Minimum settings for having Nginx behing Traefik for a demo setup

johanneskastl · October 10, 2025, 5:05pm

Dear all,

I am currently struggling to get a simple demo setup working, as I have not used docker and Traefik’s docker-label-based workflow in quite some time.

I have a simple vagrant setup that creates a Nginx container as well as a Traefik container, both as Podman quadlets. This is working fine, but only for HTTP.

The labels on the Nginx container are:

Label=traefik.enable="true"
Label=traefik.http.routers.nginx.rule=Host'(`nginx.IP-ADRESS-GOES-HERE.sslip.io`)'

The Traefik container uses the following static configuration:

  --api.dashboard=true \
  --api.insecure=true \
  --entrypoints.http.address=":80" \
  --providers.docker=true

Now, to get something using the self-signed default certificate that Traefik brings, which settings would need to be adjusted?

Adding --entrypoints.https.address=":443" and exposing this port is enough to get a nice and friendly warning in the browser, due to the self-signed TLS certificate.

But after accepting the warning I only get a 404 warning (404 page not found) and it seems the request never actually reaches the Nginx container.

The Traefik dashboard does not show anything unusal, only green routers, services and middlewares.

What additional settings would I need to make to get this working?

Or do I need to provide my own self-signed certificate to get Traefik working?

Kind Regards,

Johannes

bluepuma77 · October 10, 2025, 10:50pm

The usual basic labels from best practice are:

      - traefik.enable=true
      - traefik.http.routers.mywhoami.rule=Host(`whoami.example.com`)
      - traefik.http.services.mywhoami.loadbalancer.server.port=80

Check simple Traefik example.

Enable access log in JSON format to see if Traefik or target service create 404.

johanneskastl · October 11, 2025, 6:14am

Thanks for the quick reply.

Not sure why this should be necessary, as it already works properly using HTTP. So the general connectivity is given, i.e. Traefik knows where to find the Nginx server.

It is only HTTPS that is not working.

This is the access log. Not sure what to read out of it, but to me it looks like Traefik causing the 404 (if I understand the IPs correctly).

2025-10-11T05:58:12Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://10.89.0.4:80
10.89.0.5 - - [11/Oct/2025:05:58:12 +0000] "GET / HTTP/1.1" 200 615 "-" "-" 1 "nginx@docker" "http://10.89.0.4:80" 0ms
2025-10-11T06:14:37Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://10.89.0.4:80
10.89.0.5 - - [11/Oct/2025:06:14:37 +0000] "GET / HTTP/1.1" 200 615 "-" "-" 2 "nginx@docker" "http://10.89.0.4:80" 2ms
2025-10-11T06:14:37Z DBG github.com/traefik/traefik/v3/pkg/server/service/loadbalancer/wrr/wrr.go:175 > Service selected by WRR: http://10.89.0.4:80
10.89.0.5 - - [11/Oct/2025:06:14:37 +0000] "GET /favicon.ico HTTP/1.1" 404 153 "-" "-" 3 "nginx@docker" "http://10.89.0.4:80" 0ms
2025-10-11T06:14:42Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288 > Serving default certificate for request: "nginx.192.168.121.62.sslip.io"
2025-10-11T06:14:42Z DBG log/log.go:245 > http: TLS handshake error from 10.89.0.5:41398: remote error: tls: bad certificate
2025-10-11T06:14:46Z DBG github.com/traefik/traefik/v3/pkg/tls/tlsmanager.go:288 > Serving default certificate for request: "nginx.192.168.121.62.sslip.io"
10.89.0.5 - - [11/Oct/2025:06:14:46 +0000] "GET / HTTP/2.0" 404 19 "-" "-" 4 "-" "-" 0ms
10.89.0.5 - - [11/Oct/2025:06:14:46 +0000] "GET /favicon.ico HTTP/2.0" 404 19 "-" "-" 5 "-" "-" 0ms

Kind Regards,

Johannes

bluepuma77 · October 11, 2025, 6:36am

Enable access log in JSON format to see if Traefik or target service creates 404 status.

