Multiple domains pointing to one traefik instance help

Traefik Traefik v3 (latest)
1

Hello! I'm new to this forum so let me introduce myself a bit. I'm 'skeed' which is my alias :slight_smile: Nice to meet you! I'm a homelab enthousiast who has traefik on docker installed and i'm really satisfied with what it doesn. Now my issue;

On my homelab I have an url configured, lets call that url 'a'. http(s)://a.com. Works like a charm. No issues at all. I'm using cloudflare as a dns resolver and have an account wide token set to also edit the dns zones. Now I recently bought domain 'b' and would like to add that to my traefik instance. I've already pointed the cloudflare dns entries to the correct IP, and when I try to visit url 'b' I see the traefik 404 page, which to me indicates that my dns records are set correctly. The only thing is, when I try to do traefik.http.routers.container.rule: Host(b.com), I still see the 404 page. I tried to add the container to 'a' with Host(a.com) and that words perfectly, but it seems to not be able to 'match' for 'b'. I also already added the domain to entryPoints.websecure.http.tls.domains[1].main both main and sans but to no avail. It just seems not to match domain 'b'. I can also see entries in the access log that it's trying to resolve to 'b' but traefik won't point me to the correct container. I'm using a simple nginx container to test which serves the test webpage.

Does anyone know a next step / something that can help me further? I don't know what to do anymore at this point.

Thanks in advance!

Cheers,
Skeed

2

Enable and check Traefik dashboard.

Check acme.json file which certs exist.

Share your full Traefik static and dynamic config, and docker-compose.yml if used.

3

Hey!

In the acme.json i see 'a.com' and 'b.com' having certificates and the certificates for all my subdomains.
In the traefik dashboard I see that the entry for 'b.com' exists the same way as it does for 'a.com' entries. Websecure and secured by cloudflare, no errors at all.

Docker compose of Traefik:

services:
  traefik:
    image: traefik:latest
    container_name: traefik
    networks:
      - traefik_network
    extra_hosts:
      - host.docker.internal:host-gateway
    command:
      # - --log.level=DEBUG
      # - --log.filePath=/logs/traefik.log
      # - --log.format=json
      # - --accesslog=true
      # - --accesslog.format=json
      # - --accesslog.filePath=/logs/access.log
      - --api.insecure=true
      - --providers.file=true
      - --providers.file.filename=/extra-providers/dynamic_conf.yml
      - --providers.file.watch=true
      - --providers.docker=true
      - --providers.docker.exposedbydefault=false
      - --entrypoints.web.address=:80
      - --entrypoints.websecure.address=:443


      
      - --certificatesresolvers.cloudflare.acme.dnschallenge=true
      - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
      - --certificatesresolvers.cloudflare.acme.email=e@mail.com
      - --certificatesresolvers.cloudflare.acme.storage=/letsencrypt/acme.json

      # multiple domain config
      - --entryPoints.websecure.http3.advertisedPort=433
      - --entryPoints.websecure.http.tls.certResolver=cloudflare
      - --entryPoints.websecure.http.tls.domains[0].main=a.com
      - --entryPoints.websecure.http.tls.domains[0].sans=*.a.com
      - --entryPoints.websecure.http.tls.domains[1].main=b.com
      - --entryPoints.websecure.http.tls.domains[1].sans=*.b.com
    ports:
      - 80:80
      - 443:443
      - 8079:8080
    environment:
      - CF_API_EMAIL=e@mail.com
      - CF_DNS_API_TOKEN=<mytoken>
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /home/server/app-data/traefik/letsencrypt:/letsencrypt
      - /home/server/app-data/traefik/extra-providers:/extra-providers
      - /home/server/app-data/traefik/logs/:/logs/
    restart: unless-stopped

