Migrating to Traefik from Nginx

Hi folks,

I am trying to migrate a spring java app stack from traditional VMs to docker, and trying to replace Traefik as reverse proxy with Nginx which was used earlier. For one service, the Nginx configuration is -

upstream service_name {

server server_name:31022;

}

server {

listen 80;

server_name server_name;

rewrite ^(.*) https://$server_name$1 permanent;

}

server {

listen 443;

server_name server_name;

ssl on;

ssl_certificate /etc/nginx/server.crt;

ssl_certificate_key /etc/nginx/server.key;

location / {

index index.jsp index.html

proxy_redirect off;

proxy_set_header Host $host;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

proxy_buffering off;

proxy_pass https://service_name;

proxy_ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

}

}

traefik.toml file is -

logLevel = "DEBUG"

defaultEntryPoints = ["http", "https"]

[entryPoints]

[entryPoints.dashboard]

address = ":8080"

[entryPoints.dashboard.auth]

[entryPoints.dashboard.auth.basic]

users = ["admin:$apr1$jIkZ4klG$MrevdRq.a3.CM9goyyziy0"]

[entryPoints.http]

address = ":80"

[entryPoints.http.redirect]

entryPoint = "https"

[entryPoints.https]

address = ":443"

[entryPoints.https.tls]

[[entryPoints.https.tls.certificates]]

certFile = "/certs/server.crt"

keyFile = "/certs/server.key"

[api]

entrypoint="dashboard"

[docker]

domain = "domain_name.com"

watch = true

network = "app_network"

and the docker-compose for the service is -

version: '3'
networks:
app_network:
external: true

services:

service_name:
image: 'service_image'
container_name: 'servername.domain-name.com'
ports:
- "31022:31022"
labels:
- traefik.backend=service_name
- traefik.frontend.rule=Host:servername.domain-name.com
- traefik.frontend.redirect.entryPoints:'https'
- traefik.frontend.headers.SSLProxyHeaders=X-Forwarded-Proto:https
- traefik.frontend.headers.SSLRedirect=true
- traefik.docker.network=app_network
- traefik.port=31022

networks:- app_network

When I am trying access the service, I am getting internal server error, and traefik logs are -

time="2019-11-05T03:03:20Z" level=debug msg="vulcand/oxy/forward/http: begin ServeHttp on request" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"http\",\"Opaque\":\"\",\"User\":null,\"Host\":\"[192.168.32.6:31022](https://192.168.32.6:31022/)\",\"Path\":\"\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"image/webp,image/apng,image/*,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.9\"],\"Referer\":[\"[https://servername.domain-name.com/\"],\"Sec-Fetch-Mode\":[\"no-cors\"],\"Sec-Fetch-Site\":[\"same-origin\"],\"User-Agent\":[\"Mozilla/5.0](https://servername.domain-name.com/%22],%22Sec-Fetch-Mode%22:[%22no-cors%22],%22Sec-Fetch-Site%22:[%22same-origin%22],%22User-Agent%22:[%22Mozilla/5.0) (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/78.0.3904.87 Safari/537.36\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"[servername.domain-name.com](https://servername.domain-name.com/)\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"[192.168.1.110:54356](https://192.168.1.110:54356/)\",\"RequestURI\":\"/favicon.ico\",\"TLS\":null}"

time="2019-11-05T03:03:20Z" level=debug msg="Upstream ResponseWriter of type *pipelining.writerWithoutCloseNotify does not implement http.CloseNotifier. Returning dummy channel."

time="2019-11-05T03:03:20Z" level=debug msg="'500 Internal Server Error' caused by: net/http: HTTP/1.x transport connection broken: malformed HTTP response \"\\x15\\x03\\x03\\x00\\x02\\x02\""

time="2019-11-05T03:03:20Z" level=debug msg="vulcand/oxy/forward/http: Round trip: [http://192.168.32.6:31022](http://192.168.32.6:31022/), code: 500, Length: 21, duration: 1.078372ms tls:version: 303, tls:resume:true, tls:csuite:c02f, tls:server:monitor.abacasoftware.com"

Can anyone please verify the config and shade some light?

Cheers!

Hi @debasisparida, is your backend application using a self-signed certificate?

@dduportal, the backend application is using signed certificate from Godaddy.

EDIT: Sorry, if I haven't got your question right. Backend is a docker container running tomcat. In the current implementation, certificate is passed to tomcat through Nginx. I was thinking once I add wildcard certificate to Traefik, it will also be used for backend by default. Please correct me if I am thinking it wrong.

Hi @debasisparida, I confirm that either Traefik OR your backend has to terminate TLS/SSL.

As you are using Traefik v1, Traefik terminates TLS so it needs the certificates as well, to be able to discuss with the HTTPS client. Then you can configure the backend to be reachable in HTTPS as well by setting the label traefik.protocol=https to your backend service: Traefik will initiate a new HTTP/TLS connection to the backend, which will present the certificates, so you keep encrypted HTTP everywher, BUT Traefik need to decrypt / re-encrypt traffic.

Alternatively, if you are able to switch to Traefik v2.0 which supports TCP, you can define a "TCP router" (router is roughly the same as frontends) with the option passthrough enabled: https://docs.traefik.io/v2.0/routing/routers/#tls_1 .
In this case, Traefik won't decrypt the TLS traffic, and will pass it "as it" to the backend.

1 Like