Misunderstood behaviour of traefik rule Host

Hi everyone!

I'm successfully running traefik v2 with a bunch of docker containers and it works flawlessly.

But one docker integration doesn't work as I expected. In fact it is the unifi docker container, which needs access to port 8443. Well, the issue is that if I use https://whateverthatputshere.mydomain.com:8443 the webpage loads, when I expect it to load only with https://unifi.mydomain.com:8443. This is the code for the unifi docker container:

version: '3'

services:
  unifi:
    image: linuxserver/unifi-controller:latest
    container_name: unifi
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - /home/docker/unifi:/config
    networks:
      - proxy_default
    ports:
      - 8443:8443
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
      - 8081:8081
      - 8880:8880
      - 6789:6789
      - 8843:8843
    restart: unless-stopped
    labels:
       - "traefik.enable=true"
       - "traefik.docker.network=proxy_default"
       - "traefik.http.routers.unifi.entrypoints=secure"
       - "traefik.http.routers.unifi.rule=Host(`unifi.mydomain.com`)"
       - "traefik.http.services.unifi.loadbalancer.server.scheme=https"
       - "traefik.http.routers.unifi.tls=true"
       - "traefik.http.routers.unifi.tls.certresolver=le"

networks:
  proxy_default:
    external: true

I've got about 10 other containers working well; the Host rule redirects to the container as expected, but this one with the unifi docker has this strange behaviour.

Perhaps something in my configuration is not well defined, or I've misunderstood some configuration.

Thanks.

I guess that's because you're exposing port 8443 directly from the container to the host, so your request might not be going through Traefik. Can you try without exposing those ports to the host?

Thanks for your reply,

I tested adding these labels, but it only works if port 8443 is exposed:

       - "traefik.http.routers.unifi.port=8443"
       - "traefik.http.services.unifi.loadbalancer.server.port=8443"

I tested both and every single option with/without exposing port 8443, but it only works with that port exposed.

You should only need this label:

traefik.http.services.unifi.loadbalancer.server.port=8443

Then all connections from Traefik to the container will be done on port 8443. That's what you need, right? You should then not need to expose the port to the host.

Or do I misunderstand you? What is your desired solution? Should Traefik terminate the connection on the HTTPS default (port 443) and just use 8443 internally, or do you expect your clients to use 8443 as well? Then please paste your Traefik configuration as well.

Many thanks for your help!

Well, the problem is that unifi needs more ports accessible so the WiFi devices can contact it. And 8443 is the access to the admin portal.
I've tried what you said in the past, but it didn't work. Only if I expose the port does the admin portal load.

My docker-compose.yml for traefik:

version: '3'

services:
  proxy:
    image: traefik:v2.1
    container_name: proxy
    ports:
      - "80:80"
      - "443:443"
      - "9080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./conf:/etc/traefik
      - ./logs:/logs
      - ./ssl:/ssl
    networks:
      - proxy_default
    labels:
      traefik.enable: true
      traefik.http.routers.dashboard.rule: Host(`proxy.mydomain.com`)
      traefik.http.routers.dashboard.service: api@internal
      traefik.http.routers.dashboard.middlewares: auth
      traefik.http.middlewares.auth.basicauth.users: myuser:mypassword

networks:
  internal:
    external: false
  proxy_default:
    external: true

Additionally I have a traefik.toml:

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.secure]
    address = ":443"

[api]
  dashboard = true

[certificatesResolvers.le.acme]
  email = "my@email.me"
  storage = "/ssl/acme.json"
  [certificatesResolvers.le.acme.httpChallenge]
    entryPoint = "web"

[log]
  filepath = "/logs/traefik.log"

[accessLog]
  filepath = "/logs/access.log"

[providers.docker]
  exposedByDefault = false

[providers.file]
  directory = "/etc/traefik/dynamic"
  watch = true

Thanks, regards

Yes, and given your configuration that is "correct".

If you want Traefik to terminate the connection on Port 8443, Traefik needs to listen on Port 8443. So you need to expose the Port 8443 on Traefik, not on your service. Additionally, you need to create an entrypoint in your traefik.toml on Port 8443.

Then, you should be able to connect to your unifi service through Traefik, on Port 8443.

Does it make sense?

Ohh.. that makes sense!

I have been with Traefik for a few weeks and I'm still learning the basics. I'll test it asap and report...

Thanks again.

Well, it seems it doesn't work... I tried:

  • Adding a new entrypoint in traefik.toml:

[entryPoints.secure2]
  address = ":8443"

  • And additionally enabling/disabling all combinations of these labels in the container's docker-compose:

       - "traefik.http.routers.unifi.port=8443"
       - "traefik.http.services.unifi.loadbalancer.server.port=8443"
       - "traefik.http.services.unifi.loadbalancer.server.scheme=https"
       - "traefik.http.services.unifi.redirectscheme.scheme=https"
       - "traefik.http.services.unifi.redirectscheme.permanent=true"

It only loads if I expose port 8443 specifically, and then it loads with every subdomain you can think of.

I don't know how to resolve that.
Thank you very much for your support @SantoDE

Please show me your container configuration (compose file) of Traefik then, because I suspect you did not bind port 8443 to the container 🙂

You need to have it like this:

    ports:
      - "80:80"
      - "443:443"
      - "9080:8080"
      - "8443:8443"

Well, I tested all combinations, and this is the docker-compose I'm using:

version: '3'

services:
  unifi:
    image: linuxserver/unifi-controller:latest
    container_name: unifi
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - /home/docker/unifi:/config
    networks:
      - proxy_default
    ports:
      - 8443:8443
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
      - 8081:8081
      - 8880:8880
      - 6789:6789
      - 8843:8843
    restart: unless-stopped
    labels:
       - "traefik.enable=true"
       - "traefik.docker.network=proxy_default"
       - "traefik.http.routers.unifi.entrypoints=secure2"
       - "traefik.http.routers.unifi.rule=Host(`unifi.mydomain.com`)"
       - "traefik.http.routers.unifi.port=8443"
       - "traefik.http.services.unifi.loadbalancer.server.port=8443"
       - "traefik.http.services.unifi.loadbalancer.server.scheme=https"
       - "traefik.http.services.unifi.redirectscheme.scheme=https"
       - "traefik.http.services.unifi.redirectscheme.permanent=true"
       - "traefik.http.routers.unifi.tls=true"
       - "traefik.http.routers.unifi.tls.certresolver=le"


networks:
  proxy_default:
    external: true

It doesn't matter what I disable or enable on it; only if port 8443 is enabled under ports does it work partially (because every subdomain loads the unifi admin portal).

Thank you so much @SantoDE, you're right, but additionally I need to include another parameter, insecureSkipVerify = true, in traefik.toml, and I don't know what security impact enabling that has on Traefik.

Well, these are the final config files to get Unifi working with Traefik v2:

traefik compose:

version: '3'

services:
  proxy:
    # The official v2.0 Traefik docker image
    image: traefik:v2.1
    container_name: proxy
    ports:
      # The HTTP port
      - "80:80"
      - "443:443"
      - "8443:8443"
      - "9080:8080"
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - ./conf:/etc/traefik
      - ./logs:/logs
      - ./ssl:/ssl
    networks:
      - proxy_default
    labels:
      traefik.enable: true
      traefik.http.routers.dashboard.entrypoints: secure
      traefik.http.routers.dashboard.rule: Host(`traefik`)
      traefik.http.routers.dashboard.service: api@internal
      traefik.http.routers.dashboard.middlewares: auth
      traefik.http.middlewares.auth.basicauth.users: user:pass
      traefik.http.routers.dashboard.tls: true
      traefik.http.routers.dashboard.tls.certresolver: le

networks:
  proxy_default:
     external: true


traefik.toml:

[entryPoints]
  [entryPoints.web]
    address = ":80"
  [entryPoints.secure]
    address = ":443"
  [entryPoints.secure2]
    address = ":8443"

[api]
  dashboard = true

[certificatesResolvers.le.acme]
  email = "@"
  storage = "/ssl/acme.json"
  [certificatesResolvers.le.acme.httpChallenge]
    entryPoint = "web"

[log]
  filepath = "/logs/traefik.log"

[accessLog]
  filepath = "/logs/access.log"

[providers.docker]
  exposedByDefault = false
#  watch = true

[providers.file]
  directory = "/etc/traefik/dynamic"
  watch = true

[serversTransport]
  insecureSkipVerify = true

unifi controller compose:

version: '3'

services:
  unifi:
    image: linuxserver/unifi-controller:latest
    container_name: unifi
    environment:
      - PUID=1000
      - PGID=1000
    volumes:
      - /home/docker/unifi:/config
    networks:
      - proxy_default
    ports:
#      - 8443:8443
      - 3478:3478/udp
      - 10001:10001/udp
      - 8080:8080
      - 8081:8081
      - 8880:8880
      - 6789:6789
      - 8843:8843
    restart: unless-stopped
    labels:
       - "traefik.enable=true"
       - "traefik.docker.network=proxy_default"
       - "traefik.http.routers.unifi.entrypoints=secure2"
       - "traefik.http.routers.unifi.rule=Host(`unifi.domain.com`)"
       - "traefik.http.services.unifi.loadbalancer.server.port=8443"
       - "traefik.http.services.unifi.loadbalancer.server.scheme=https"
       - "traefik.http.routers.unifi.tls=true"
       - "traefik.http.routers.unifi.tls.certresolver=le"

networks:
  proxy_default:
    external: true

Thank you very much for your help!
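The thread settles on three points: a backend that publishes its own admin port on the Docker host is reached without ever passing Traefik (so no Host() rule applies), a router bound to a new entrypoint only works once Traefik itself defines that entrypoint and publishes its port, and the final config switches on insecureSkipVerify. The script below is an added example, not code from this thread or from the Traefik project; it audits a compose-plus-traefik.toml setup for exactly those three conditions. The compose files and the toml are modelled as plain Python dicts constructed inline (an assumption made so it runs offline without a YAML/TOML parser), and the Traefik service is assumed to be named `proxy`, as in the thread. The "before" model is the mid-thread attempt (unifi publishes 8443, the proxy does not); the "after" model is the final config.

```python
"""Audit a Traefik v2 + docker-compose model for routing that bypasses Host() rules.

Findings produced:
  bypass       a traefik-enabled service publishes the port Traefik should proxy,
               so clients reaching that host port never pass a Host() rule
  unreachable  a router uses an entrypoint that is undefined, or whose port the
               Traefik container does not publish
  tls          serversTransport.insecureSkipVerify is on (backend certs unchecked)
"""

TRAEFIK_SERVICE = "proxy"  # assumption: compose service name of Traefik, as in the thread


def published_ports(service):
    """Host-side TCP ports a compose service publishes ("[ip:]host:container[/proto]")."""
    ports = set()
    for mapping in service.get("ports", []):
        spec, _, proto = str(mapping).partition("/")
        if proto == "udp":
            continue  # UDP mappings cannot carry the HTTPS admin UI
        parts = spec.split(":")
        if len(parts) >= 2:  # "host:container" or "ip:host:container"
            ports.add(int(parts[-2]))
    return ports


def labels_dict(service):
    """Normalise compose labels (list of "k=v" strings or a mapping) into a dict."""
    raw = service.get("labels", {})
    if isinstance(raw, dict):
        return {k: str(v) for k, v in raw.items()}
    return {k.strip(): v.strip() for k, _, v in (item.partition("=") for item in raw)}


def router_entrypoints(labels):
    """router name -> entrypoint names, from traefik.http.routers.<r>.entrypoints."""
    out = {}
    for key, value in labels.items():
        p = key.split(".")
        if len(p) == 5 and p[:3] == ["traefik", "http", "routers"] and p[4] == "entrypoints":
            out[p[3]] = [e.strip() for e in value.split(",")]
    return out


def backend_port(labels):
    """Port from traefik.http.services.<s>.loadbalancer.server.port, or None."""
    for key, value in labels.items():
        p = key.split(".")
        if len(p) == 7 and p[:3] == ["traefik", "http", "services"] and p[4:] == ["loadbalancer", "server", "port"]:
            return int(value)
    return None


def audit(services, entrypoints, servers_transport):
    """Return a list of (kind, message) findings for the modelled configuration."""
    findings = []
    traefik_ports = published_ports(services.get(TRAEFIK_SERVICE, {}))
    ep_ports = {name: int(addr.rsplit(":", 1)[1]) for name, addr in entrypoints.items()}
    for name, svc in services.items():
        if name == TRAEFIK_SERVICE:
            continue
        labels = labels_dict(svc)
        if labels.get("traefik.enable", "false").lower() != "true":
            continue
        port = backend_port(labels)
        if port is not None and port in published_ports(svc):
            findings.append(("bypass", f"{name}: port {port} is published on the host; "
                                       f"requests to :{port} bypass Traefik and its Host() rule"))
        for router, eps in router_entrypoints(labels).items():
            for ep in eps:
                if ep not in ep_ports:
                    findings.append(("unreachable", f"{name}: router {router} uses undefined entrypoint '{ep}'"))
                elif ep_ports[ep] not in traefik_ports:
                    findings.append(("unreachable", f"{name}: entrypoint '{ep}' is :{ep_ports[ep]} "
                                                    f"but '{TRAEFIK_SERVICE}' does not publish that port"))
    if str(servers_transport.get("insecureSkipVerify", False)).lower() == "true":
        findings.append(("tls", "serversTransport.insecureSkipVerify=true: any backend certificate is accepted"))
    return findings


# --- constructed models of the thread's configs (not parsed from real files) ---------
def traefik_service(publish_8443):
    ports = ["80:80", "443:443", "9080:8080"] + (["8443:8443"] if publish_8443 else [])
    return {"ports": ports, "labels": {"traefik.enable": "true"}}


def unifi_service(publish_8443):
    ports = (["8443:8443"] if publish_8443 else []) + [
        "3478:3478/udp", "10001:10001/udp", "8080:8080", "8081:8081", "8880:8880", "6789:6789", "8843:8843"]
    return {"ports": ports, "labels": [
        "traefik.enable=true",
        "traefik.http.routers.unifi.entrypoints=secure2",
        "traefik.http.routers.unifi.rule=Host(`unifi.mydomain.com`)",
        "traefik.http.services.unifi.loadbalancer.server.port=8443",
        "traefik.http.services.unifi.loadbalancer.server.scheme=https"]}


ENTRYPOINTS = {"web": ":80", "secure": ":443", "secure2": ":8443"}
BEFORE = {"proxy": traefik_service(False), "unifi": unifi_service(True)}  # mid-thread attempt
AFTER = {"proxy": traefik_service(True), "unifi": unifi_service(False)}   # final config


def run():
    """Audit both states; 'before' reproduces the thread's two routing mistakes."""
    return {"before": audit(BEFORE, ENTRYPOINTS, {}),
            "after": audit(AFTER, ENTRYPOINTS, {"insecureSkipVerify": True})}


if __name__ == "__main__":
    for state, found in run().items():
        print(state + ":")
        for kind, msg in found or [("ok", "no findings")]:
            print(f"  [{kind}] {msg}")
```

The "before" state yields a bypass finding for unifi's published 8443 and an unreachable finding because the proxy container does not publish the secure2 port; the "after" state is clean apart from the tls finding. For that last one, Traefik v2's static configuration also accepts a `serversTransport.rootCAs` list, which lets Traefik trust the controller's own certificate without disabling verification for every backend.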