LXC and Middleware Madness, Internal and External config not working

Hello everyone! I'm very new to traefik and I am still wrapping my head around what is going on here. I can't seem to get this configuration quite correct.

I have been following a guide from here to get this set up, but this only accepts one entry point. However, I want ones for internal (80, 443) and a separate one for external (81, 444). Every time I adjust the settings I seem to get more and more lost.

My configuration is as follows:
[traefik.yaml]

global:
  checkNewVersion: true
  sendAnonymousUsage: true

providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true

entryPoints:
  http:
    address: ':80'
    http:
     middlewares:
       - internal-hosts-endorsed
  https:
    address: ':443'
    http:
     middlewares:
       - internal-hosts-endorsed

  external-http:
    address: ':81'
    http:
     middlewares:
       - external-hosts-endorsed

  external-https:
    address: ':444'
    http:
     middlewares:
       - external-hosts-endorsed

[hosts-https.yaml]

http:
 routers:
   hoarder:
     entryPoints:
       - "https"
     rule: "Host(`hoarder.mydomain.com`)"
     middlewares:
       - internal-https-hosts
       - external-https-hosts
     tls:
       certResolver: cloudflare
       domains:
         - main: "hoarder.mydomain.com"
     service: hoarder

 services:
   hoarder:
     loadBalancer:
       servers:
         - url: "http://192.168.X.X:3000"
       passHostHeader: true
       serversTransport: "hoarder"

 serversTransports:
   hoarder:
     insecureSkipVerify: true

[core.yaml]

http:
 routers:
   dashboard:
     rule: "Host(`traefik.mydomain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
     service: api@internal
     middlewares:
       - auth

   catchall:
     entryPoints:
       - "http"
       - "https"
     rule: "PathPrefix(`/`)"
     service: unavailable
     priority: 1

 services: 
   unavailable: 
     loadBalancer: 
       servers: {}

 middlewares:
   auth:
     basicAuth:
       users:  
         - "nat:$1RamdonChars"

   internal-hosts-endorsed:
     ipAllowList:
       sourceRange:
         - "192.168.0.0/16"
         - "127.0.0.1/16"

   external-hosts-endorsed:
     ipAllowList:
       sourceRange:
         - "0.0.0.0"

   http-only:
     redirectScheme:
       scheme: http
       permanent: true

   internal-http-hosts:
     chain:
       middlewares:
         - internal-hosts-endorsed
         - http-only

   external-http-hosts:
     chain:
       middlewares:
         - external-hosts-endorsed
         - http-only

   https-only:
     redirectScheme:
       scheme: https
       permanent: true

   internal-https-hosts:
     chain:
       middlewares:
         - internal-hosts-endorsed
         - https-only

   external-https-hosts:
     chain:
       middlewares:
         - external-hosts-endorsed
         - https-only

From what I can tell the issue is with the "external-hosts-endorsed" part of the config, but somehow this doesn't work at all any more.

When the Traefik dashboard does work it suggests there are no errors with that part of the config. <-- LOL

I would be grateful for any help in clarifying this, so that I can put more of my hosts in my config.

I have made a few changes to the config. Now I can get the internal access to work fine, but the external access (81, 444) gives me the response "Forbidden".

[hosts-https.yaml] - snippets

http:
 routers:
   hoarder:
     entryPoints:
       - "https"
     rule: "Host(`hoarder.mydomain.com`)"
     middlewares:
       - internal-https-hosts
     tls:
       certResolver: cloudflare
       domains:
         - main: "hoarder.mydomain.com"
     service: hoarder

   hoarder-external:
     entryPoints:
       - "external-https"
     rule: "Host(`hoarder.mydomain.com`)"
     middlewares:
       - external-https-hosts
     tls:
       certResolver: cloudflare
       domains:
         - main: "hoarder.mydomain.com"
     service: hoarder-external

 services:
   hoarder:
     loadBalancer:
       servers:
         - url: "http://192.168.X.X:3000"
       passHostHeader: true
       serversTransport: "hoarder"

   hoarder-external:
     loadBalancer:
       servers:
         - url: "http://192.168.X.X:3000"
       passHostHeader: true
       serversTransport: "hoarder-external"

 serversTransports:
   hoarder-external:
     insecureSkipVerify: true

[core.yaml] - snippets

   catchall:
     entryPoints:
       - "http"
       - "https"
       - "external-http"
       - "external-https"
     rule: "PathPrefix(`/`)"
     service: unavailable
     priority: 1
...
   internal-hosts-endorsed:
     ipAllowList:
       sourceRange:
         - "192.168.0.0/16"

   external-hosts-endorsed:
     ipAllowList:
       sourceRange:
         - "0.0.0.0"

Making progress, but not sure how I need to modify that ipAllowList to allow IPs from the external network to have access.

That’s not really a range, you probably need to add the / part:

You don’t need that, as Traefik LetsEncrypt will use the domain from .rule=Host():

I tried adding 0.0.0.0/8 but that didn't make any difference. Any suggestion as to what I should make it?

Try 0.0.0.0/0 instead.
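To make the difference between the three candidate values concrete, here is a small model of the ipAllowList decision. This is an added example, not code from the thread or from Traefik itself; it assumes only what the Traefik documentation states: a sourceRange entry is either a single IP (an exact match) or a CIDR network, the request passes when the client IP matches at least one entry, and ipStrategy.depth chooses which address counts as the client (0 = the TCP peer; N = the Nth address from the right of X-Forwarded-For, denied when the header has fewer than N addresses). The client and CDN addresses are constructed from documentation IP ranges.

```python
"""Model of Traefik's ipAllowList decision for the sourceRange values in this thread.

Added example, not code from the thread or from Traefik. Assumes only the
documented behaviour: an entry is a single IP (exact match) or a CIDR, the
request is allowed when at least one entry matches, and ipStrategy.depth
selects the evaluated address (0 = TCP peer, N = Nth from the right of
X-Forwarded-For, empty and therefore denied when too few hops are present).
"""
import ipaddress


def normalized(entries):
    """Show what each sourceRange string really covers.

    A bare "0.0.0.0" becomes 0.0.0.0/32, i.e. it matches exactly that one
    address and nothing else; "127.0.0.1/16" is accepted with host bits set
    and means 127.0.0.0/16. A malformed entry raises ValueError.
    """
    return [str(ipaddress.ip_network(e, strict=False)) for e in entries]


def client_ip(remote_addr, x_forwarded_for="", depth=0):
    """Return the address the middleware evaluates, or None if there is none."""
    if depth == 0:
        return ipaddress.ip_address(remote_addr)
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    if depth > len(hops):
        return None  # fewer proxies recorded than depth asks for: empty client IP
    return ipaddress.ip_address(hops[-depth])


def is_allowed(source_range, remote_addr, x_forwarded_for="", depth=0):
    """True when the selected client IP is inside at least one allowed range."""
    ip = client_ip(remote_addr, x_forwarded_for, depth)
    if ip is None:
        return False
    return any(ip in ipaddress.ip_network(e, strict=False) for e in source_range)


# Constructed scenario data (documentation ranges): a LAN client, a WAN client
# on a phone hotspot, and a CDN edge forwarding for that WAN client.
LAN_CLIENT = "192.168.1.50"
WAN_CLIENT = "203.0.113.9"
CDN_EDGE = "198.51.100.7"


def scenarios():
    """Evaluate the thread's candidate external lists plus a CDN-in-front case."""
    return {
        "internal list, LAN client": is_allowed(["192.168.0.0/16"], LAN_CLIENT),
        "internal list, WAN client": is_allowed(["192.168.0.0/16"], WAN_CLIENT),
        "'0.0.0.0' as posted, WAN client": is_allowed(["0.0.0.0"], WAN_CLIENT),
        "'0.0.0.0/8', WAN client": is_allowed(["0.0.0.0/8"], WAN_CLIENT),
        "'0.0.0.0/0', WAN client": is_allowed(["0.0.0.0/0"], WAN_CLIENT),
        # Behind a CDN the TCP peer is the edge, so a list naming the real client
        # only works once depth tells Traefik to look one hop back in X-Forwarded-For.
        "WAN client via CDN, depth 0": is_allowed(["203.0.113.0/24"], CDN_EDGE, WAN_CLIENT, 0),
        "WAN client via CDN, depth 1": is_allowed(["203.0.113.0/24"], CDN_EDGE, WAN_CLIENT, 1),
    }


if __name__ == "__main__":
    print(normalized(["192.168.0.0/16", "127.0.0.1/16", "0.0.0.0", "0.0.0.0/0"]))
    for label, ok in scenarios().items():
        print(f"{'allow' if ok else 'deny ':5} {label}")
```

The bare "0.0.0.0" admits a single address that no real client has, "0.0.0.0/8" only covers 0.x.x.x, and "0.0.0.0/0" admits every IPv4 source, so the external middleware then filters nothing at all. The last two scenarios show why a proxy such as Cloudflare in front of Traefik changes the verdict of any narrower list: without an ipStrategy depth the middleware judges the proxy's address, not the visitor's.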

OK so there is a change now.... If I use port 444 internally, I get the website... if I turn off the internal network and use the external network (phone hotspot) I get the error "no available server"

I'm getting more and more lost, with each configuration change (very little and subtle) I keep getting dissimilar errors. Now I'm getting "Too many Redirect" error messages when I access the network from outside the LAN.

I can see pages on ports 80, 81,443 and 444 internally. I have ports 81 and 444 mapped to 80 and 443 in my router to go to the Traefik server. The port mapping seems fine as I see output from the proxy.

I've also tried to add the redirect from HTTP to HTTPS and that seems to have broken the dashboard now as I can only access that on 8080 now if I turn insecure on.

entryPoints:
  http:
    address: ':80'
    http:
     redirections:
        entryPoint:
          scheme: https
          to: https

and I tried adding SSL to the dashboard setup and that failed, or I didn't know what I was doing.

Perhaps I'm going down the wrong path altogether, so I will post my (redacted) configuration and see if someone can show me a better way of doing what I'm doing. I've got MANY more hosts I need to add as well.

This is running on a Proxmox server under an LXC container, so I don't have the Docker environment variables like a lot of the other support requests. That is only adding to my confusion because I don't know how to translate everything very well.

Unifi Router has a NAT rule saying external incoming 80->81 Traefik server and 443->444 Traefik server.

Currently, the dashboard is running insecure as I can't seem to get it to work on port 443 internally.

[traefik.yaml]

global:
  checkNewVersion: true
  sendAnonymousUsage: true

api:
  dashboard: true
  insecure: true
  debug: false
  disableDashboardAd: true

providers:
  file:
    directory: /etc/traefik/dynamic
    watch: true

entryPoints:
  http:
    address: ':80'
    http:
     redirections:
        entryPoint:
          scheme: https
          to: https

  https:
    address: ':443'
    http:
     middlewares:
       - internal-hosts-endorsed

  external-http:
    address: ':81'
    http:
     middlewares:
       - external-hosts-endorsed

  external-https:
    address: ':444'
    http:
     middlewares:
       - external-hosts-endorsed


certificatesResolvers:
 cloudflare:
   acme:
     caServer: https://acme-v02.api.letsencrypt.org/directory
     email: me@mydomain.com
     storage: /etc/traefik/acme.json
     dnschallenge:
       provider: cloudflare
       resolvers:
         - "1.1.1.1:53"
         - "1.0.0.1:53"
         
log:
  filePath: /var/log/traefik/traefik.log
  format: json
  level: INFO
  maxAge: 48

accessLog:
  filePath: /var/log/traefik/traefik-access.log
  format: json
  filters:
    statusCodes:
      - "200"
      - "400-599"
    retryAttempts: true
    minDuration: "10ms"
  bufferingSize: 0
  fields:
    headers:
      defaultMode: drop
      names:
        User-Agent: keep

metrics:
  addInternals: true

[core.yaml]

http:
 routers:
   dashboard:
     rule: "Host(`traefik.mydomain.com`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))"
     service: api@internal
     middlewares:
       - auth

   catchall:
     entryPoints:
       - "http"
       - "https"
       - "external-http"
       - "external-https"
     rule: "PathPrefix(`/`)"
     service: unavailable
     priority: 1

 services: 
   unavailable: 
     loadBalancer: 
       servers: {}

 middlewares:
   auth:
     basicAuth:
       users:  
         - "nat:SoM3R@nd0mCH@r@cter3"

   internal-hosts-endorsed:
     ipAllowList:
       sourceRange:
         - "192.168.0.0/16"

   external-hosts-endorsed:
     ipAllowList:
       sourceRange:
         - "0.0.0.0/0"

   http-only:
     redirectScheme:
       scheme: http
       permanent: true

   internal-http-hosts:
     chain:
       middlewares:
         - internal-hosts-endorsed
         - http-only

   external-http-hosts:
     chain:
       middlewares:
         - external-hosts-endorsed
         - http-only

   https-only:
     redirectScheme:
       scheme: https
       permanent: true

   internal-https-hosts:
     chain:
       middlewares:
         - internal-hosts-endorsed
         - https-only

   external-https-hosts:
     chain:
       middlewares:
         - external-hosts-endorsed
         - https-only
         
tls:
 options:
   default:
     minVersion: VersionTLS13    # change to a lower version if you expect to service Internet traffic from around the world
     curvePreferences:   # below priority sequence can be changed
       - X25519     # the most commonly used 128-bit
       - CurveP256  # the next most commonly used 128-bit
       - CurveP384  # 192-bit
       - CurveP521  # 256-bit
     sniStrict: true 
 stores:
   default:
     defaultGeneratedCert:
       resolver: cloudflare
       domain:
         main: mydomain.com
         sans:
           - "*.mydomain.com"

[hosts-https.yaml]

http:
 routers:
# Internal Services
   homeassistant:
     entryPoints:
       - "https"
     rule: "Host(`ha.mydomain.com`)"
     middlewares:
       - internal-https-hosts
     tls:
       certResolver: cloudflare
     service: homeassistant

   proxmox:
     entryPoints:
       - "https"
     rule: "Host(`proxmox.mydomain.com`)"
     middlewares:
       - internal-https-hosts
     tls:
       certResolver: cloudflare
     service: proxmox

   hoarder:
     entryPoints:
       - "https"
     rule: "Host(`hoarder.mydomain.com`)"
     middlewares:
       - internal-https-hosts
     tls:
       certResolver: cloudflare
     service: hoarder

   radar:
     entryPoints:
       - "https"
     rule: "Host(`radar.mydomain.com`)"
     middlewares:
       - internal-https-hosts
     tls:
       certResolver: cloudflare
     service: radar
 
   openai:
     entryPoints:
       - "https"
     rule: "Host(`openai.mydomain.com`)"
     middlewares:
       - internal-https-hosts
     tls:
       certResolver: cloudflare
     service: openai
     
   adguard:
     entryPoints:
       - "https"
     rule: "Host(`adguard.mydomain.com`)"
     middlewares:
       - internal-https-hosts
     tls:
       certResolver: cloudflare
     service: adguard
     
# External Services
   homeassistant-external:
     entryPoints:
       - "external-https"
     rule: "Host(`ha.mydomain.com`)"
     middlewares:
       - external-https-hosts
     tls:
       certResolver: cloudflare
     service: homeassistant-external

   hoarder-external:
     entryPoints:
       - "external-https"
     rule: "Host(`hoarder.mydomain.com`)"
     tls:
       certResolver: cloudflare
     service: hoarder-external

   openai-external:
     entryPoints:
       - "external-https"
     rule: "Host(`openai.mydomain.com`)"
     tls:
       certResolver: cloudflare
     service: openai-external

 services:
# Internal Services
   homeassistant:
     loadBalancer:
       servers:
         - url: "http://192.168.x.x:8123"
       passHostHeader: true
       serversTransport: "homeassistant"

   proxmox:
     loadBalancer:
       servers:
         - url: "https://192.168.x.x:8006"
       passHostHeader: true
       serversTransport: "proxmox"

   hoarder:
     loadBalancer:
       servers:
         - url: "http://192.168.x.x:3000"
       passHostHeader: true
       serversTransport: "hoarder"

   radar:
     loadBalancer:
       servers:
         - url: "http://192.168.x.x:7878"
       passHostHeader: true
       serversTransport: "radar"

   openai:
     loadBalancer:
       servers:
         - url: "http://192.168.x.x:80"
       passHostHeader: true
       serversTransport: "openai"
 
   adguard:
     loadBalancer:
       servers:
         - url: "http://192.168.x.x:80"
       passHostHeader: true
       serversTransport: "adguard"
             
# External Services
   homeassistant-external:
     loadBalancer:
       servers:
         - url: "http://192.168.x.x:8123"
       passHostHeader: true
       serversTransport: "homeassistant-external"

   hoarder-external:
     loadBalancer:
       servers:
         - url: "http://192.168.x.x:3000"
       passHostHeader: true
       serversTransport: "hoarder-external"

   openai-external:
     loadBalancer:
       servers:
         - url: "http://192.168.x.x:80"
       passHostHeader: true
       serversTransport: "openai-external"
       
 serversTransports:
# Internal Services
   homeassistant:
     insecureSkipVerify: true
     
   proxmox:
     insecureSkipVerify: true
     
   hoarder:
     insecureSkipVerify: true
     
   radar:
     insecureSkipVerify: true
     
   openai:
     insecureSkipVerify: true
     
   adguard:
     insecureSkipVerify: true
          
# External Services
   homeassistant-external:
     insecureSkipVerify: true
     
   hoarder-external:
     insecureSkipVerify: true
          
   openai-external:
     insecureSkipVerify: true

I would be very grateful for any help, as my whole network is down right now and I can't access anything outside of my network without getting the error "no server available".

Maybe you need to explain again the big picture.

Why multiple entrypoints?

Why catchall?

Why insecure: true?

What is not working? What's the request URL, what's the response?

Why so many services if it's not working, maybe start with one?

For a little inspiration, maybe check simple Traefik example.

Simply put... I have a Proxmox server with multiple VMs all serving HTTP.
I have two ports, 80 and 443, that I want internal, and 81 and 444 to serve hosts from the WAN (see here: https://www.youtube.com/watch?v=IBlZgrwc1T8); these are my entrypoints.

The catchall is.. I have no idea, I simply followed the guide here (Traefik-Proxy 3.x - Setup - Habitats Open Tech).

Insecure: true because I wanted it on HTTPS and didn't want to use it with the ports. Just because.

Internally the sites work fine on all entrypoints (80, 81, 443, 444). Externally (from the internet) I get the error "no server available" from entrypoints 81 and 444 (even though they are fine when used internally).

That does not make sense. When you use insecure, it will automatically run on port 8080 without TLS and without auth (doc).

Where is "no server available" coming from? From Cloudflare, from Traefik? Is the request logged in Traefik access log?

Oh, for the moment I don't care so much about the dashboard. It broke when I chose secure and asked the http (80) port to redirect to https (443), and I couldn't work out how to get the dashboard to work using ssh.

I'm more concerned about not getting the pages externally more than anything.

This is the error I get from the external WAN:

and If I simulate it internally:

This is why I'm so confused :\

If you think you get that error through Traefik, you should check Traefik debug log (doc) and Traefik access log in JSON format (doc) to see what they tell you, especially around the time when the request is taking place.

Also share your docker-compose.yml from the target service.

I'm not using Docker... it's a LXC container

It seems you ignore relevant points:

I've just got back from being out of the country and got all the logs ready to show you annnndddd... it looks like Cloudflare is the issue. I have Proxy turned on and it was causing it to fail. I have no idea what in my Cloudflare config is wrong, but I can access things from external now with no real issues.
I posted a question a long time ago as Cloudflare Proxy wasn't working with Synology Proxy either. Not sure where or how to fix it. Their support seems pretty useless as they point me to the forum and people there won't respond. :(