Issues with routers when making HTTPS requests to Traefik

Guys, I'm having some problems with routers when I make HTTPS requests to Traefik. It looks like Traefik can't match the Host, but if I make requests using just HTTP, it works fine!

First of all, my Traefik is behind an AWS Network Load Balancer. I'm using a Network Load Balancer so that I can let Traefik handle the TLS certificates.

I have this domain "http://checkout.cloudfycheckout.com" that points to my Network Load Balancer. Note that this one is using only HTTP.

I also have a domain called "https://pay.reactgratis.com" that also points to my Network Load Balancer. This domain has a valid TLS certificate that was generated by Traefik using Let's Encrypt. Here's my static configuration

---Static configuration---

Here's my dynamic configuration

When I call like this "curl -H Host:pay.reactgratis.com http://checkout.cloudfycheckout.com", it works as expected, probably because I'm not using HTTPS.

But if I call like this "curl -H Host:pay.reactgratis.com https://pay.reactgratis.com", it returns me a 404 page not found.

Both domains point to your LB IP? Is the LB doing just TCP and forwards every request to Traefik?

Do you see both requests in the Traefik access log?

Maybe enable and check Traefik debug log, too.

Yes, they are both pointing to the same network LB, and the network LB is only doing TCP and forwarding the request to my Traefik instance.

The request made at 13:44 I did using HTTPS, like this: "curl -H Host:pay.reactgratis.com https://pay.reactgratis.com". This request didn't match any router, as you can see in the log.

Whereas the request made at 13:43 was made like this: "curl -H Host:pay.reactgratis.com http://pay.reactgratis.com", and it worked as I expected.

As you can see, the only difference is the protocol being used: for one I used HTTP and for the other HTTPS. I noticed that the HTTP version also changed from 1.1 to 2.0, correct me if I'm mistaken.

The different protocols go to different target services.

Enable Traefik access log in JSON format (doc) to see if 404 comes from target service ("OriginStatus") or only from Traefik itself ("DownstreamStatus").

Nice Puma! Here are the logs in JSON

HTTPS request

{
  "ClientAddr": "172.31.2.251:40965",
  "ClientHost": "172.31.2.251",
  "ClientPort": "40965",
  "ClientUsername": "-",
  "DownstreamContentSize": 19,
  "DownstreamStatus": 404,
  "Duration": 25507,
  "GzipRatio": 0,
  "OriginContentSize": 0,
  "OriginDuration": 0,
  "OriginStatus": 0,
  "Overhead": 25507,
  "RequestAddr": "pay.reactgratis.com",
  "RequestContentSize": 0,
  "RequestCount": 3,
  "RequestHost": "pay.reactgratis.com",
  "RequestMethod": "GET",
  "RequestPath": "/",
  "RequestPort": "-",
  "RequestProtocol": "HTTP/2.0",
  "RequestScheme": "https",
  "RetryAttempts": 0,
  "StartLocal": "2024-11-16T18:56:43.787022633Z",
  "StartUTC": "2024-11-16T18:56:43.787022633Z",
  "TLSCipher": "TLS_CHACHA20_POLY1305_SHA256",
  "TLSVersion": "1.3",
  "entryPointName": "web",
  "level": "info",
  "msg": "",
  "time": "2024-11-16T18:56:43Z"
}

HTTP request

{
  "ClientAddr": "172.31.2.251:37633",
  "ClientHost": "172.31.2.251",
  "ClientPort": "37633",
  "ClientUsername": "-",
  "DownstreamContentSize": 61298,
  "DownstreamStatus": 200,
  "Duration": 69869992,
  "OriginContentSize": 61298,
  "OriginDuration": 69745600,
  "OriginStatus": 200,
  "Overhead": 124392,
  "RequestAddr": "pay.reactgratis.com",
  "RequestContentSize": 0,
  "RequestCount": 2,
  "RequestHost": "pay.reactgratis.com",
  "RequestMethod": "GET",
  "RequestPath": "/",
  "RequestPort": "-",
  "RequestProtocol": "HTTP/1.1",
  "RequestScheme": "http",
  "RetryAttempts": 0,
  "RouterName": "index@http",
  "ServiceAddr": "www.debugbear.com",
  "ServiceName": "myService@http",
  "ServiceURL": "https://www.debugbear.com",
  "StartLocal": "2024-11-16T18:56:15.603732031Z",
  "StartUTC": "2024-11-16T18:56:15.603732031Z",
  "entryPointName": "web",
  "level": "info",
  "msg": "",
  "time": "2024-11-16T18:56:15Z"
}

Shouldn't the field "entryPointName" have the value "web-secure" in the first log? If so, why isn't this "web-secure"? Maybe because of my LB? If it's because of the LB, I don't know what to do really, because I would need Traefik to handle the TLS certificates, as it is a requirement for my use case. I tried using an Application LB; the problem was that the ALB was the one handling the certificates.
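Added example, not part of the original posts: a small Python triage of Traefik JSON access-log entries that applies the OriginStatus/DownstreamStatus check suggested above and reports which entry point handled a TLS request that no router claimed. The sample lines are constructed from a subset of the fields in the two entries posted above; the function names, the verdict labels and the reading of a missing "RouterName" as "no router matched" are assumptions of this example.

```python
import json

# Constructed input: a subset of the fields from the two entries posted above,
# plus one non-JSON line to show that mixed log output is skipped.
SAMPLE_LOG = "\n".join([
    json.dumps({"DownstreamStatus": 404, "OriginStatus": 0,
                "RequestHost": "pay.reactgratis.com", "RequestScheme": "https",
                "TLSVersion": "1.3", "entryPointName": "web"}),
    json.dumps({"DownstreamStatus": 200, "OriginStatus": 200,
                "RequestHost": "pay.reactgratis.com", "RequestScheme": "http",
                "RouterName": "index@http", "ServiceName": "myService@http",
                "entryPointName": "web"}),
    "time=... level=debug msg=...",
])


def classify(entry):
    """Say who produced the response recorded in one JSON access-log entry."""
    if not entry.get("RouterName"):
        return "no-router-matched"      # assumption: no router claimed the request
    if entry.get("OriginStatus", 0) == 0:
        return "answered-by-traefik"    # router matched, backend returned no status
    return "answered-by-backend"


def triage(log_text):
    """Return one finding per parseable entry; non-JSON lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(entry, dict):
            continue
        findings.append({
            "host": entry.get("RequestHost"),
            "entry_point": entry.get("entryPointName"),
            "tls": "TLSVersion" in entry,
            "status": entry.get("DownstreamStatus"),
            "verdict": classify(entry),
        })
    return findings


def unrouted_tls(findings):
    """Entry points that handled a TLS request for which no router matched."""
    return sorted({f["entry_point"] for f in findings
                   if f["tls"] and f["verdict"] == "no-router-matched"})


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
    print("TLS requests with no router on:", unrouted_tls(triage(SAMPLE_LOG)))
```

An entry point listed by `unrouted_tls` is the one to compare against the "entryPoints" list of the router that was expected to match.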

For a pure TCP LB (ignoring TLS), you need to forward port 80->80 and 443->443. Works for us.

Guys: I was wrong with the solution below! What really worked for me was removing the property "entryPoint" entirely from my routers object! :pray:

Thank you so much for the support Puma, but I solved this problem by changing the "entryPoint" in the dynamic configuration to ["web"] instead of ['websecure']. I think this is a workaround, but it seems to be working as I expect, it is even handling TLS properly!

Here's the example for anyone having this same problem
