run/docker.sock command: > --providers.docker --providers.docker.exposedbydefault=false --providers.docker.swarmmode=true --entryPoints.http.address=":80" --entryPoints.https.address=":443" --accesslog --log.level=INFO --api=true --api.dashboard=true ```  ### If applicable, please paste the log output in DEBUG level (`--log.level=DEBUG` switch) ``` level=error msg="port is missing" providerName=docker container=traefik-traefik-1jvz83nonxx53q9eel9r4cwlg ``` Traefik seems to ignore configurations of a docker service if they are missing a service definition setting a loadbalancer port. Since `api@internal` is an internal service which is already defined and has no port, I didn't define one. However, if I add a **dummy service** with a port, **the Dashboard works fine**: ```yml ... labels: - traefik.enable=true - traefik.http.services.dummyService.loadbalancer.server.port=1337 - traefik.http.routers.traefik_http.rule=Host(`127.0.0.11`) - traefik.http.routers.traefik_http.service=api@internal - traefik.http.routers.traefik_http.entrypoints=http ... ``` I did some more experiments: ```yml # Route and Services work fine: whoami: image: containous/whoami deploy: replicas: 2 labels: - traefik.enable=true - traefik.http.services.whoami.loadbalancer.server.port=80 - traefik.http.routers.whoami_http.rule=Host(`127.0.0.12`) - traefik.http.routers.whoami_http.service=whoami - traefik.http.routers.whoami_http.entrypoints=http # Route for whoami2 is ignored because of missing port: whoami2: image: containous/whoami deploy: replicas: 1 labels: - traefik.enable=true - traefik.http.routers.whoami2_http.rule=Host(`127.0.0.13`) - traefik.http.routers.whoami2_http.service=whoami - traefik.http.routers.whoami2_http.entrypoints=http # Route for whoami3 is ignored because of missing port: whoami3: image: containous/whoami deploy: replicas: 1 labels: - traefik.enable=true - traefik.http.routers.whoami3_http.rule=Host(`127.0.0.14`) # Route for whoami4 is parsed and served by whoami4: whoami4: image: containous/whoami deploy: replicas: 1 labels: - traefik.enable=true - traefik.http.services.whoami4.loadbalancer.server.port=80 - traefik.http.routers.whoami4_http.rule=Host(`127.0.0.15`) # Route for whoami5 is parsed and served by whoami: whoami5: image: containous/whoami deploy: replicas: 1 labels: - traefik.enable=true - traefik.http.services.whoami5.loadbalancer.server.port=1337 - traefik.http.routers.whoami5_http.rule=Host(`127.0.0.16`) - traefik.http.routers.whoami5_http.service=whoami ``` Errors here: ``` level=error msg="port is missing" providerName=docker container=traefik-whoami2-lvaeohb9ycx9g8vqs5bhhep5b level=error msg="port is missing" providerName=docker container=traefik-whoami3-mpr8w2rl8lx21b13vt3c3nm0e ``` It looks like traefik requires a `traefik.http.services.*.loadbalancer.server.port` label on every service, or it will discard the configuration. Name, existence and port of the service are completely irrelevant. Traefik should not require a loadbalancer port definition for each docker service, because a router can also reference an internal service or a service defined elsewhere and thus defining a service/loadbalancer is pointless.

Topic		Replies	Views
Specific container app that runs on https Traefik v2 (latest) docker , middleware	0	286	March 20, 2021
Cannot get http -> https redirect to work properly Traefik v2 (latest) docker , middleware	3	1678	December 12, 2019
Redirect http to https Traefik v2 (latest) docker	1	356	December 31, 2023
Traefik monitor to accept http and redirect to https? Traefik v2 (latest) docker , letsencrypt-acme	2	347	March 1, 2020
Http to https redirect - Again Traefik v2 (latest) docker	10	1471	February 24, 2020

Https requests not working for docker/nextcloud (plain http request sent to https port)

Related Topics