Problem with WSS to WS on the same port as https

Hello!
I set up a docker compose with a Traefik proxy and a Tomcat Spring application with WebSocket.
The WS is working with a localhost Tomcat, and it's working with the mapped ports, but it's not working with Traefik.
The config:

  reverse-proxy:
    image: traefik:v2.10
    container_name: "traefik"
    command:
      - "--log.level=DEBUG"
      - "--accesslog=true"
      - "--api.insecure=false"
      - "--api.dashboard=true"  
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.websecure.address=:443"
      - "--entryPoints.websecure.forwardedHeaders.insecure=false"
      - "--entryPoints.websecure.proxyProtocol.insecure=false"
      - "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7"
      - "--entryPoints.websecure.proxyProtocol.trustedIPs=10.0.0.0/8,172.16.0.0/16,192.168.0.0/16,fc00::/7"
      - "--entrypoints.web.address=:80"
      - "--certificatesresolvers.myresolver.acme.tlschallenge=true"
      - "--certificatesresolvers.myresolver.acme.email=ignis.veneficus@gmail.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik.rule=Host(`${TRAEFIK_HOST}`)"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.middlewares.redirect.redirectscheme.scheme=https"
      - "traefik.http.middlewares.redirect.redirectscheme.permanent=true"
      - "traefik.http.middlewares.sslheader.headers.customrequestheaders.X-Forwarded-Proto=https"
      - "traefik.wss.protocol=https"
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - ${ROOT_PATH}/letsencrypt:/letsencrypt
      - /var/run/docker.sock:/var/run/docker.sock
    restart: unless-stopped

For the webapp:

  mud:
    image: tomcat:9-jdk8-corretto
    container_name: javamud
    restart: unless-stopped
    volumes:
      - "${MUD_PATH}/data:/usr/local/tomcat/webapps"
      - "${MUD_PATH}/conf:/usr/local/tomcat/conf"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mud.entrypoints=websecure"
      - "traefik.http.routers.mud.rule=Host(`${MUD_HOST}`)"
      - "traefik.http.routers.mud.tls.certresolver=myresolver"
      - "traefik.http.services.mud.loadbalancer.server.port=8080"
      - "traefik.http.services.mud.loadbalancer.passHostHeader=true"
    ports:
      - "8092:8080"

The WSS is closing with error 1006; the Traefik log:

traefik   | 192.168.xxx.xxx - - [18/Apr/2024:17:34:58 +0000] "GET /javaMud3/server HTTP/1.1" 403 0 "-" "-" 154 "mud@docker" "http://192.168.101.10:8080" 8ms

And it's working if I connect directly to the host via port 8092 (with http and ws).

I think I am missing one or more settings.
I did heavy googling but nothing helps.
Thanks

Csaba

Do http://${MUD_HOST} and ws://${MUD_HOST} work with Traefik?

And https://${MUD_HOST} and wss://${MUD_HOST} do not?

Enable Traefik access log in JSON format, to see if 403 is coming from Traefik (DownstreamStatus) or the application (OriginStatus).

http://${MUD_HOST} is working, I get the static page from it:

traefik   | 192.168.xxx.xxx - - [18/Apr/2024:17:34:58 +0000] "GET /javaMud3/ HTTP/2.0" 200 9894 "-" "-" 138 "mud@docker" "http://192.168.101.10:8080" 46ms
traefik   | 192.168.xxx.xxx - - [18/Apr/2024:17:34:58 +0000] "GET /javaMud3/static/css/main.css HTTP/2.0" 200 6804 "-" "-" 142 "mud@docker" "http://192.168.101.10:8080" 16ms
traefik   | 192.168.xxx.xxx - - [18/Apr/2024:17:34:58 +0000] "GET /javaMud3/static/css/ansi.css HTTP/2.0" 200 1616 "-" "-" 141 "mud@docker" "http://192.168.101.10:8080" 17ms
traefik   | 192.168.xxx.xxx - - [18/Apr/2024:17:34:58 +0000] "GET /javaMud3/static/font/DejaVu.css HTTP/2.0" 200 1346 "-" "-" 139 "mud@docker" "http://192.168.101.10:8080" 19ms

I will check the JSON log and come back afterwards.
Thanks

So: no luck.
I set the log to go to a file, in JSON format:

      - "--log.level=DEBUG"
      - "--log.format=json"
      - "--log.filePath=/traefik.log/traefik.log"

I have lots of logs about setting up the system, and then stopping, but nothing in between. I have the traffic log in the old format on the docker stdout as before.
Thanks

Enable Traefik access log in JSON format, to see if 403 is coming from Traefik (DownstreamStatus) or the application (OriginStatus).

Doc

Sorry, my bad. I set up the access log:

The response comes from the application: OriginStatus is 403.
So: Traefik used an https->http change and it's working fine for the static elements.
The WS is working for direct connection (http+ws on host:8092). I think some header elements are left in the request on the application.

{"ClientAddr":"xxxx:53833","ClientHost":"xxx","ClientPort":"53833","ClientUsername":"-","DownstreamContentSize":0,"DownstreamStatus":403,"Duration":4803130,"OriginContentSize":0,"OriginDuration":4759391,"OriginStatus":403,"Overhead":43739,"RequestAddr":"xxxx","RequestContentSize":0,"RequestCount":289,"RequestHost":"xxxx","RequestMethod":"GET","RequestPath":"/javaMud3/server","RequestPort":"-","RequestProtocol":"HTTP/1.1","RequestScheme":"https","RetryAttempts":0,"RouterName":"mud@docker","ServiceAddr":"192.168.101.12:8080","ServiceName":"mud@docker","ServiceURL":{"Scheme":"http","Opaque":"","User":null,"Host":"192.168.101.12:8080","Path":"","RawPath":"","OmitHost":false,"ForceQuery":false,"RawQuery":"","Fragment":"","RawFragment":""},"StartLocal":"2024-04-19T12:39:05.780075469Z","StartUTC":"2024-04-19T12:39:05.780075469Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","entryPointName":"websecure","level":"info","msg":"","time":"2024-04-19T12:39:05Z"}

If I know what is different in the request when I call through Traefik and directly, I can google for the Spring framework.

Thanks
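
The check suggested in the replies (DownstreamStatus versus OriginStatus), as an added example that is not part of the original thread: it reads Traefik JSON access-log lines (written when `--accesslog.format=json` is set, which is separate from `--log.format`) and reports whether each failing request's status came from the backend or from Traefik itself. The sample lines are constructed, and `status_source` and `failed_requests` are hypothetical helper names.

```python
import json

# Constructed sample entries modelled on the JSON access-log line in the thread;
# hosts and addresses are placeholders, not values from the original post.
SAMPLE_LOG = """\
{"DownstreamStatus":403,"OriginStatus":403,"RequestMethod":"GET","RequestPath":"/javaMud3/server","RequestScheme":"https","RouterName":"mud@docker","ServiceURL":{"Scheme":"http","Host":"backend.example:8080"}}
{"DownstreamStatus":200,"OriginStatus":200,"RequestMethod":"GET","RequestPath":"/javaMud3/","RequestScheme":"https","RouterName":"mud@docker","ServiceURL":{"Scheme":"http","Host":"backend.example:8080"}}
{"DownstreamStatus":404,"OriginStatus":0,"RequestMethod":"GET","RequestPath":"/nowhere","RequestScheme":"https"}
not json: old common-log-format line mixed into the same stream
"""


def status_source(entry):
    """Say whether the client-facing status was produced by Traefik or the backend."""
    # Assumption: OriginStatus of 0 (or absent) means the backend never answered.
    origin = entry.get("OriginStatus", 0)
    downstream = entry.get("DownstreamStatus", 0)
    if not origin:
        return "traefik"
    return "application" if origin == downstream else "traefik-modified"


def failed_requests(log_text, min_status=400):
    """Yield one summary per failing request; skip lines that are not JSON objects."""
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # e.g. common-log-format lines in the same stream
        if not isinstance(entry, dict):
            continue
        status = entry.get("DownstreamStatus", 0)
        if status < min_status:
            continue
        backend = entry.get("ServiceURL") or {}
        yield {
            "path": entry.get("RequestPath"),
            "status": status,
            "source": status_source(entry),
            "router": entry.get("RouterName", "-"),
            # TLS ends at the proxy when the client scheme differs from the backend scheme
            "scheme_change": (entry.get("RequestScheme"), backend.get("Scheme")),
        }


if __name__ == "__main__":
    for row in failed_requests(SAMPLE_LOG):
        print(row)
```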