[Solved] Reverse Proxy with https backend not working

Hi,

I'm trying to use Traefik to route to a non docker server with an selfsigned https certificate.
toml:

[file]

[frontends]
 [frontends.mail]
  backend = "mail"
  passHostHeader = true
   [frontends.mail.routes]
    [frontends.mail.routes.route0]
     rule = "Host:xxx.test.net"
   [frontends.mail.auth.forward.tls]
    insecureSkipVerify = true

[backends]
 [backends.mail]
  [backends.mail.auth.forward.tls]
   insecureSkipVerify = true
  [backends.mail.servers]
   [backends.mail.servers.server0]
    url = "https://xxx.int.test.net"
    weight = 1

Now I get the error message from Traefik:

"Error calling . Cause: Get : unsupported protocol scheme """

any hint? I can't find an example with a https backend...

Hello,

This section is related to forward-authentication

Then the insecureSkipVerify apply on the authentication and not on the frontend.

It's not a valid section: forward-authentication only exists on frontends and entry points.

https://docs.traefik.io/v1.7/configuration/backends/file/#reference

I think that a error come because you activated the forward-authentication, then you have to remove the related section.

Hi,

thanks for your reply, I deleted the backend section (the tls part) but the error remains the same, no change.
I deleted the TLS part in the forward section and then the error changes to

'500 Internal Server Error' caused by: x509: certificate signed by unknown authority

This is in my case expected because of the self signed cert...
any other ideas?

sorry to bump this up but really no one has an idea how to reverse proxy to a backend with a self signed cert?

This is because, indeed, your certificate is signed by an unknown authority.

You need to skip certificate verification to allow Traefik to connect with that certificate.

The insecureSkipVerify configuration will do just this, however please note that it disables verification for all connections, not just for one server.

https://docs.traefik.io/v1.7/configuration/commons/#main-section

thanks, I was aware of that issue with the self signed cert, but if I use the insecureSkipVerify option the error changes to

"Error calling . Cause: Get : unsupported protocol scheme """

No idea how to solve that

Hello @cybermcm,

Can you please provide the toml you are currently using, as it seems you have made some modifications from previously posted code snippets.

Thanks!

thx for taking a look @daniel.tomcej
I tried different URLs for backend, FQDN and hostname only, same error

[file]

[frontends]
 [frontends.mail]
  backend = "mail"
  passHostHeader = true
   [frontends.mail.routes]
    [frontends.mail.routes.route0]
     rule = "Host:mail.xyz.net"
   [frontends.mail.auth.forward.tls]
    insecureSkipVerify = true

[backends]
 [backends.mail]
  [backends.mail.servers]
   [backends.mail.servers.server0]
    url = "https://s003"
    weight = 1

level=debug msg="Error calling . Cause: Get : unsupported protocol scheme """

The reason you are seeing this error message:

Is because you have enabled forward authentication, but have not provided it a URL to forward the request to. Hence, the empty scheme in the error.

[frontends]
 [frontends.mail]
  backend = "mail"
  passHostHeader = true
   [frontends.mail.routes]
    [frontends.mail.routes.route0]
     rule = "Host:mail.xyz.net"
   [frontends.mail.auth.forward.tls] # <-----
    insecureSkipVerify = true # <----- Missing address

An example of what we mean would be this:

insecureSkipVerify = true

[file]

[frontends]
 [frontends.mail]
  backend = "mail"
  passHostHeader = true
   [frontends.mail.routes]
    [frontends.mail.routes.route0]
     rule = "Host:mail.xyz.net"

[backends]
 [backends.mail]
  [backends.mail.servers]
   [backends.mail.servers.server0]
    url = "https://s003"
    weight = 1

As the insecureSkipVerify is a Global setting, not per-frontend or backend.

You solved my puzzle!! The setting has to be put in as global setting, didn't notice that.
Many thanks, now it is working!