Info and installation improvement

Hello,
I would like to ask some questions as I am experiencing several problems.

I currently have traefik installed with docker-compose and its static file traefik.yml, where I set the automatic redirect from 80 to 443.

I have some services with their labels in the docker-compose, where I create http routers and they are handled quietly. The problem occurs when I create a tcp router to make sure that requests are forwarded to a container that has its own tls:

putting

    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.fleetdm.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.fleetdm.entrypoints=websecure"
      - "traefik.tcp.services.fleetdm.loadbalancer.server.port=8080"

I see a lot of tls handshake errors. Also, if I turn off some applications that have an http router and a Host=('foobar.example.com') directive, the request is directed to the tcp router.

At this time I would like to ask how to:

  1. have all the http routers in tls. I currently use:

         labels:
           - "traefik.enable=true"
           - "traefik.http.routers.snipe-it.entrypoints=web,websecure"
           - "traefik.http.routers.snipe-it.rule=Host(`asset.company.it`)"
           - "traefik.http.services.snipe-it.loadbalancer.server.port=80"
           - "traefik.http.routers.snipe-it.tls=true"

  2. make sure to turn the above tcp router into an http router by handling the tls, instead of having it handled by the container, and allowing it to both reach the web interface and accept REST calls.

  3. mislabeling the above tcp router put all my other http routers into a 404 page not found, including the traefik dashboard. Do I have a way to put all routers, both http and tcp, in one file instead of using labels within each container, so that after each app is created it is seen by traefik automatically without having to restart traefik or the web app itself?

  4. How do I balance a mysql container and make sure that port 3306 is always exposed on 443?

Thanks

What do you want to achieve? You want all TLS connections to go through port 443? You want Traefik to manage all TLS certs? Should the internal TCP forward then use the target cert?

Note the doc (link):

If both HTTP routers and TCP routers listen to the same entry points, the TCP routers will apply before the HTTP routers. If no matching route is found for the TCP routers, then the HTTP routers will take over.

Hi @bluepuma77,
I tried again today, but to no avail. My current configuration is:

All web apps have the following labels in the docker-compose.yml:

    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.entrypoints=web"
      - "traefik.http.routers.portainer.rule=Host(`portainer.company.it`)"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"

Also I have a web app called fleetdm which is used to manage all the company PCs; they connect from outside through the API, and its web interface is reachable internally.

Since that application has its own certificate, in addition to the one on the firewall, in order to use this application behind traefik I had to insert the labels as follows, after several tests:

    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.fleetdm.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.fleetdm.entrypoints=websecure"
      - "traefik.tcp.services.fleetdm.loadbalancer.server.port=8080"

Only in this way; setting other tcp routers doesn't work, and with HostSNI(fleetdm.company.it) I get the error: invalid rule: "HostSNI(fleetdm.company.it)" , has HostSNI matcher, but no TLS on router

I tried to disable the redirect from 80 to 443 on the pfsense firewall, in order to manage it on traefik and be able to have applications on 80 and applications on 443. It did not work: when traefik does the redirect it does it on the public IP instead of doing it internally. Traefik behaves as per photo 1 instead of as per photo 2 (required result).

incorrect proxy behavior:

desired behaviour:

Also I have a traefik-dynamic.yml file that contains the router that redirects to the NAS; if I try to add more routers inside it, all applications including the traefik GUI send me to a 404 page not found.

    http:
      routers:
        qnap-nas:
          rule: "Host(`nas.company.it`)"
          entryPoints:
            - web
            #- websecure
          #tls: {}
          service: qnap-nas
      services:
        qnap-nas:
          loadBalancer:
            servers:
              - url: "http://10.0.68.99:8080"
            passHostHeader: true

So my problem lies in the fact that I can't handle applications with https traffic, as opposed to http traffic.

Can you help me to achieve what is specified below?
I have several unreachable applications due to misconfigured labels.

I want to have the following application scenarios:

scenario 1)
client => pfsense => https(443) => traefik => https(443) => web app

scenario 2)
client => pfsense => https(443) => traefik => http(80) => web app

scenario 3)
client => pfsense => http(80) => traefik => http(80) => web app

Should I go ahead with labels or dynamic files?

My traefik static conf:

    global:
      checkNewVersion: true
      sendAnonymousUsage: false  # true by default

    # (Optional) Log information
    # ---
    log:
      # Log level
      #
      # Optional
      # Default: "ERROR"
      #
      level: DEBUG

      # Sets the filepath for the traefik log. If not specified, stdout will be used.
      # Intermediate directories are created if necessary.
      #
      # Optional
      # Default: os.Stdout
      #
      format: json
      filePath: /var/log/traefik/traefik.log

    # (Optional) Accesslog
    # ---
    accesslog:
      format: json  # common, json, logfmt
      filePath: /var/log/traefik/access.log

    # (Optional) Enable API and Dashboard
    # ---
    api:
      dashboard: true  # true by default
      insecure: false  # true would expose the API/dashboard without authentication; keep it false in production

    # Entry Points configuration
    # ---
    entryPoints:
      web:
        address: :80
        # (Optional) Redirect to HTTPS
        # ---
        #http:
        #  redirections:
        #    entryPoint:
        #      to: websecure

      websecure:
        address: :443

      #mysql:
      #  address: :3306

    # Configure your CertificateResolver here...
    # ---
    #certificatesResolvers:
    #  staging:
    #    acme:
    #      email: webmaster@example.it
    #      storage: /etc/traefik/certs/acme.json
    #      caServer: "https://acme-staging-v02.api.letsencrypt.org/directory"
    #      httpChallenge:
    #        entryPoint: web
    #  production:
    #    acme:
    #      email: webmaster@example.it
    #      storage: /etc/traefik/certs/acme.json
    #      caServer: "https://acme-v02.api.letsencrypt.org/directory"
    #      httpChallenge:
    #        entryPoint: web

    # NOTE: the "tls" section below (stores/options) and the "http" section at
    # the bottom (routers/middlewares) are dynamic configuration. Traefik does
    # not accept them inside the static configuration file; they belong in a
    # separate file under the file provider's directory.

    # (Optional) Overwrite Default Certificates
    tls:
      stores:
        default:
          defaultCertificate:
            certFile: /etc/traefik/certs/cert.pem
            keyFile: /etc/traefik/certs/cert-key.pem
            # caFile: /etc/traefik/certs/ca.pem
      # (Optional) Disable TLS version 1.0 and 1.1
      #options:
      #  default:
      #    minVersion: VersionTLS12
      #    cipherSuites:
      #      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      #      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
      #      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
      #      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      #      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    providers:
      docker:
        exposedByDefault: false
      file:
        # watch for dynamic configuration changes
        directory: /etc/traefik
        watch: true

    # Dynamic Configuration
    http:
      routers:
        dashboard:
          rule: Host(`rproxy.company.it`) #&& (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
          service: api@internal
          entryPoints:
            - web
          #tls:
          #  options: default
          middlewares:
            - auth
      middlewares:
        auth:
          basicAuth:
            usersFile: "/etc/traefik/.htpasswd"

I have my own certificate.

Thanks very much

Any news @bluepuma77 ? Can you help me?
Thanks

We have a managed LoadBalancer in front of Traefik, we just pass 80+443 straight through as TCP, no TLS certs involved.

Then we have a simple Traefik setup, with entrypoints for 80, redirecting to 443, and a LetsEncrypt TLS entrypoint on 443, which routers are using with Host().

By the way: the redirect is a response to the original request, telling the client to use a different scheme and port for the request.

So in my case, how should the labels be, if my loadbalancer handles the tls and sends the request to traefik on 443, which in turn should contact the container in tls without having to handle it?

This is not how it usually works. If LB is terminating TLS, then you would forward to Traefik port 80.

If you want TLS terminated requests being forwarded unencrypted from LB to Traefik port 443, then you should not enable any TLS on the port.
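As an added example (not from this thread or from the Traefik project), here is a docker-compose layout for the three scenarios listed above that keeps every router an HTTP router on the web/websecure entrypoints, so the quoted doc note (TCP routers apply before HTTP routers on a shared entrypoint) never kicks in: the HostSNI(`*`) TCP router on websecure is replaced by an HTTP router that terminates TLS in Traefik and re-encrypts to the fleetdm container. Image names are placeholders, the hostnames are the ones used in the thread, the CA path assumes the internal CA is mounted at `/etc/traefik/certs/ca.pem`, and the `mysql` entrypoint assumes the commented-out `:3306` entrypoint in the static config is enabled.

```yaml
services:
  # Scenario 1: pfsense -> 443 -> Traefik terminates TLS -> https -> container.
  # An HTTP router replaces the HostSNI(`*`) TCP router, which would otherwise
  # capture every TLS connection on websecure before any HTTP router is tried.
  fleetdm:
    image: fleetdm/fleet          # placeholder, not a pinned version
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.fleetdm.rule=Host(`fleetdm.company.it`)"
      - "traefik.http.routers.fleetdm.entrypoints=websecure"
      - "traefik.http.routers.fleetdm.tls=true"
      - "traefik.http.services.fleetdm.loadbalancer.server.port=8080"
      # Re-encrypt to the container and verify its certificate against the
      # internal CA (assumed mount path) rather than skipping verification
      # with insecureSkipVerify.
      - "traefik.http.services.fleetdm.loadbalancer.server.scheme=https"
      - "traefik.http.serversTransports.fleetdm-tls.rootCAs=/etc/traefik/certs/ca.pem"
      - "traefik.http.services.fleetdm.loadbalancer.serverstransport=fleetdm-tls@docker"

  # Scenario 2: pfsense -> 443 -> Traefik terminates TLS -> plain http -> container.
  snipe-it:
    image: snipe/snipe-it         # placeholder
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.snipe-it.rule=Host(`asset.company.it`)"
      - "traefik.http.routers.snipe-it.entrypoints=websecure"
      - "traefik.http.routers.snipe-it.tls=true"
      - "traefik.http.services.snipe-it.loadbalancer.server.port=80"

  # Scenario 3: http on port 80 end to end; only the web entrypoint, no tls.
  portainer:
    image: portainer/portainer-ce # placeholder
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.portainer.rule=Host(`portainer.company.it`)"
      - "traefik.http.routers.portainer.entrypoints=web"
      - "traefik.http.services.portainer.loadbalancer.server.port=9000"

  # MySQL: its wire protocol does not start with a TLS ClientHello, so it can
  # never be matched by SNI on 443; give it its own entrypoint (the commented
  # mysql :3306 entrypoint in the static config) and a catch-all TCP router.
  mysql:
    image: mysql:8                # placeholder
    labels:
      - "traefik.enable=true"
      - "traefik.tcp.routers.mysql.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.mysql.entrypoints=mysql"
      - "traefik.tcp.services.mysql.loadbalancer.server.port=3306"
```

With the Docker provider watching the socket, each new container's labels are picked up without restarting Traefik; a file-provider equivalent is only needed for targets that are not containers, such as the NAS router above.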