    labels:
      traefik.enable: true
      traefik.docker.network: traefik_network
      traefik.http.routers.traefik.rule: Host(`traefik.lan`)
      traefik.http.routers.traefik.entrypoints: web
      traefik.http.services.traefik.loadbalancer.server.port: 8080
      traefik.http.middlewares.authentik.forwardauth.address: http://authentik_server:9000/outpost.goauthentik.io/auth/traefik
      traefik.http.middlewares.authentik.forwardauth.trustForwardHeader: true
      traefik.http.middlewares.authentik.forwardauth.authResponseHeaders:
        X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid,X-authentik-jwt,X-authentik-meta-jwks,X-authentik-meta-outpost,X-authentik-meta-provider,X-authentik-meta-app,X-authentik-meta-version

networks:
  auth: null
  traefik_network:
    external: true

Dynamic configuration.yaml

http:
  routers:
    pihole:
      entryPoints: web
      rule: Host(`pihole.lan`)
      service: pihole
    pufferpanel:
      entryPoints: websecure
      rule: Host(`panel.a.com`)
      service: pufferpanel
      tls:
        certResolver: cloudflare
  services:
    pihole:
      loadBalancer:
        servers:
          - url: http://ip
    pufferpanel:
      loadBalancer:
        servers:
          - url: http://ip:8080

Docker compose of the test application (the only difference with another simple application is the 'host' which is elsewhere filled in to 'a'):

version: '3'
services:
  web:
    image: nginx:latest
    ports:
      - 1234:443
    volumes:
      - /home/server/app-data/b-test:/usr/share/nginx/html
    networks:
      - traefik_network
    labels:
      traefik.enable: true
      traefik.docker.network: traefik_network
      traefik.http.routers.b.rule: Host(`b.com`)
      traefik.http.routers.b.entrypoints: websecure
      traefik.http.routers.b.tls.certresolver: cloudflare

networks:
  auth: null
  traefik_network:
    external: true

If you need anything else. Please let me know!

4

Enable and check Traefik debug log (doc) and Traefik access log in JSON format (doc).

Are requests arriving at Traefik? Is 404 returned from target service (OriginStatus)?

5

From what i see in the 'access.log', request are in fact arriving at traefik since it registers entries trying to reach that domain. the 404 page is the default 404 page i see from traefik insself. I'm not sure if they are returned from the target service. How can i check?

access.log:

{"ClientAddr":"172.71.182.40:9998","ClientHost":"172.71.182.40","ClientPort":"9998","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":11665,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":11665,"RequestAddr":"b.com","RequestContentSize":0,"RequestCount":20,"RequestHost":"b.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"StartLocal":"2024-11-21T18:11:56.789547646Z","StartUTC":"2024-11-21T18:11:56.789547646Z","entryPointName":"web","level":"info","msg":"","time":"2024-11-21T18:11:56Z"}

{"ClientAddr":"172.71.182.40:9998","ClientHost":"172.71.182.40","ClientPort":"9998","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":12394,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":12394,"RequestAddr":"b.com","RequestContentSize":0,"RequestCount":21,"RequestHost":"b.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"StartLocal":"2024-11-21T18:11:57.117985025Z","StartUTC":"2024-11-21T18:11:57.117985025Z","entryPointName":"web","level":"info","msg":"","time":"2024-11-21T18:11:57Z"}

{"ClientAddr":"172.71.182.40:9998","ClientHost":"172.71.182.40","ClientPort":"9998","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":11485,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":11485,"RequestAddr":"b.com","RequestContentSize":0,"RequestCount":22,"RequestHost":"b.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"StartLocal":"2024-11-21T18:11:57.272432999Z","StartUTC":"2024-11-21T18:11:57.272432999Z","entryPointName":"web","level":"info","msg":"","time":"2024-11-21T18:11:57Z"}

{"ClientAddr":"172.71.182.40:9998","ClientHost":"172.71.182.40","ClientPort":"9998","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":13239,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":13239,"RequestAddr":"b.com","RequestContentSize":0,"RequestCount":23,"RequestHost":"b.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"StartLocal":"2024-11-21T18:11:57.476039399Z","StartUTC":"2024-11-21T18:11:57.476039399Z","entryPointName":"web","level":"info","msg":"","time":"2024-11-21T18:11:57Z"}

traefik.log stuff i could find regarding domain 'b':