johanneskastl · October 11, 2025, 11:13am

Thanks for the hint, that is a little more information…

{ 
  "ClientAddr": "10.89.0.3:37120",
  "ClientHost": "10.89.0.3",
  "ClientPort": "37120",
  "ClientUsername": "-",
  "DownstreamContentSize": 19,
  "DownstreamStatus": 404,
  "Duration": 25290,
  "GzipRatio": 0,
  "OriginContentSize": 0,
  "OriginDuration": 0,
  "OriginStatus": 0,
  "Overhead": 25290,
  "RequestAddr": "nginx.IP-ADDRESS-GOES-HERE.sslip.io",
  "RequestContentSize": 0,
  "RequestCount": 6,
  "RequestHost": "nginx.IP-ADDRESS-GOES-HERE.sslip.io",
  "RequestMethod": "GET",
  "RequestPath": "/",
  "RequestPort": "-",
  "RequestProtocol": "HTTP/2.0",
  "RequestScheme": "https",
  "RetryAttempts": 0,
  "StartLocal": "2025-10-11T11:00:26.876229311Z",
  "StartUTC": "2025-10-11T11:00:26.876229311Z",
  "TLSCipher": "TLS_AES_128_GCM_SHA256",
  "TLSVersion": "1.3",
  "entryPointName": "https",
  "level": "info",
  "msg": "",
  "time": "2025-10-11T11:00:26Z"
}

It seems that the 404 comes from downstream `"DownstreamStatus": 404,`, the question is why only via HTTPS. Normally Traefik is happily doing the TLS part for other services that are only talking HTTP.

I’ll dig into it later.

Kind Regards,

Johannes

bluepuma77 · October 11, 2025, 12:53pm

so Traefik does not recognize the target service for entrypoint and router.rule.

Share your full Traefik static and dynamic config, and Docker compose file(s) if used.

johanneskastl · October 11, 2025, 1:24pm

Huh, funny. Do I need to make the settings (rule, port) again for HTTPS? I’ll give that a try.

Here is the quadlet definition for Traefik:

Here is the Nginx container.

johanneskastl · October 11, 2025, 1:49pm

Hmm, it might be that I just had to add tls=true

Label=traefik.http.routers.nginx.tls=true

(No redirect from HTTP to HTTPS yet, of course, but it seems the page is reachable via HTTPS without 404s…)

bluepuma77 · October 11, 2025, 3:59pm

You can enable TLS globally on entrypoint or individually on router.

johanneskastl · October 11, 2025, 4:16pm

For the record, I relearned my lesson. For the docker label-based approach, one has to define two routers, one for HTTP and one for HTTPS. The first one gets the “redirect HTTP to HTTPS” middleware, the second gets the tls=true.

Now it works like a charm.

        image: docker.io/library/nginx:stable-alpine
        label:
          traefik.enable: "true"
          #
          traefik.http.routers.nginx.rule: Host(`nginx.IP-GOES-HERE.sslip.io`)
          traefik.http.routers.nginx.entrypoints: http
          traefik.http.middlewares.redirect-to-https.redirectscheme.scheme: https
          traefik.http.routers.nginx.middlewares: redirect-to-https
          #
          traefik.http.routers.nginx-https.rule: Host(`nginx.IP-GOES-HERE.sslip.io`)
          traefik.http.routers.nginx-https.entrypoints: https
          traefik.http.routers.nginx-https.tls: "true"

Thanks for your help!

bluepuma77 · October 11, 2025, 4:23pm

I already shared simple Traefik example. I would globally set tls and redirect on entrypoint, not individually on every router.

Topic		Replies	Views
Traefik and nginx 404 page not found Traefik v1 docker , docker-swarm	1	2670	August 31, 2019
V2 404 on HTTPS Traefik v2 docker	5	960	November 2, 2019
Nginx behid traefik reach 404 Traefik v2 docker , file , letsencrypt-acme	2	1509	July 30, 2020
Https always responds 404 with docker provider Traefik v2 docker	3	582	November 5, 2019
Migrating to Traefik from Nginx Traefik v1 docker	3	7408	November 13, 2019

Minimum settings for having Nginx behing Traefik for a demo setup

Related topics