ServersTransports setting is being ignored

Traefik Traefik v3 (latest)
1

I've been trying to set serversTransports but from the traefik.log it seems its not taking effect but I believe I have correctly configured. I don't know if this configuration is not meant to be shown on the traefik.log or if I'm doing something wrong.

My setup is a typical website with a few backends that needs the reverse proxy to provide a client certificate to upstream, although insecureSkipVerify is set to true so traefik won't need to validate the connection. I'm currently testing of an local environment so I don't have the downstream configurations on it.

I'm able to curl to my back end from traefik's container: curl --cert /run/secrets/gateway_cert --key /run/secrets/gateway_cert_key --cacert /run/secrets/ca_pem --http2 https://core_api:5021/core-api/healthcheck it gives me a correct response.

The error that I'm getting is "tls: failed to verify certificate: x509: certificate is valid for ..." as if traefik is trying to validate the connection. It appears as " 500 Internal Server Error" in the front end.

here it is the compose file:

services:
  traefik:
    image: traefik:v3.1
    command:
      - "--api.dashboard=true"
      - "--providers.docker=true"
      - "--entrypoints.web.address=:9091"
      - "--entrypoints.web.address=:9091/core-api"
      - "--entrypoints.web.address=:9091/auth-api"
    secrets:
      - ca_pem
      - gateway_cert
      - gateway_cert_key
    ports:
      - "9091:9091"  # Custom port for HTTP
      - "8080:8080"  # Traefik Dashboard
    volumes:
      - "/var/run/docker.sock:/var/run/docker.sock"
      - "./traefik.yml:/etc/traefik/traefik.yml"
    labels:
      - "traefik.http.services.gateway.loadbalancer.server.scheme=https"
      - "traefik.http.services.gateway.loadbalancer.server.certificateauthorityfile=/run/secrets/ca_pem"
  
  website:
    image: champ_web
    environment:
      - RELEASE_NAME=0
      - APP_VERSION=1
    networks:
      default:
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.website.entrypoints=website"
      - "traefik.http.routers.website.rule=Host(`localhost`)"

  auth_api:
    image: auth_api:latest
    environment: 
      ASPNETCORE_ENVIRONMENT: Release
    secrets:
      - gateway_pfx
      - service_pfx
      - service_pfx_password
    volumes:
      - auth_keys:/auth_keys
    labels:
      - "com.docker.compose.volume.access=rw"
      - "traefik.enable=true"
      - "traefik.http.routers.auth_api.rule=Host(`localhost`) && PathPrefix(`/auth-api`)"
      - "traefik.http.services.auth_api.loadbalancer.server.port=5011"
      - "traefik.http.services.auth_api.loadbalancer.server.scheme=https"
      
  core_api:
    image: core_api:latest
    environment: 
      ASPNETCORE_ENVIRONMENT: Release
      RELEASE_NAME: test
    secrets:
      - gateway_pfx
      - core_pfx
      - core_pfx_password
    volumes:
      - core_keys:/core_keys
    labels:
      - "com.docker.compose.volume.access=rw"
      - "traefik.enable=true"
      - "traefik.http.routers.core_api.rule=Host(`localhost`) && PathPrefix(`/core-api`)"
      - "traefik.http.services.core_api.loadbalancer.server.port=5021"
      - "traefik.http.services.core_api.loadbalancer.server.scheme=https"

and the traefik yml file:

api:
  dashboard: true
  insecure: true

log:
  level: DEBUG
  filePath: "/var/log/traefik.log"

accessLog:
  filePath: "/var/log/access.log"

entryPoints:
  website:
    address: ":9091"

services:
  core_api:
    loadBalancer:
      servers:
        - url: https://core_api:5021
          serversTransport: gatewayTransport
  auth_api:
    loadBalancer:
      servers:
        - url: https://auth_api:5011
          serversTransport: gatewayTransport

http:
  serversTransports:
    gatewayTransport:
      insecureSkipVerify: true
      rootCAs:
        - /run/secrets/ca_pem
      certificates:
        certFile: /run/secrets/gateway_cert     # Gateway's client certificate
        keyFile: /run/secrets/gateway_cert_key        # Gateway's client key

providers:
  docker:
    endpoint: "unix:///var/run/docker.sock"
    exposedByDefault: false
2

You can’t mix static config in traefik.yml and command:, choose one (doc).

Routers and services need to be defined in dynamic config, either in dynamic config file loaded via providers.file or in labels loaded via providers.docker.

3

Thank you for you reply bluepuma77. I've removed the static configuration and successfully established HTTP connections with the upstream service. However, HTTPS is still not functioning. The documentation only provides instructions for setting certificate and key files in static configurations, which doesn't seem to be a straightforward process using labels. I've tried two approaches that I thought would be logical, but neither worked. Please refer to the code below for details.


    services:
      traefik:
        image: traefik:v3.1
        command:
          - "--api.dashboard=true"
          - "--api.insecure=true"
          - "--providers.docker=true"
          - "--providers.docker.exposedbydefault=false"
          - "--entrypoints.web.address=:9091"
          - "--log.level=debug"
          - "--log.filepath=/var/log/traefik.log"
          - "--accessLog.filepath=/var/log/access.log"
          - "--serverstransport.insecureSkipVerify=true"
          - "--serverstransport.rootcas=/run/secrets/ca_pem"
          # - "--providers.docker.tls.cert=/run/secrets/gateway_cert"
          # - "--providers.docker.tls.key=/run/secrets/gateway_cert_key"
        secrets:
          - ca_pem
          - gateway_cert
          - gateway_cert_key
        ports:
          - "9091:9091"  # Custom port for HTTP
          - "8080:8080"  # Traefik Dashboard
        volumes:
          - "/var/run/docker.sock:/var/run/docker.sock"
        labels:
          - "traefik.enable=true"
          # - "http.serversTransports.gatewayTransport.certificates.certFile=/run/secrets/gateway_cert"
          # - "http.serversTransports.gatewayTransport.certificates.keyFile=/run/secrets/gateway_cert_key"

then reference the certificate on the service containers with:

- "traefik.http.services.auth_api.loadbalancer.server.serversTransport=gatewayTransport"
4

Check the dynamic reference for Docker (doc), if serversTransport is supported.

Not all options are supported by providers.docker, some are only available with providers.file.

5

Thank you bluepuma77, I was able to set the upstream's mtls with file provider.

6

This topic was automatically closed 3 days after the last reply. New replies are no longer allowed.