{"level":"debug","time":"2024-11-21T18:11:44Z","caller":"github.com/traefik/traefik/v3/pkg/tls/certificate.go:132","message":"Adding certificate for domain(s) b.com"}

{"level":"debug","time":"2024-11-21T18:11:44Z","caller":"github.com/traefik/traefik/v3/pkg/tls/certificate.go:132","message":"Adding certificate for domain(s) *.b.com,audiobooks.a.com"}

{"level":"debug","providerName":"cloudflare.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","providerName":"cloudflare.acme","ACME CA":"https://acme-v02.api.letsencrypt.org/directory","routerName":"b@docker","rule":"Host(`b.com`)","time":"2024-11-21T18:11:45Z","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:445","message":"Trying to challenge certificate for domain [b.com] found in HostSNI rule"}

{"level":"debug","providerName":"cloudflare.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","providerName":"cloudflare.acme","ACME CA":"https://acme-v02.api.letsencrypt.org/directory","routerName":"b@docker","rule":"Host(`b.com`)","time":"2024-11-21T18:11:45Z","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:915","message":"Looking for provided certificate(s) to validate [\"b.com\"]..."}

{"level":"debug","providerName":"cloudflare.acme","acmeCA":"https://acme-v02.api.letsencrypt.org/directory","providerName":"cloudflare.acme","ACME CA":"https://acme-v02.api.letsencrypt.org/directory","routerName":"b@docker","rule":"Host(`b.com`)","domains":["b.com"],"time":"2024-11-21T18:11:45Z","caller":"github.com/traefik/traefik/v3/pkg/provider/acme/provider.go:959","message":"No ACME certificate generation required for domains"}

{"level":"debug","entryPointName":"websecure","routerName":"b@docker","serviceName":"web-b-test@docker","time":"2024-11-21T18:11:45Z","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:318","message":"Creating load-balancer"}

{"level":"debug","entryPointName":"websecure","routerName":"b@docker","serviceName":"web-b-test@docker","serverName":"d030470e77acbcd1","target":"http://10.99.11.7:80","time":"2024-11-21T18:11:45Z","caller":"github.com/traefik/traefik/v3/pkg/server/service/service.go:355","message":"Creating server"}

{"level":"debug","providerName":"docker","config":{"http":{"routers":{"b":{"entryPoints":["websecure"],"service":"web-b-test","rule":"Host(`b.com`)","tls":{"certResolver":"cloudflare"} -> later in this line "web-b-test":{"loadBalancer":{"servers":[{"url":"http://10.99.11.7:80"}],"passHostHeader":true,"responseForwarding":{"flushInterval":"100ms"}}}
6

so the target service is not returning the http error status.

This looks strange, plain nginx has TLS?

    ports:
      - 1234:443

Maybe try to set the target port via Traefik labels.

7

For the originStatus indeed it looks like the traefik instance itself is returning this and not a service underneath.

The weird thing about that docker compose is that if i only change the 'host' field to Host(a.com) it immediatly works, no hassle at all. I did try to set the ports via labels but to no avail...

8

I think I found the issue: You try to access b.com with http, but it only matches on https/ websecure.

{"ClientAddr":"172.71.182.40:9998","ClientHost":"172.71.182.40","ClientPort":"9998","ClientUsername":"-","DownstreamContentSize":19,"DownstreamStatus":404,"Duration":13239,"GzipRatio":0,"OriginContentSize":0,"OriginDuration":0,"OriginStatus":0,"Overhead":13239,"RequestAddr":"b.com","RequestContentSize":0,"RequestCount":23,"RequestHost":"b.com","RequestMethod":"GET","RequestPath":"/","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"http","RetryAttempts":0,"StartLocal":"2024-11-21T18:11:57.476039399Z","StartUTC":"2024-11-21T18:11:57.476039399Z","entryPointName":"web","level":"info","msg":"","time":"2024-11-21T18:11:57Z"}
9

I noticed that too! But whenever i try to acces b.com using http and set the service to web, i also don't get a match. The tries you see there, are done with either Safari or Brave, and both were tried with 'https' and 'http'.