I'm trying to use Traefik as I am using docker more frequently.
I have a bunch of non-docker servers that I need to reverse proxy for. When using nginx, I would route all of my inbound traffic to nginx and then do url based routing and Lets Encrypt certificates.
So nginx would do the https and then use http internally. There were problems with serving mixed content data that would trip up some of my sites so I found that I would need to use this in my nginx config.
add_header 'Content-Security-Policy' 'upgrade-insecure-requests';
Can anyone help a noob out with how to do this on my Docker/Traefik trial?
Here is my main docker compose file and the dynamic file-provider that I am using to define my internal target system.
I am a real noob so please be gentle...
My Docker Compose File
traefik: image: traefik:v2.9.6 container_name: traefik volumes: - ./traefik:/etc/traefik - /var/run/docker.sock:/var/run/docker.sock environment: - TZ=$TZ networks: - net labels: - 'traefik.enable=true' - 'traefik.http.routers.api.rule=Host(`traefik.my_domain_0.com`)' - 'traefik.http.routers.api.entrypoints=https' - 'traefik.http.routers.api.service=api@internal' - 'traefik.http.routers.api.tls=true' - 'traefik.http.routers.api.tls.certresolver=letsencrypt' - 'traefik.http.routers.api.middlewares=authelia@docker' ports: - 80:80 - 443:443 command: - '--api.insecure=true' - '--providers.docker=true' - '--providers.docker.exposedByDefault=false' - '--providers.file.directory=/etc/traefik' - '--providers.file.watch=true' - '--entrypoints.http=true' - '--entrypoints.http.address=:80' - '--entrypoints.http.http.redirections.entrypoint.to=https' - '--entrypoints.http.http.redirections.entrypoint.scheme=https' - '--entrypoints.https=true' - '--entrypoints.https.address=:443' - '--certificatesResolvers.firstname.lastname@example.org' - '--certificatesResolvers.letsencrypt.acme.storage=/etc/traefik/acme.json' - '--certificatesResolvers.letsencrypt.acme.httpChallenge.entryPoint=http' - '--log=true' - '--log.filePath=/var/log/traefik.log' - '--log.level=DEBUG'
And here is my dynamic file provider
I have two non-docker systems I am trying to reverse proxy for. 1) my Blue Iris video camera system and 2) a Drupal system.
http: # Add the routers routers: lxd-router: rule: "Host(`www.my_domain_1.org`) || Host(`my_domain_1.org`)" entryPoints: - https tls: certResolver: letsencrypt service: lxd-service bi5-router: rule: "Host(`video.myhome.org`)" entryPoints: - https tls: certResolver: letsencrypt service: bi5-service # Add the services services: lxd-service: loadBalancer: servers: - url: "http://192.168.50.181:81" passHostHeader: true bi5-service: loadBalancer: servers: - url: "http://192.168.50.61:81" passHostHeader: true
So my very rookie read of this shows that I am only using one sort-of-middleware which is the TLS Let's Encrypt service.
So maybe I need to either tweak that TLS module to add the required upgrade headers?
By the way, this is the error that I get with the mixed content when the internal http site is redirected through the reverse proxy.
Mixed Content: The page at 'https://www.mydomain.org/civicrm/a#/mailing/2' was loaded over HTTPS, but requested an insecure XMLHttpRequest endpoint 'http://www.mydomain.org/civicrm/ajax/api4/EntitySet%3Aautocomplete?params=%7B%22input%22%3A%22%22%2C%22page%22%3A1%2C%22formName%22%3A%22crmMailing.2%22%2C%22fieldName%22%3A%22Mailing.recipients_exclude%22%7D&_=1700414486079'. This request has been blocked; the content must be served over HTTPS.
It is only on some pages were the main page seems fine being redirected to https but there is some content on that page that screws with things. In this specific case there was an autocomplete field that fails.