Properly Specifying a Static Service using File Provider

I have a swarm with Traefik and other services. I have a docker-compose container in the same network, but not in the swarm (as it requires privileged access). Nevertheless, I can ping that container from Traefik. As the service is outside the swarm, I am trying to configure it as a static service, using the file provider. As far as I can understand, I should be quite near the proper solution. But I am getting a "Service Unavailable". Some insights are welcome.

My toml configuration follows.

[http]
  [http.routers]
    [http.routers.foo]
      rule = "Host(`foo.bar.com`)"
      service = "foo"
      middlewares = ["https-redirect"]
      entryPoints = ["http"]

    [http.routers.foo-https]
      rule = "Host(`foo.bar.com`)"
      entryPoints = ["https"]
      service = "foo"
      [http.routers.foo-https.tls]
        certResolver = "le"


  [http.services]
    [http.services.foo]
      [http.services.foo.loadBalancer]
        passHostHeader = true
        # the servers array must live under the same [http] table as the service
        [[http.services.foo.loadBalancer.servers]]
          #port = 443
          #scheme = "https"
          url = "https://foo_container:443"

  [http.middlewares]
    [http.middlewares.https-redirect.redirectScheme]
      scheme = "https"
      permanent = true

Hi @ambs

You have the overlay network created as attachable and the singleton container attached to that network?

Hi, @cakiwi .
Yes, I have. As I said, I am able to ping the container from inside the bash of the Traefik container.
Also, just for testing, I tried to use the IP directly on the URL, and it still didn't work.
To be sure the request wasn't being rejected by the service, I tried to wget it from a temporary container, and it is answering and logging. When I try to access the domain through Traefik, the service doesn't log any request.
Thanks for any help,
Alberto

This is fishy. Http on port 443?

Hi
Yeah, you are correct. Unfortunately that is not the problem. I did test a lot of combinations, and I didn't notice that I was posting a stupid approach. As you can see, I even have two lines commented for port and scheme.
My current attempt is with https and port specified, as updated in the original message.
Thank you

Is the cert presented by foo_container signed by a public CA?

No, it is not.
In any case, I have this in the static config:

[serversTransport]
insecureSkipVerify=true

Not sure if I need something more.

No I think that should cover it.

Anything in the traefik logs? Turned it up to debug?

Hi,
Sorry for the delay. Just wanted to be sure before answering, as I've tested that before, but did not take note of the exact message.

I am getting only the access log:

traefik_traefik.1.t6oixgxfcmfr@xxx    | 10.11.0.4 - - [17/Mar/2021:15:10:50 +0000] "GET / HTTP/2.0" 503 19 "-" "-" 3 "foo-https@file" "-" 0ms

I have only this:

[log]
 level="DEBUG"

Not sure there is anything more I can turn on to keep debugging.
Thank you

Yes, that is it. I would recommend json format for the accesslogs, as there is more information in it, such as Origin Response. You can add it to the CLF format logs too if you wish.

You could try insecureSkipVerify option at the service level too.

I think this is not helping much...

{
   "ClientAddr":"10.11.0.4:53894",
   "ClientHost":"10.11.0.4",
   "ClientPort":"53894",
   "ClientUsername":"-",
   "DownstreamContentSize":19,
   "DownstreamStatus":503,
   "Duration":265197,
   "OriginContentSize":19,
   "OriginDuration":50590,
   "OriginStatus":503,
   "Overhead":214607,
   "RequestAddr":"xxx.foo.com",
   "RequestContentSize":0,
   "RequestCount":1,
   "RequestHost":"xxx.foo.com",
   "RequestMethod":"GET",
   "RequestPath":"/",
   "RequestPort":"-",
   "RequestProtocol":"HTTP/2.0",
   "RequestScheme":"https",
   "RetryAttempts":0,
   "RouterName":"foo-https@file",
   "StartLocal":"2021-03-17T20:55:07.001853432Z",
   "StartUTC":"2021-03-17T20:55:07.001853432Z",
   "entryPointName":"https",
   "level":"info",
   "msg":"",
   "time":"2021-03-17T20:55:07Z"
}

Setting insecureSkipVerify at the service level did not help, too.
Is there any other trick I can use debug this properly?

Well that certainly looks to me like the 503 is coming from the origin. It's not liking something that is coming from traefik. Is the service expecting a certain SNI?

Sorry for my ignorance, what is a SNI? I tried googling, but I didn't understand it properly.
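SNI (Server Name Indication) is the hostname a TLS client sends in its ClientHello so the server can pick the matching certificate and virtual host. When Traefik proxies to an https backend it acts as that client, and by default the name it sends is the host part of the server url (here "foo_container"), not the public hostname the browser asked for. The following dynamic configuration is an added example for this thread, not the original poster's config or anything from the Traefik project; it shows the Traefik v2.4+ per-service serversTransport, which lets you pin the SNI value and verify the backend's certificate properly instead of skipping verification globally. The transport name "foo-transport" and the CA file path "/etc/traefik/foo-ca.pem" are assumptions; the http-to-https redirect router from the thread is unchanged and omitted here.

```toml
# Added example (not the original poster's config): file-provider dynamic
# configuration for a static HTTPS backend outside the swarm, Traefik v2.4+.
# Assumed names: transport "foo-transport", CA file /etc/traefik/foo-ca.pem,
# backend host foo_container, public host foo.bar.com.

[http]
  [http.routers]
    [http.routers.foo-https]
      rule = "Host(`foo.bar.com`)"
      entryPoints = ["https"]
      service = "foo"
      [http.routers.foo-https.tls]
        certResolver = "le"

  [http.services]
    [http.services.foo]
      [http.services.foo.loadBalancer]
        passHostHeader = true
        # Per-service transport; "@file" names the provider the transport is defined in.
        serversTransport = "foo-transport@file"
        # The array header must sit under the same [http] table as the service,
        # otherwise the service ends up with no servers to forward to.
        [[http.services.foo.loadBalancer.servers]]
          url = "https://foo_container:443"

  # v2.4+: transport settings that apply only to the services referencing them.
  [http.serversTransports]
    [http.serversTransports.foo-transport]
      # SNI value sent in the TLS ClientHello. Without this Traefik sends the
      # host from the server url ("foo_container"); a backend whose certificate
      # or virtual host is bound to foo.bar.com may reset or reject that.
      serverName = "foo.bar.com"
      # Weak setting: accept any certificate, so the backend is never
      # authenticated and an attacker on the overlay network could impersonate it.
      # insecureSkipVerify = true
      # Preferred: trust only the backend's own self-signed certificate (or the
      # private CA that issued it). The certificate's SAN must cover serverName,
      # because hostname verification still runs against that value.
      rootCAs = ["/etc/traefik/foo-ca.pem"]
```

To see what the backend actually presents, and whether it behaves differently for different SNI values, connect from inside the Traefik container with openssl (the alpine-based image does not ship it, so install it first, for example with apk add openssl): openssl s_client -servername foo.bar.com -connect foo_container:443 shows the certificate chain and the SAN list; repeating it without -servername, or with foo_container as the name, reproduces what Traefik sends by default. If the handshake is reset in one case and succeeds in the other, the backend is SNI-sensitive and serverName is the fix; if both succeed, look instead at the Traefik logs for file-provider parse errors, since a malformed dynamic file is another way to end up with a service that has no servers.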

Just for reference, I was using traefik without swarm mode, and this service was working. As now I am putting traefik in swarm, and the service from a compose, I can't use the same configuration (labels in the service).

These were my labels when the system was running without swarm mode (and it worked):

    labels:
        traefik.enable: true
        traefik.docker.network: traefik-public
        traefik.constraint-label: traefik-public
        traefik.http.routers.xxx-http.rule: Host(`xxx.foo.com`)
        traefik.http.routers.xxx-http.entrypoints: http
        traefik.http.routers.xxx-http.middlewares: https-redirect
        traefik.http.routers.xxx-https.rule: Host(`xxx.foo.com`)
        traefik.http.routers.xxx-https.entrypoints: https
        traefik.http.routers.xxx-https.tls: true
        traefik.http.routers.xxx-https.tls.certresolver: le
        traefik.http.services.xxx.loadbalancer.server.port: 443
        traefik.http.services.xxx.loadbalancer.server.scheme: https

From inside traefik docker container:

/ # wget -S https://foo:443/
Connecting to foo:443 (10.0.7.136:443)
ssl_client: foo: certificate verification failed: self signed certificate
wget: error getting response: Connection reset by peer

And I get this logged into foo log.
Thus, I still suspect something is wrong on Traefik side...


I find curl better for this.

curl -k -i https://foo

It is strange that changing it to swarm would result in this difference.

Traefik busybox doesn't include curl, as far as I could go.

FYI apk -u add curl

If I get a moment I'll try a similar setup this weekend. What kind of container is the standalone serving https?


Oops, I could have shared that before. With the masking of the URLs I forgot to specify that.
It is Pritunl VPN server (that requires privileged access, and thus, can't be run under swarm).

Sharing here the static config too, in case I am doing some mistake there:

[log]
 #level="DEBUG"
 #format = "json"

[accessLog]
 #format = "json"

[serversTransport]
insecureSkipVerify=true

[providers]
  [providers.docker]
   swarmMode = true
   watch = true
   exposedByDefault = false
   constraints = "Label(`traefik.constraint-label`, `traefik-public`)"
  [providers.file]
    filename = "/etc/traefik/dynamic.toml"

[api]
dashboard = true

[entryPoints]
   [entryPoints.http]
   address = ":80"

   [entryPoints.https]
   address = ":443"

[certificatesResolvers]
  [certificatesResolvers.le]
    [certificatesResolvers.le.acme]
    email = "alberto@xxx.com"
    storage = "/certificates/acme.json"
      [certificatesResolvers.le.acme.tlsChallenge]