Middleware "https-redirect@file" does not exist in Traefik 2.3

Hi guys,

I've got an issue similar to https://github.com/traefik/traefik/issues/7342 - but I'm not quite sure where my indentation issue is, I'm being a muppet I think.

I'm getting the following error:

I understand that in 2.3 things are a bit more strict, hence the error. This works in 2.2.

This is my middlewares.toml:

[http.middlewares]
  [http.middlewares.middlewares-basic-auth]
    [http.middlewares.middlewares-basic-auth.basicAuth]
#      username=user, password=mystrongpassword (listed below after hashing)
#      users = [
#        "user:$apr1$bv<stronghash>DGlduxK4AqRsTwHnvc1",
#      ]
      realm = "Traefik2 Basic Auth"
      usersFile = "/shared/.htpasswd" #be sure to mount the volume through docker-compose.yml

  [http.middlewares.middlewares-rate-limit]
    [http.middlewares.middlewares-rate-limit.rateLimit]
      average = 100
      burst = 50

# Available Header Options:
#####https://github.com/unrolled/secure#available-options
#####https://docs.traefik.io/middlewares/headers/
# A great resource for these headers is your preferred browser's docs. Firefox: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers
# https://developers.google.com/search/reference/robots_meta_tag
# https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/Clickjacking_Defense_Cheat_Sheet.md
# CSP for VNC: https://github.com/cockpit-project/cockpit/pull/5932
# Check headers here, don't include OAuth when checking headers, otherwise you are checking google's headers: https://securityheaders.com
# or check them here: https://observatory.mozilla.org/

# CAUTION: Any headers defined in docker-compose (yml) will OVERWRITE ALL of the headers defined below.

  [http.middlewares.middlewares-secure-headers]
    [http.middlewares.middlewares-secure-headers.headers]
      accessControlAllowMethods= ["GET", "OPTIONS", "PUT"]
      accessControlMaxAge = 100
      hostsProxyHeaders = ["X-Forwarded-Host"]
      sslRedirect = true
      stsSeconds = 31536000
      stsIncludeSubdomains = true
      stsPreload = true
      forceSTSHeader = true
#     frameDeny = true #overwritten by customFrameOptionsValue
      customFrameOptionsValue = "allow-from https://mydomain.com" #CSP takes care of this but may be needed for organizr.
      contentTypeNosniff = true
      browserXssFilter = true
#     sslForceHost = true # add sslHost and all of the services
#     sslHost = "example.com"
      referrerPolicy = "same-origin"
#      Setting contentSecurityPolicy is more secure but it can break things. Proper auth will reduce the risk.
#      the below line also breaks some apps due to 'none' - sonarr, radarr, etc.
#      contentSecurityPolicy = "frame-ancestors '*.example.com:*';object-src 'none';script-src 'none';"
      featurePolicy = "camera 'none'; geolocation 'none'; microphone 'none'; payment 'none'; usb 'none'; vr 'none';"

  [http.middlewares.middlewares-secure-headers.headers.customResponseHeaders]
    X-Robots-Tag = "none,noarchive,nosnippet,notranslate,noimageindex,"
    server = ""

  [http.middlewares.middlewares-oauth]
    [http.middlewares.middlewares-oauth.forwardAuth]
      address = "http://oauth:4181" # Make sure you have the OAuth service in docker-compose.yml
      trustForwardHeader = true
      authResponseHeaders = ["X-Forwarded-User"]

  [http.middlewares.middlewares-authelia]
    [http.middlewares.middlewares-authelia.forwardAuth]
      address = "http://authelia:9091/api/verify?rd=https://authelia.mydomain.com"

  [http.middlewares.compress.compress]

[tls.options]
  [tls.options.intermediate]
    minVersion = "VersionTLS12"
    sniStrick = "true"
    cipherSuites = [
      "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
      "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
      "TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305",
      "TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305",
      "TLS_AES_128_GCM_SHA256",
      "TLS_AES_256_GCM_SHA384",
      "TLS_CHACHA20_POLY1305_SHA256",
      "TLS_FALLBACK_SCSV" # Client is doing version fallback. See RFC 7507
    ]

Middlewares-chains.toml:

[http.middlewares]
  [http.middlewares.chain-no-auth]
    [http.middlewares.chain-no-auth.chain]
      middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "compress"]

[http.middlewares.chain-basic-auth]
  [http.middlewares.chain-basic-auth.chain]
    middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "middlewares-basic-auth", "compress"]

[http.middlewares.chain-oauth]
  [http.middlewares.chain-oauth.chain]
    middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "middlewares-oauth", "compress"]

[http.middlewares.chain-authelia]
  [http.middlewares.chain-authelia.chain]
    middlewares = [ "middlewares-rate-limit", "middlewares-secure-headers", "middlewares-authelia", "compress"]

