Problem with WSS to WS on the same port as https

Traefik Traefik v2
1

Hello!
I set up a docker compose with a traefik proxy, and a tomcat spring application, with websocket.
The ws working with a localhost tomcat, its working with the mapped ports, but nor working with the traefik:
the config:

  reverse-proxy:
    image: traefik:v2.10
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - "--api.insecure=false"
      - "--api.dashboard=true"  
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--entryPoints.websecure.forwardedHeaders.insecure=false"
      - "--entryPoints.websecure.proxyProtocol.insecure=false"
      - "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7"
      - "--entryPoints.websecure.proxyProtocol.trustedIPs=10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7"
      - "--entrypoints.web.address=:80"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=ignis.veneficus@gmail.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_HOST}`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirect.redirectscheme.permanent=true"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.wss.protocol=https"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ${ROOT_PATH}/letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped

for the webapp:

  mud:
    image: tomcat:9-jdk8-corretto
    container_name: javamud
    restart: unless-stopped
    volumes:
      - "${MUD_PATH}/data:/usr/local/tomcat/webapps"
      - "${MUD_PATH}/conf:/usr/local/tomcat/conf"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mud.entrypoints=websecure"
      - "traefik.http.routers.mud.rule=Host(`${MUD_HOST}`)"
      - "traefik.http.routers.mud.tls.certresolver=myresolver"
      - "traefik.http.services.mud.loadbalancer.server.port=8080"
      - "traefik.http.services.mud.loadbalancer.passHostHeader=true"
    ports:
      - "8092:8080"

The WSS closing by error 1006, the traefik log:

traefik   | 192.168.xxx.xxx - - [18/Apr/2024:17:34:58 +0000] "GET /javaMud3/server HTTP/1.1" 403 0 "-" "-" 154 "mud@docker" "http://192.168.101.10:8080" 8ms

And its working if I connect to directy to the host via port 8092 (with http, and ws)

I think I miss one or more setting.
I did heavy googling but nothing helps.
Thanx

Csaba

2

Does http://${MUD_HOST} and ws://${MUD_HOST} work with Traefik?

And https://${MUD_HOST} and wss://${MUD_HOST} does not?

Enable Traefik access log in JSON format, to see if 403 is coming from Traefik (DownstreamStatus) or the application (OriginStatus).

3

http://${MUD_HOST} is working, i get the static page from it:

traefik   | 192.168.xxx.xxx - - [18/Apr/2024:17:34:58 +0000] "GET /javaMud3/ HTTP/2.0" 200 9894 "-" "-" 138 "mud@docker" "http://192.168.101.10:8080" 46ms
traefik   | 192.168.xxx.xxx - - [18/Apr/2024:17:34:58 +0000] "GET /javaMud3/static/css/main.css HTTP/2.0" 200 6804 "-" "-" 142 "mud@docker" "http://192.168.101.10:8080" 16ms
traefik   | 192.168.xxx.xxx - - [18/Apr/2024:17:34:58 +0000] "GET /javaMud3/static/css/ansi.css HTTP/2.0" 200 1616 "-" "-" 141 "mud@docker" "http://192.168.101.10:8080" 17ms
traefik   | 192.168.xxx.xxx - - [18/Apr/2024:17:34:58 +0000] "GET /javaMud3/static/font/DejaVu.css HTTP/2.0" 200 1346 "-" "-" 139 "mud@docker" "http://192.168.101.10:8080" 19ms

I will check the json log, and after come back
Thanx

4

So: no luck:
I set the log into file, and json format:

      - "--log.level=DEBUG"
      - "--log.format=json"
      - "--log.filePath=/traefik.log/traefik.log"

I have lots of logs about setting up the system, and than stopping, but between nothing, I have traffic log in old format at the docker std out as before.
Thanx

5

Enable Traefik access log in JSON format, to see if 403 is coming from Traefik (DownstreamStatus) or the application (OriginStatus).

Doc

6

Sorry my bad. I set up the access log:

The response come from the application: OriginStatus is 403.
So: The traefik used an https->http change and its working fine for the static elements.
The WS is working for direct connection (http+ws on host:8092). I think some header elements left in the request on the application.

{"ClientAddr":"xxxx:53833","ClientHost":"xxx","ClientPort":"53833","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":403,"Duration":4803130,"OriginContentSize":0,"OriginDuration":4759391,"OriginStatus":403,"Overhead":43739,"RequestAddr":"xxxx","RequestContentSize":0,"RequestCount":289,"RequestHost":"xxxx","RequestMethod":"GET","RequestPath":"/javaMud3/server","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"RouterName":"mud@docker","ServiceAddr":"192.168.101.12:8080","ServiceName":"mud@docker","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"192.168.101.12:8080","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2024-04-19T12:39:05.780075469Z","StartUTC":"2024-04-19T12:39:05.780075469Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2024-04-19T12:39:05Z"}

If I know what is different in the request when I call thru traefik and directly I can google for the spring framework.

Thanx