HTTPS working externally, but connection reset internally

Hi

I have a running setup on a Raspberry Pi 4 with traefik v2.0 and nextcloud. I also added everything for Let's Encrypt and it's running smoothly from external networks. But as soon as I am connected to my local network (the same one as the RPi4) I can't connect anymore, and I see in the docker logs (traefik) that there was a connection reset. I don't change anything, just connect from an external network, and after pressing F5 the page loads fine.

My traefik.yml

api:
  dashboard: true
  insecure: true

# Writing Logs to a File, in JSON
log:
  level: DEBUG

entryPoints:
  http:
    address: ":80"
  https:
    address: ":443"
  traefik:
    address: ":8080"

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false

certificatesResolvers:
  http:
    acme:
      email: email@email.com
      storage: acme.json
      httpChallenge:
        entryPoint: http

My docker-compose.yml for traefik:

version: '2.0'

services:
  traefik:
    image: traefik:v2.0.4
    command:
     - --providers.docker
     - --api
    restart: unless-stopped
    ports:
     - 80:80
     - 443:443
     - 8080:8080
    networks:
     - web
    volumes:
     - /etc/localtime:/etc/localtime:ro
     - /var/run/docker.sock:/var/run/docker.sock:ro
     - /home/path/traefik/traefik.yml:/traefik.yml:ro
     - /home/path/traefik/acme.json:/acme.json
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.entrypoints=http"
      - "traefik.http.routers.traefik.rule=Host(`traefik.mydomain.dynu.net`)"
      - "traefik.http.middlewares.traefik-auth.basicauth.users=user:$$password/"
      - "traefik.http.middlewares.traefik-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.traefik.middlewares=traefik-https-redirect"
      - "traefik.http.routers.traefik-secure.entrypoints=https"
      - "traefik.http.routers.traefik-secure.rule=Host(`traefik.mydomain.dynu.net`)"
      - "traefik.http.routers.traefik-secure.middlewares=traefik-auth"
      - "traefik.http.routers.traefik-secure.tls=true"
      - "traefik.http.routers.traefik-secure.tls.certresolver=http"
      - "traefik.http.routers.traefik-secure.service=api@internal"
      - "traefik.http.services.traefik.loadbalancer.server.port=8080"
 
    container_name: traefik

networks:
  web:
    external: true

My docker-compose.yml for nextcloud:
(I tried to enable every possible option in the headers with the testheader, but it didn't work.)

version: '2.2'
services:
  db:
    image: jsurf/rpi-mariadb
    restart: always
    environment:
      MYSQL_ROOT_PASSWORD: 'XXXX'
      MYSQL_DATABASE: 'XXXX'
      MYSQL_USER: 'XXXXX'
      MYSQL_PASSWORD: 'XXX'
    networks:
      - internal
    ports:
      - 3306:3306
    volumes:
      - /path/nextcloud/db:/var/lib/mysql
  nextcloud:
    image: nextcloud:17
    restart: always
    links:
      - db
    depends_on:
      - db
    volumes:
      - /path/nextcloud/data:/var/www/html
      - /path:/var/www/html/data
    networks:
      - internal
      - web
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.nextcloud.entrypoints=http"
      - "traefik.http.routers.nextcloud.rule=Host(`nextcloud.mydomain.dynu.net`)"
      - "traefik.http.middlewares.nextcloud-https-redirect.redirectscheme.scheme=https"
      - "traefik.http.routers.nextcloud.middlewares=nextcloud-https-redirect"
      - "traefik.http.routers.nextcloud-secure.entrypoints=https"
      - "traefik.http.routers.nextcloud-secure.rule=Host(`nextcloud.mydomain.dynu.net`)"
      - "traefik.http.routers.nextcloud-secure.tls=true"
      - "traefik.http.routers.nextcloud-secure.tls.certresolver=http"
      - "traefik.http.routers.nextcloud-secure.service=nextcloud"
      - "traefik.http.services.nextcloud.loadbalancer.server.port=80"
      - "traefik.docker.network=web"
      - "traefik.http.middlewares.testHeader.headers.sslredirect=true"
      - "traefik.http.middlewares.testheader.headers.accesscontrolallowmethods=GET,OPTIONS,PUT,POST"
      - "traefik.http.middlewares.testheader.headers.accesscontrolalloworigin=*"
      - "traefik.http.middlewares.testheader.headers.accesscontrolmaxage=100"
      - "traefik.http.middlewares.testheader.headers.addvaryheader=true"
      # allowedHosts takes a plain comma-separated host list, not a Host() rule
      - "traefik.http.middlewares.testheader.headers.allowedHosts=nextcloud.mydomain.dynu.net"
      - "traefik.http.middlewares.testheader.headers.sslRedirect=true"
      - "traefik.http.middlewares.testheader.headers.forceSTSHeader=true"
      - "traefik.http.middlewares.testheader.headers.frameDeny=true"
      - "traefik.http.middlewares.testheader.headers.stsIncludeSubdomains=true"
      - "traefik.http.middlewares.testheader.headers.sslForceHost=true"
      - "traefik.http.middlewares.testheader.headers.stsPreload=true"
      - "traefik.http.middlewares.testheader.headers.contentTypeNosniff=true"
      - "traefik.http.middlewares.testheader.headers.browserXssFilter=true"
      - "traefik.http.routers.nextcloud-secure.middlewares=testHeader"

networks:
  web:
    external: true
  internal:
    external: false

Could someone tell me what else I should try? I really can't figure out what to do...
Thank you in advance!

Sounds like you have some networking issues, with your external and local networks. You should look into your network topology.

Well, my network topology is pretty simple. I only have one (totally commercial) router which is connected to my ISP and does all the port-forwarding, DNS and DHCP service.
It looks like when I am in my internal network and I try to connect to e.g. my nextcloud service through the public domain nextcloud.mydomain.dynu.net, my device realises that the endpoint of this communication is in the same network and then starts the communication directly to the local IP (e.g. 192.168.X.X). I think this is not supposed to be like that; the TLS handshake (with the public domain) fails and the peer resets the connection.

I actually have the exact same problem as this guy here, but nobody answered him :slight_smile:. Happy to hear from you!

If, at my home, I type my external IP (or a DNS name that resolves to it) into my browser address bar, it will NOT land the call back at my machine (this is without using traefik at all). This is how routing on the ISP side is set up and I can do nothing about that. It just does not loop back. You may be in the same situation. You will have to use internal IPs when accessing from internal, if routing is not set up correctly to loop back.
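A small diagnostic for the situation described in this thread, added here as an example and not code from either poster: it shows what the LAN resolver returns for the public hostname (whether the router must loop the connection back, or an internal DNS override already points at the Pi) and then performs a TLS handshake against both the resolved address and the Pi's LAN address while keeping the public name as SNI, which is what Traefik's Host() rule and the Let's Encrypt certificate need. The hostname is the one from the thread; the LAN address 192.168.1.10 is an assumption.

```python
import ipaddress
import socket
import ssl

# Constructed values for this example: the hostname from the thread and an
# assumed LAN address for the Raspberry Pi that runs Traefik.
PUBLIC_HOST = "nextcloud.mydomain.dynu.net"
LAN_IP = "192.168.1.10"

# RFC 1918 ranges; an answer inside them means the name already resolves to the LAN.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_lan_address(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)

def classify_answers(answers, lan_ip):
    """Classify what the LAN resolver returns for the public hostname.

    'split-horizon'  resolves to the Traefik host's LAN address, so traffic never
                     leaves the LAN (what an internal DNS override gives you)
    'hairpin'        resolves only to public addresses, so the router has to loop the
                     connection back (NAT loopback); a reset here means it does not
    'other-private'  resolves to a different private address, probably a stale override
    """
    if lan_ip in answers:
        return "split-horizon"
    if all(not is_lan_address(a) for a in answers):
        return "hairpin"
    return "other-private"

def tls_probe(target_ip, server_name, port=443, timeout=5.0):
    """TLS-connect to target_ip, sending server_name as SNI and verifying the
    certificate against it. Returns (ok, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((target_ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name) as tls:
                return True, f"{tls.version()} handshake ok via {target_ip}"
    except ConnectionResetError as exc:
        return False, f"connection reset by {target_ip}: {exc}"
    except (ssl.SSLError, OSError) as exc:
        return False, f"{type(exc).__name__} via {target_ip}: {exc}"

def diagnose(host=PUBLIC_HOST, lan_ip=LAN_IP):
    """Resolve host as this machine sees it, then probe the answers and the LAN address."""
    answers = sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443, proto=socket.IPPROTO_TCP)})
    print(f"{host} -> {answers} ({classify_answers(answers, lan_ip)})")
    for target in answers + [lan_ip]:
        ok, detail = tls_probe(target, host)
        print("OK  " if ok else "FAIL", detail)

if __name__ == "__main__":
    diagnose()
```

If the probe against the LAN address succeeds while the public one is reset, a hosts entry or local DNS override mapping the public name to the Pi's LAN address is the usual workaround when the router offers no NAT loopback.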