Info and installation improvement

I would like to ask some questions as I am experiencing several problems.

I currently have traefik installed with docker-compose and its static file traefik,yml where I set the automatic redirect from 80 to 443.

I have some services with their labels in the docker-compose, where I create http routers and they are handled quietly, the problem occurs when I create a tcp router to make sure that requests are forwarded to a container that has its own tls:


      - "traefik.enable=true"
      - "traefik.tcp.routers.fleetdm.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.fleetdm.entrypoints=websecure"
      - ""

i see a lot of tls handshake errors, also if i turn off some applications that have http router and Host=('') directive, the request is directed to the tcp router.

At this time I would like to ask how to:

  1. have all the http routers in tls
    I currently use:
      - "traefik.enable=true"
      - "traefik.http.routers.snipe-it.entrypoints=web,websecure"
      - "traefik.http.routers.snipe-it.rule=Host(``)"
      - ""
      - "traefik.http.routers.snipe-it.tls=true"
  1. making sure to turn the above tcp router into an http router by handling the tls, instead of having it handled by the container and allowing it to both reach the web interface and accept REST calls

  2. mislabeling the above tcp router put me all the other http routers in 404 page not found including the traefik dashboard, do i have a way to put all routers both http and tcp on one file instead of using labels within each container?, so that after each app is created it is seen by traefik automatically without having to restart traefik or the web app itself?

  3. How do I balance a mysql container and make sure that port 3306 is always exposed on 443?


What do you want to achieve? You want all TLS connections to go through port 443? You want Traefik to manage all TLS certs? Should the internal TCP forward then use the target cert?

Note the doc (link):

If both HTTP routers and TCP routers listen to the same entry points, the TCP routers will apply before the HTTP routers. If no matching route is found for the TCP routers, then the HTTP routers will take over.

Hi @bluepuma77 ,
I tried again today, but to no avail, my current configuration is

All web apps have the following labels in the docker-compose.yml

      - "traefik.enable=true"
      - "traefik.http.routers.portainer.entrypoints=web"
      - "traefik.http.routers.portainer.rule=Host(``)"
      - ""

also i have a web app called fleetdm which is used to manage all the company pc's, where they connect from outside through api and its web interface is reachable internally.

since that application, has its own certificate in addition to the one on the firewall, in order to use this application behind traefik, I had to insert the labels as follows after several tests:

      - "traefik.enable=true"
      - "traefik.tcp.routers.fleetdm.rule=HostSNI(`*`)"
      - "traefik.tcp.routers.fleetdm.entrypoints=websecure"
      - ""

only doing so, setting other tcp routers don't work and putting HostSNI(" I get the error "invalid rule: "HostSNI(" , has HostSNI matcher, but no TLS on router"

I tried to disable the redirect from 80 to 443 on the pfsense firewall, in order to manage it on the traefik and be able to have applications in 80 and applications in 443, it did not work, as when traefik does the redirect it does it on the public ip, instead of doing it internally, as follows but it does not work, as traefik, it does as per photo 1 instead of doing as per photo 2(required result)

incorrect proxy behavior:

desired behaviour:

also i have a traefik-dynamic.yml file that contains the router that redirects to the nas, if i try to add more router inside it sends me to 4040 page not found all applications including traefik gui

      rule: "Host(``)"
        - web
          #  - websecure
          #tls: {}
      service: qnap-nas
          - url: ""
        passHostHeader: true

so my problem lies in the fact that I can't handle applications with https traffic and not http traffic

can you help me to achieve what is specified below?
I have several unreachable applications for misconfigured labels

I want to have the following application scenarios:

scenario 1)
client => pfsense => https(443) => traefik => https(443) => web app

scenario 2)
client => pfsense => https(443) => traefik => http(80) => web app

scenario 3)
client => pfsense => http(80) => traefik => http(80) => web app

Should I go ahead with labels or dynamic files?

my traefik static conf:

  checkNewVersion: true
  sendAnonymousUsage: false  # true by default

# (Optional) Log information
# ---
  # Log level
  # Optional
  # Default: "ERROR"
  level: DEBUG

  # Sets the filepath for the traefik log. If not specified, stdout will be used.
  # Intermediate directories are created if necessary.
  # Optional
  # Default: os.Stdout
  format: json
  filePath: /var/log/traefik/traefik.log
# (Optional) Accesslog
# ---
   format: json  # common, json, logfmt
   filePath: /var/log/traefik/access.log

# (Optional) Enable API and Dashboard
# ---
  dashboard: true  # true by default
  insecure: false # Don't do this in production!
# Entry Points configuration
# ---
    address: :80
    # (Optional) Redirect to HTTPS
    # ---
    #  redirections:
    #    entryPoint:
    #      to: websecure

    address: :443

    #address: :3306
# Configure your CertificateResolver here...
# ---
#  staging:
#    acme:
#      email:
#      storage: /etc/traefik/certs/acme.json
#      caServer: ""
#            httpChallenge:
#        entryPoint: web
#  production:
#    acme:
#      email:
#      storage: /etc/traefik/certs/acme.json
#      caServer: ""
#      httpChallenge:
#        entryPoint: web

# (Optional) Overwrite Default Certificates
          certFile: /etc/traefik/certs/cert.pem
          keyFile: /etc/traefik/certs/cert-key.pem
        # caFile: /etc/traefik/certs/ca.pem
# (Optional) Disable TLS version 1.0 and 1.1
#  options:
#    default:
#      minVersion: VersionTLS12
#      cipherSuites:
#        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
#        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256

    exposedByDefault: false
    # watch for dynamic configuration changes
    directory: /etc/traefik
    watch: true

# Dynamic Configuration
      rule: Host(``) #&& (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
      service: api@internal
        - web
          #options: default
        - auth
        usersFile: "/etc/traefik/.htpasswd"

i have mu own certificate.

thanks very much

Any news @bluepuma77 ? Can you help me?

We have a managed LoadBalancer in front of Traefik, we just pass 80+443 straight through as TCP, no TLS certs involved.

Then we have a simple Traefik setup, with entrypoints for 80, redirecting to 443, and a LetsEncrypt TLS entrypoint on 443, which routers are using with Host().

By the way: the redirect is a response to the original request, telling the client to use a different scheme and port for the request.

so in my case how the labels should be, if my loadbalancer handles the tls and sends the request to traefik in 443 which in turn should contact the container in tls without having to handle it

This is not how it usually works. If LB is terminating TLS, then you would forward to Traefik port 80.

If you want TLS terminated requests being forwarded unencrypted from LB to Traefik port 443, then you should not enable any TLS on the port.

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.