Internal server error when proxying to https with self-signed cert

Hi,
I am trying to get a proxy working from my Traefik with Docker and file dynamic configuration, and I get an error when I try to proxy to https (Proxmox web interface on another host).
The error is 500 Internal server error.
I see that some packages are received by my Proxmox web interface, but nothing more :confused:
I turned off my Proxmox server and after this Traefik shows me "Bad gateway", so I think the configuration is working.

My config:
rules.yml:
http:
  routers:
    pve1_krk_route:
      rule: "Host(`pve1.xxxx.pl`)"
      service: pve1_krk
      entryPoints:
        - websecure
      tls:
        certResolver: le

  services:
    pve1_krk:
      loadBalancer:
        servers:
          - url: "https://192.168.0.61:8006"

traefik debug file:

time="2021-07-03T22:35:14+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: begin ServeHttp on request" Request="{"Method":"GET","URL":{"Scheme":"","Opaque":"","User":null,"Host":"","Path":"/","RawPath":"","ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"Proto":"HTTP/2.0","ProtoMajor":2,"ProtoMinor":0,"Header":{"Accept":["/"],"User-Agent":["curl/7.76.1"],"X-Forwarded-Host":["pve1.xxxx.pl"],"X-Forwarded-Port":["443"],"X-Forwarded-Proto":["https"],"X-Forwarded-Server":["35dce1d5c549"],"X-Real-Ip":["xxx.xxx.xxx.162"]},"ContentLength":0,"TransferEncoding":null,"Host":"pve1.xxxx.pl","Form":null,"PostForm":null,"MultipartForm":null,"Trailer":null,"RemoteAddr":"xxx.xxx.xxx.xxx:45574","RequestURI":"/","TLS":null}"
time="2021-07-03T22:35:14+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{"Method":"GET","URL":{"Scheme":"","Opaque":"","User":null,"Host":"","Path":"/","RawPath":"","ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"Proto":"HTTP/2.0","ProtoMajor":2,"ProtoMinor":0,"Header":{"Accept":["/"],"User-Agent":["curl/7.76.1"],"X-Forwarded-Host":["pve1.xxxxl.pl"],"X-Forwarded-Port":["443"],"X-Forwarded-Proto":["https"],"X-Forwarded-Server":["35dce1d5c549"],"X-Real-Ip":["83.19.215.162"]},"ContentLength":0,"TransferEncoding":null,"Host":"pve1.xxxx.pl","Form":null,"PostForm":null,"MultipartForm":null,"Trailer":null,"RemoteAddr":"xxx.xxx.xxx.xxx:45574","RequestURI":"/","TLS":null}" ForwardURL="https://192.168.99.61:8006"
time="2021-07-03T22:35:14+02:00" level=debug msg="vulcand/oxy/roundrobin/rr: completed ServeHttp on request" Request="{"Method":"GET","URL":{"Scheme":"","Opaque":"","User":null,"Host":"","Path":"/","RawPath":"","ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"Proto":"HTTP/2.0","ProtoMajor":2,"ProtoMinor":0,"Header":{"Accept":["/"],"User-Agent":["curl/7.76.1"],"X-Forwarded-Host":["pve1.xxxx.pl"],"X-Forwarded-Port":["443"],"X-Forwarded-Proto":["https"],"X-Forwarded-Server":["35dce1d5c549"],"X-Real-Ip":["xxx.xxx.xxx.xxx"]},"ContentLength":0,"TransferEncoding":null,"Host":"pve1.xxxx.pl","Form":null,"PostForm":null,"MultipartForm":null,"Trailer":null,"RemoteAddr":"xxx.xxx.xxx.xxx:45574","RequestURI":"/","TLS":null}"


Hello @svirus,

If you are going to be proxying to a server that uses a self-signed certificate, you will need to configure a serversTransport to tell Traefik how to handle the certificate. You may wish to have Traefik skip the validation and verification of the certificate (Services - Traefik) or you may want to provide Traefik with a root/intermediate certificate to verify with: (Services - Traefik).

This will allow Traefik to successfully connect to your TLS-enabled backends with self-signed certificates.

Thanks for the reply.
Last question...
I can't find in the documentation how I can tell my service to use a transport with insecureSkipVerify?

Where should I put it?

My configuration is:

http:
  routers:
    pve1_krk_route:
      rule: "Host(`pve1.xxxx.pl`)"
      service: pve1_krk
      entryPoints:
        - websecure
      tls:
        certResolver: le

  services:
    pve1_krk:
      loadBalancer:
        servers:
          - url: "https://192.168.0.1:8006"
  serversTransports:
    mytransport:
      insecureSkipVerify: true

Hello @svirus,

That looks good, now all you have to do is to tell Traefik to use the serversTransport on your service loadbalancer with the option: (Services - Traefik)

  services:
    pve1_krk:
      loadBalancer:
        serversTransport: mytransport
        servers:
          - url: "https://192.168.0.1:8006"

Works great!
Thanks!

My full working config:

http:
  routers:
    pve1_krk_route:
      rule: "Host(`pve1.xxxx.pl`)"
      service: pve1_krk
      entryPoints:
        - websecure
      tls:
        certResolver: le

  services:
    pve1_krk:
      loadBalancer:
        serversTransport: insecureTransport
        servers:
          - url: "https://192.168.0.1:8006"

  serversTransports:
    insecureTransport:
      insecureSkipVerify: true
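
As an added example (not from the thread or from the Traefik project): the other option named in the first reply, giving Traefik the backend's CA to verify with instead of skipping verification, shown beside the setting used above. The transport name `pveTransport`, the CA file path and the `serverName` value are assumptions; the CA file must be the one that issued the Proxmox certificate, made readable to Traefik at that path.

```yaml
http:
  services:
    pve1_krk:
      loadBalancer:
        # Must match a key under serversTransports exactly.
        serversTransport: pveTransport
        servers:
          - url: "https://192.168.0.1:8006"

  serversTransports:
    # Setting from the thread: the backend certificate is not checked at all,
    # so Traefik accepts whatever host answers on that address.
    insecureTransport:
      insecureSkipVerify: true

    # Verified variant: trust only the CA that issued the backend certificate.
    pveTransport:
      rootCAs:
        - /etc/traefik/certs/pve-root-ca.pem   # assumed path as seen by Traefik
      # The server URL is an IP address. serverName sets the name the
      # certificate is checked against; it must appear as a SAN in the
      # backend certificate.
      serverName: "pve1.example.internal"       # assumed value
```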
