Problems after implementing Traefik with OpenAPI Site

Traefik Traefik v2 (latest)
1

Hi,

Currently I've found Traefik solves a bunch of problems and is a great help in my projects.

Nowdays I have a project with FastAPI (Python) which handle everything to generate an OpenAPI site to review and test the endpoints of the API.

I'd like to know why since I've deployed the site using Traefik, the authentication for the OpenAPI is returning " auth error TypeError: NetworkError when attempting to fetch resource." inside of the login, since I've applied the configuration to start the endpoints through Traefik this is what I've noticed.

image
image652×596 36 KB

The authentication in my application outside the OpenAPI site seems to work fine as the endpoint I use to authenticate works from the outside (testing with the my web and mobile application and Postman).

This is my docker-compose configuration for Traefik

services:
  traefik:
    image: traefik:v2.3
    ports:
      - 80:80
      - 443:443
    restart: always
    labels:
      - traefik.enable=true
      - traefik.http.services.traefik-dashboard.loadbalancer.server.port=8080
      - traefik.http.routers.traefik-dashboard-http.entrypoints=http
      - traefik.http.routers.traefik-dashboard-http.rule=Host(`myserver.com`)
      - traefik.docker.network=traefik-public
      - traefik.http.routers.traefik-dashboard-https.entrypoints=https
      - traefik.http.routers.traefik-dashboard-https.rule=Host(`myserver.com`)
      - traefik.http.routers.traefik-dashboard-https.tls=true
      - traefik.http.routers.traefik-dashboard-https.tls.certresolver=le
      - traefik.http.routers.traefik-dashboard-https.service=api@internal
      - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
      - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
      - traefik.http.routers.traefik-dashboard-http.middlewares=https-redirect
      - traefik.http.middlewares.admin-auth.basicauth.users=${USERNAME?Variable not set}:${HASHED_PASSWORD? Variable not set}
      - traefik.http.routers.traefik-dashboard-https.middlewares=admin-auth
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - traefik-public-certificates:/certificates
    command:
      - --providers.docker
      - --providers.docker.exposedbydefault=true
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      - --certificatesresolvers.le.acme.email=my@email.com
      - --certificatesresolvers.le.acme.storage=/certificates/acme.json
      - --certificatesresolvers.le.acme.tlschallenge=true
      - --accesslog
      - --log
      - --api
    networks:
      - traefik-public

volumes:
  traefik-public-certificates:

networks:
  traefik-public:
    external: true

and this is my api docker-compose configuration for the FastAPI server

version: '3.8'
services:
    api:
        build: ./
        image: fastapi-base:latest
        volumes:
            - type: bind
              source: .
              target: /app/
        restart: always
        labels:
          - traefik.enable=true
          - traefik.http.services.app.loadbalancer.server.port=80
          - traefik.http.routers.app-http.entrypoints=http
          - traefik.http.routers.app-http.rule=Host(`myserver.com`)
          - traefik.docker.network=traefik-public
          - traefik.http.routers.app-https.entrypoints=https
          - traefik.http.routers.app-https.rule=Host('myserver.com')
          - traefik.http.routers.app-https.tls=true
          - traefik.http.routers.app-https.tls.certresolver=le
          - traefik.http.middlewares.https-redirect.redirectscheme.scheme=https
          - traefik.http.middlewares.https-redirect.redirectscheme.permanent=true
          - traefik.http.routers.app-http.middlewares=https-redirect
          - traefik.http.routers.app-https.middlewares=admin-auth



        networks:
          - traefik-public

networks:
  traefik-public:
    external: true

Special thanks to @tiangolo to help us understand better Traefik by sharing your knowledge in Youtube.

Best regards,
Claudio.

2

One of the things that I've noticed is that the error code is returning now is:

TypeError: NetworkError when attempting to fetch resource.

I'll update the post

3

One thing I've noticed is the responses:

This is the process from the endpoint by using Postman

traefik_1  | 17.24.4.3 - - [20/May/2022:04:59:33 +0000] "POST /token HTTP/1.1" 307 0 "-" "-" 12 "app-https@docker" "http://172.20.0.2:80" 1ms
traefik_1  | 17.24.4.3 - - [20/May/2022:04:59:33 +0000] "POST /token/ HTTP/1.1" 308 18 "-" "-" 13 "app-http@docker" "-" 0ms
traefik_1  | 17.24.4.3 - - [20/May/2022:04:59:34 +0000] "POST /token/ HTTP/1.1" 200 226 "-" "-" 14 "app-https@docker" "http://172.20.0.2:80" 357ms

This is the messages calling the endopint in the Authentication function of OpenAPI, seems the 308 and the 200 doesn't pops up

traefik_1  | 17.24.4.3 - - [20/May/2022:04:59:42 +0000] "POST /token HTTP/2.0" 307 0 "-" "-" 15 "app-https@docker" "http://172.20.0.2:80" 2ms

Sorry but I don't have a solution yet but I'll keep moving forward.

4

I've found that I was missing something inside the calls I see from the web browser. Seems when the OpenAPI web page is used to perform the login it is attempting to do it through http instead of https. After that I receive this message:

Firefox:
Blocked loading mixed active content “http://fmx-doc-qa.plenussoftware.com/token/”

Chrome:
Mixed Content: The page at 'https://server.com/docs' was loaded over HTTPS, but requested an insecure resource 'http://server.com/token/'. This request has been blocked; the content must be served over HTTPS.

I see this more related to OpenAPI (Swagger) instead of Traefik, but if there is a workaround someone should know it will be great to know.

5

I've found this interesting post, I'll follow it and reply back here for the community: