Passthrough=true kills other routes

I am trying to set up an HTTP/HTTPS catch-all for any undefined domain to NGINX Proxy Manager. HTTP is working great, but lots of issues on the HTTPS side.

To keep traefik from passing its default cert through I enabled passthrough, but that instantly kills communication on the other defined routers. I wouldn't expect a rule in one router to be able to affect the rule in another, so I am missing a key concept somewhere.

version: '3.3'
services:
  nginx:
    image: 'jc21/nginx-proxy-manager:latest'
    restart: unless-stopped

#    ports:
#      - '880:80'
#      - '82:81'
#      - '4443:443'
    environment:
      DISABLE_IPV6: 'true'
      NGINX_HOST: nginx.moderncaveman.us
    volumes:
      - data:/data
      - ssl:/etc/letsencrypt
  
    deploy:
      mode: replicated
      replicas: 1
      labels:
      #Reverse Proxy SSL for Nginx Dashboard
      - "traefik.enable=true"
      - "traefik.http.routers.nginx.rule=Host(`nginx.moderncaveman.us`)"
      - "traefik.http.routers.nginx.entrypoints=websecure,web"
      - "traefik.http.routers.nginx.tls=true"
      - "traefik.http.routers.nginx.tls.certresolver=letsencrypt"
      - "traefik.http.routers.nginx.service=nginx"
      - "traefik.http.services.nginx.loadbalancer.server.port=81"
      #Catch all traffic on Port 80 for Nginx Proxy Manager
 
      - 'traefik.http.routers.http-catchall.rule=hostregexp(`{host:.+}`)'
      - 'traefik.http.routers.http-catchall.entrypoints=web'
      - "traefik.http.routers.http-catchall.priority=1"
      - "traefik.http.services.http-catchall.loadBalancer.server.port=80"
      - "traefik.http.routers.http-catchall.service=http-catchall"

      #Catch all traffic on Port 443 for Nginx Proxy Manager
      - 'traefik.http.routers.httpscatchall.rule=hostregexp(`{host:https.+}`)'
      - 'traefik.http.routers.httpscatchall.entrypoints=websecure'
      - "traefik.http.routers.httpscatchall.tls=true"
#      - 'traefik.tcp.routers.httpscatchall.tls.passthrough=true' <--- Kills the other two routes above
      - "traefik.http.routers.httpscatchall.priority=2"
      - "traefik.http.services.httpscatchall.loadBalancer.server.port=443"
      - "traefik.http.services.httpscatchall.loadbalancer.server.scheme=https"
      - "traefik.http.routers.httpscatchall.service=httpscatchall"
      #Proxy Network
#      - "traefik.docker.network=proxy"
    networks:
      - traefik_public
      
volumes:
    data:
        driver_opts:
            type: nfs 
            o: addr=192.168.40.91,nfsvers=4
            device: :/volume2/docker-pool/nginx2/data
    ssl:
        driver_opts:
            type: nfs 
            o: addr=192.168.40.91,nfsvers=4
            device: :/volume2/docker-pool/nginx2/ssl

networks:
  traefik_public:
    external: true

The logs will indicate the port cannot be found after uncommenting passthrough:

{"container":"nginx2-nginx-4ghwh7ut4us8ufzo3u7i83dxi","level":"error","msg":"service \"nginx2-nginx\" error: port is missing","providerName":"docker","time":"2022-11-25T17:49:30-06:00"}

Passthrough is a feature of the TCP router, not of the HTTP router. And the TCP router will not check HTTP requests to route by host.

You probably switch the whole router to TCP when setting the option. Note the traefik.tcp in your line.

Ahh, I noticed the contradiction but had seen a number of other samples mixing them and figured it somehow worked out.

I switched the routers for SSL to TCP, and that indeed stopped it from crashing the other routers, but now it is complaining my regexp rule is invalid, which isn't a surprise because I don't speak regex. I am also seeing that perhaps it needs to be an SNI rule, but I can't figure out the proper syntax for a catchall for that.

{"entryPointName":"websecure","level":"error","msg":"invalid rule: \"hostregexp(`{host:.+}`)\" , unsupported function: hostregexp","routerName":"httpscatchall@docker","time":"2022-11-26T11:57:16-06:00"}

Here is the latest config:

      #Catch all traffic on Port 443 for Nginx Proxy Manager
      - 'traefik.tcp.routers.httpscatchall.rule=hostregexp(`{host:.+}`)'
      - 'traefik.tcp.routers.httpscatchall.entrypoints=websecure'
      - "traefik.tcp.routers.httpscatchall.tls=true"
      - 'traefik.tcp.routers.httpscatchall.tls.passthrough=true'
      - "traefik.tcp.routers.httpscatchall.priority=1"
      - "traefik.tcp.services.httpscatchall.loadBalancer.server.port=443"
#      - "traefik.tcp.services.httpscatchall.loadbalancer.server.scheme=https"
      - "traefik.tcp.routers.httpscatchall.service=httpscatchall"

Success! It seemed to simply be a wildcard statement.

      - 'traefik.tcp.routers.httpscatchall.rule=HostSNI(`*`)'

Can't thank you enough for your help here, and my other thread. You're awesome!
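
Why the TCP rule has to be HostSNI rather than a host regexp, as an added example that is not code from this thread or from Traefik: with passthrough the proxy never decrypts the stream, so the only hostname it can read is the SNI in the TLS ClientHello. The `ROUTERS` table, its backend names and the exact-match-then-`*` lookup are assumptions made for illustration, a simplified model of TCP routing.

```python
import ssl

# Constructed routing table (assumption): one named host plus the HostSNI(`*`) catch-all.
ROUTERS = {"nginx.moderncaveman.us": "dashboard", "*": "npm-passthrough:443"}

def client_hello(hostname):
    """Build, offline, the first bytes a TLS client sends when connecting to hostname."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    conn = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    try:
        conn.do_handshake()
    except ssl.SSLWantReadError:
        pass  # expected: no server attached, only the ClientHello is wanted
    return outgoing.read()

def sni_from_client_hello(data):
    """Return the server_name in a raw ClientHello, or None if absent or not TLS."""
    try:
        if data[0] != 0x16 or data[5] != 0x01:  # TLS handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                    # record hdr, handshake hdr, version, random
        pos += 1 + data[pos]                    # session id
        pos += 2 + int.from_bytes(data[pos:pos + 2], "big")  # cipher suites
        pos += 1 + data[pos]                    # compression methods
        end = pos + 2 + int.from_bytes(data[pos:pos + 2], "big")
        pos += 2
        while pos + 4 <= end:
            ext_type = int.from_bytes(data[pos:pos + 2], "big")
            ext_len = int.from_bytes(data[pos + 2:pos + 4], "big")
            if ext_type == 0:                   # server_name: list len, type, name len, name
                name_len = int.from_bytes(data[pos + 7:pos + 9], "big")
                return data[pos + 9:pos + 9 + name_len].decode("ascii")
            pos += 4 + ext_len
    except (IndexError, UnicodeDecodeError):
        pass
    return None

def route(data, routers=ROUTERS):
    """Simplified model: exact SNI match first, then the `*` catch-all."""
    return routers.get(sni_from_client_hello(data), routers.get("*"))

if __name__ == "__main__":
    for host in ("nginx.moderncaveman.us", "anything-else.example"):
        hello = client_hello(host)
        # The HTTP Host header is inside the encrypted stream and not in these bytes.
        print(host, "->", route(hello), "| Host header visible:", b"Host:" in hello)
```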