Docker-compose:

 #Traefik 2 - Reverse Proxy
  traefik:
    container_name: Traefik
    hostname: Traefik
    # image: traefik:chevrotin # the chevrotin tag refers to v2.2.x
    image: traefik:picodon # the chevrotin tag refers to v2.3.x
    environment:
      - CF_API_EMAIL=$CLOUDFLARE_EMAIL
      - CF_API_KEY=$CLOUDFLARE_API_KEY
      #- PUID=$PUID
      #- PGID=$PGID
    command: # CLI arguments
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=false
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
        # Allow these IPs to set the X-Forwarded-* headers - Cloudflare IPs: https://www.cloudflare.com/ips/
      - --entrypoints.https.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/12,172.64.0.0/13,131.0.72.0/22
      - --entryPoints.traefik.address=:8080
      - --entryPoints.ping.address=:8081
      - --api=true
      - --api.dashboard=true
      - --ping=true
#      - --api.insecure=true
#      - --serversTransport.insecureSkipVerify=true
      - --log=true
      - --log.level=INFO # (Default: error) DEBUG, INFO, WARN, ERROR, FATAL, PANIC
      - --accessLog=true
      - --accessLog.filePath=/traefik.log
      - --accessLog.bufferingSize=100 #Configuring a buffer of 100 lines
      - --accessLog.filters.statusCodes=400-499
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.defaultrule=Host(`{{ index .Labels "com.docker.compose.service" }}.$DOMAINNAME`)
      - --providers.docker.exposedByDefault=false
      # - --entrypoints.https.http.middlewares=chain-authelia@file
      # Add dns-cloudflare as default certresolver for all services. Also enables TLS and no need to specify on individual services.
      - --entrypoints.https.http.tls.certresolver=dns-cloudflare
      - --entrypoints.https.http.tls.domains[0].main=$DOMAINNAME
      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAINNAME
      - --providers.docker.network=hda_pihole
      - --providers.docker.swarmMode=false
      - --providers.file.directory=/rules # Load dynamic configuration from one or more .toml or .yml files in a directory.
#     - --providers.file.filename=/path/to/file' # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
#      - --certificatesResolvers.dns-cloudflare.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory # LetsEncrypt Staging Server - uncomment when testing
      - --certificatesResolvers.dns-cloudflare.acme.email=$CLOUDFLARE_EMAIL
      - --certificatesResolvers.dns-cloudflare.acme.storage=/acme.json
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.provider=cloudflare
      - --certificatesResolvers.dns-cloudflare.acme.dnsChallenge.resolvers=1.1.1.1:53,1.0.0.1:53
    networks:
      pihole:
        ipv4_address: '172.22.0.114'
      # docker-macvlan: 
        # ipv4_address: '192.168.0.4'
    ports:
      - 81:80
      - 444:443
      - 8081:8080
      - 8082:8081 # Ping
    labels:
      - autoheal=true
      - traefik.enable=true
      # HTTP-to-HTTPS Redirect
      - traefik.http.routers.http-catchall.entrypoints=http
      - traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)
      - traefik.http.routers.http-catchall.middlewares=redirect-to-https
      - traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https
      # HTTP Routers
      - traefik.http.routers.traefik-rtr.entrypoints=https
      - traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAINNAME`)
      ## Services - API
      - traefik.http.routers.traefik-rtr.service=api@internal
      ## Healthcheck/ping
      - "traefik.http.routers.ping.rule=Host(`traefik.$DOMAINNAME`) && Path(`/ping`)"
      - "traefik.http.routers.ping.tls=true"
      - "traefik.http.routers.ping.service=ping@internal"
      ## Middlewares
      # - traefik.http.routers.traefik-rtr.middlewares=chain-oauth@file
      - "traefik.http.routers.traefik-rtr.middlewares=chain-authelia@file" # Authelia
      # - traefik.http.routers.traefik-rtr.middlewares=chain-no-auth@file
    security_opt:
      - no-new-privileges:true
    depends_on: 
      - dnscrypt-proxy
      - authelia
      - oauth
    healthcheck:
      test: ["CMD", "traefik", "healthcheck", "--ping"]
      interval: 5s
      retries: 3
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - $USERDIR/Traefik/rules:/rules 
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - $USERDIR/Traefik/acme/acme.json:/acme.json 
      - $USERDIR/Traefik/traefik.log:/traefik.log 
      - $USERDIR/Shared:/shared
    restart: unless-stopped
    mem_limit: 250m
    mem_reservation: 100m

Any help would be grand!

Thank you in advance

Hello,

you can a typo sniStrick -> sniStrict

1 Like

Well,

Don't I feel silly!

Thank you! That was exactly it!

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.