I want to use a backend (server) on version 2.0 that uses a self-signed certificate. How can I configure this with labels or CLI? The option --serverstransport.insecureskipverify=true does not seem to work... when I call the service over Traefik with the port provided for SSL on the backend I only see: Internal server error. What am I doing wrong?
I'm having the same issue. I've attempted to add docker.tls.insecureSkipVerify=true
but then that just makes all of my containers return a 404.
Figured it out. you need serverTransports.insecureSkipVerify = true
Nope... the flag alone doesn't skip the problem... as I mentioned above, I only get internal server error
Could you provide more information: docker-compose file, traefik files, command line, ...
some-container:
  labels:
    - "traefik.enable=true"
    - "traefik.http.routers.code.rule=host(`somehost`)"
    - "traefik.http.routers.code.entrypoints=web"
    - "traefik.http.routers.code.middlewares=redirect"
    - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
    - "traefik.http.middlewares.redirect.redirectscheme.permanent=true"
    # SSL-Section
    - "traefik.http.routers.code2.rule=Host(`somehost`)"
    - "traefik.http.routers.code2.entrypoints=web-secure"
    - "traefik.http.routers.code2.tls=true"
    - "traefik.http.services.openhab.loadBalancer.server.port=8443"
    - "traefik.http.services.openhab.loadbalancer.passhostheader=true"
    # Basic-Auth-Section
    - "traefik.http.routers.code2.middlewares=auth"
    - "traefik.http.middlewares.auth.basicauth.users=user:somepass"
traefik:
  hostname: traefik
  container_name: traefik
  image: traefik:latest
  restart: always
  command:
    - "--providers.docker=true"
    - "--providers.docker.exposedbydefault=false"
    - "--entryPoints.web.address=:80"
    - "--entryPoints.web-secure.address=:443"
    - "--global.sendAnonymousUsage=false"
    - "--serverstransport.insecureskipverify=true"
  ports:
    - "80:80"
    - "443:443"
  volumes:
    - /var/run/docker.sock:/var/run/docker.sock:ro
    - /home/etc/traefik
Everything works when I use a non-SSL backend... as soon as I attach a backend with self-signed SSL certificates, it shows internal server error...
I agree with @bd8392
I have basically the same problem trying to add a reverse proxy with traefik for my Unifi Controller.
There is no way to remove the http->https redirection on Unifi and it generates a default custom certificate.
In order to add a reverse proxy, I need to set my traefik service scheme as https and ignore the certificate, which at this point is not possible AFAIK.
If you have any ideas...
@zaggash as was mentioned before the answer is:
Here is an example. In order to demonstrate a service with a self-signed cert, we need an image that exposes one. I could not think of a better example than the traefik dashboard itself, but any other image with a self-signed cert would do. In the example below we have two traefik instances: one is the main instance and the other is just an example of a service with a self-signed cert.
docker-compose.yaml:
version: "3"
services:
  # This is the second traefik instance, which we use as an example
  # of a site that serves a self-signed certificate.
  # In theory any site that serves a self-signed certificate would do.
  dashboard:
    image: traefik:v2.0.1
    # This is so we can validate externally (in a browser or with curl
    # & openssl) that the site is up and that the cert is self-signed.
    # This is not required for the example to run.
    ports:
      - "8443:443"
    command:
      # listen on 443
      - --entryPoints.websecure.address=:443
      # serve the dashboard
      - --api
      # load dynamic config from a file
      - --providers.file.filename=/dashboard.toml
      # note: the docker provider is not enabled for this one, since the purpose
      # of this container is not to be traefik but just a random web site with
      # a self-signed cert
    volumes:
      - "./dashboard.toml:/dashboard.toml"
    # These labels are read by the _main_ traefik instance, not this one
    labels:
      # expose this via the main traefik instance
      - "traefik.enable=true"
      # all requests should match
      - "traefik.http.routers.dashboard.rule=PathPrefix(`/`)"
      # web is the only entry point the main traefik instance defines
      - "traefik.http.routers.dashboard.entrypoints=web"
      # We need to let traefik know the port and URL scheme;
      # we are doing that via a service
      - "traefik.http.routers.dashboard.service=dashboard"
      # This is the port traefik will forward requests to
      - "traefik.http.services.dashboard.loadbalancer.server.port=443"
      # And this is so it knows that the requests will be TLS
      - "traefik.http.services.dashboard.loadbalancer.server.scheme=https"
  # And this is the main traefik instance
  traefik:
    image: traefik:v2.0.1
    ports:
      # Let's keep it simple, no TLS
      - "80:80"
    command:
      - --entryPoints.web.address=:80
      # this is so that traefik does not try to expose itself
      - --providers.docker.exposedByDefault=false
      - --log.level=DEBUG
      # if you omit this you will get the "Internal Server Error" due to
      # the self-signed certificate
      - --serverstransport.insecureskipverify=true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
and dashboard.toml:
[http.routers.dashboard]
entryPoints = ["websecure"]
service = "api@internal"
rule = "PathPrefix(`/`)"
[http.routers.dashboard.tls]
Without --serverstransport.insecureskipverify=true you will get Internal Server Error on the page and
level=debug msg="'500 Internal Server Error' caused by: x509: cannot validate certificate for 192.168.48.3 because it doesn't contain any IP SANs"
in the debug log.
With --serverstransport.insecureskipverify=true it works.
At https://host:8443 you can see the internal website with the self-signed cert, and at http://host it's exposed via traefik.
If you add the self-signed certificate as a CA, e.g.
- --serverstransport.rootcas=/ca.pem
you can avoid the insecureskipverify; you just need to make the file accessible to traefik, for example:
volumes:
  - /d/p/trajano.net/devops-ca-R2.crt:/ca.pem
Here's the relevant chunk from the Trajano base Docker swarm stacks.
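To see why insecureskipverify makes every backend "work" and why rootcas is the verifying alternative, here is an added Go example (written for this thread; it is not Traefik's code and not from any poster) that reproduces the two checks Go's crypto/x509 package applies to a server certificate: chain building against a trust store, then matching the dialled name against the SANs. Traefik is written in Go, and the "doesn't contain any IP SANs" text in the debug log above is the wording of that package's HostnameError. The certificates are constructed in memory; the CN openhab.internal and the address 192.168.48.3 (the container IP from the log) are example values. A CertPool stands in for the file named by --serverstransport.rootcas, and the insecureSkipVerify parameter for --serverstransport.insecureskipverify.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SelfSignedCert builds a throwaway self-signed server certificate for the
// example (constructed in memory, nothing written to disk). An empty ipSAN
// gives a cert with only a DNS SAN, the usual shape of an appliance default
// cert; a non-empty ipSAN adds that address as an IP SAN.
func SelfSignedCert(cn string, ipSAN string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed: it is its own issuer
	}
	if ipSAN != "" {
		tmpl.IPAddresses = []net.IP{net.ParseIP(ipSAN)}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// PoolOf is the in-memory equivalent of the file named by
// --serverstransport.rootcas: a trust store holding exactly these certs.
func PoolOf(certs ...*x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	for _, c := range certs {
		pool.AddCert(c)
	}
	return pool
}

// VerifyBackendCert runs the checks a Go TLS client applies to a server cert:
// the name it dialled (serverName, a host or an IP) must appear in the SANs,
// and the cert must chain to something in roots. insecureSkipVerify skips
// both, which is exactly why that flag makes any backend cert acceptable.
func VerifyBackendCert(cert *x509.Certificate, roots *x509.CertPool, serverName string, insecureSkipVerify bool) error {
	if insecureSkipVerify {
		return nil // no trust store lookup, no name match: any cert is accepted
	}
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	return err
}

func main() {
	const backendIP = "192.168.48.3" // example value: the container address from the debug log
	noIP, _ := SelfSignedCert("openhab.internal", "")
	withIP, _ := SelfSignedCert("openhab.internal", backendIP)

	scenarios := []struct {
		label string
		err   error
	}{
		{"no rootcas, name matches but nobody trusts the cert", VerifyBackendCert(withIP, PoolOf(), backendIP, false)},
		{"rootcas set, dialled by IP, cert has no IP SAN", VerifyBackendCert(noIP, PoolOf(noIP), backendIP, false)},
		{"rootcas set, cert carries the backend IP as SAN", VerifyBackendCert(withIP, PoolOf(withIP), backendIP, false)},
		{"insecureskipverify=true, untrusted cert, wrong name", VerifyBackendCert(noIP, PoolOf(), backendIP, true)},
	}
	for _, s := range scenarios {
		if s.err != nil {
			fmt.Printf("%-55s -> %v\n", s.label, s.err)
		} else {
			fmt.Printf("%-55s -> ok\n", s.label)
		}
	}
}
```

Running it prints the four outcomes: "certificate signed by unknown authority" for the untrusted cert, the same "cannot validate certificate for 192.168.48.3 because it doesn't contain any IP SANs" message as the log for a trusted cert dialled by an address it does not name, ok for a trusted cert with the right SAN, and ok for everything once verification is skipped. The second case is the practical caveat for the rootcas route: the log shows Traefik dialled the container by IP, so trusting the backend cert only helps if that cert also names the address Traefik connects to.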
Figured it out! The insecureskipverify works when using this label on the container you want to expose:
- "traefik.http.services.dashboard.loadbalancer.server.scheme=https"
so you have to use insecureskipverify=true AND the label. Thanks for your help!
Thanks, I'm gonna try this next time =)
I was just checking why you had scheme, but I didn't recall doing it on my final stack. It turns out I was using TCP routing; I think that also does TLS certificate checks as well when I did the TLS section https://docs.traefik.io/v2.0/routing/routers/#tls_1
Thanks a lot, I was actually confused between the "redirectscheme.scheme=https" from my middleware catch-all and the "loadbalancer.server.scheme=https". It tricked my mind.
Getting the same issue, only in Kubernetes. Any ideas?
Thanks
Same answer, only in Kubernetes, I guess?