SSL breaks routing?

solidcloudio · July 30, 2019, 11:59pm

If I use this configuration with http, everything works OK:

[entryPoints]
  [entryPoints.dashboard]
    address = ":8030" 
  
  [entryPoints.http]
   address = ":8029"

If I change it to use HTTPS/TLS like this:

[entryPoints]
  [entryPoints.dashboard]
    address = ":8030" 
  
  [entryPoints.https]
   address = ":8029"
   [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "certs/mfx-servicefabric.crt"
      keyFile = "certs/mfx-servicefabric.key"

The correct certificate shows up in the browser using https://myserver:8029/whatever...

But now all the routing fails... All requests return 404.

What gives, how can I troubleshoot this further.?

With the TLS in place the access log says "backend not found" while with http it routed ok..

dduportal · July 31, 2019, 10:12am

Hi, there is an example here: https://docs.traefik.io/v1.7/user-guide/examples/#http-https-with-sni.

TL;DR; you have to add the httpsentrypoint you created to the list of default entrypoints:

# traefik.toml file
defaultEntryPoints = ["http", "https"]

[entryPoints]
  [entryPoints.dashboard]
    address = ":8030" 
  
  [entryPoints.https]
   address = ":8029"
# (...)

By default, the top-level directive (that must be on top of the traefik.toml file to avoid issues like https://github.com/containous/traefik/issues/5163) defaultEntryPoints is only set to http.

In the example you gave below, by changing the name of the entrypoint to https, then it's not part of the default entrypoints anymore. Hence the need to add it.

Alternatively, you can define the entrypoints of a specific service by using labels/annotations. In your case it would be traefik.frontend.entryPoints=http,https (as described in https://docs.traefik.io/v1.7/configuration/backends/servicefabric/#available-labels).

Let us know the result?

solidcloudio · July 31, 2019, 2:40pm

Thanks for the reply.. So, I am using the default entry points as you outlined in my TOML file.

# Entrypoints to be used by frontends that do not specify any entrypoint.
defaultEntryPoints = ["http", "https"]

As far as the labels go in the help doc:

traefik.frontend.entryPoints=http,https	
-Assign this frontend to entry points http and https.
-Overrides defaultEntryPoints

Doesnt seem like I need that, I'm not trying to override the defaults...

With my current config, the dashboard doesnt show http or https as an entry point and the services just ouright fail onn 8029...

So In the context of using the service Fabric provider, how much of the configuration is read from the TOML file and how much is used from the provider?

I can’t ever see how it’s really configured. Are they combined? Overridden? Can I call the api to see the configuration at runtime? This is a big question that might have big implications for my configuration..

Here is my traefik.toml in its entirety:

################################################################
# Global configuration
################################################################

# Enable debug mode
#
# Optional
# Default: false
#
debug = true

# Traefik logs file
# If not defined, logs to stdout
#
# Optional
# 
[traefiklog]
filePath = "log/traefik.log"
format = "json"

# Log level
#
# Optional
# Default: "ERROR"

logLevel = "DEBUG"

# Entrypoints to be used by frontends that do not specify any entrypoint.
# Each frontend can specify its own entrypoints.
#
# Optional
# Default: ["http"]
#
defaultEntryPoints = ["http", "https"]

# Entrypoints definition
#
# Optional
# Default:
[entryPoints]
  [entryPoints.dashboard]
    address = ":8030" 
	 [entryPoints.https]
   address = ":8029"
   [entryPoints.https.tls]
      [[entryPoints.https.tls.certificates]]
      certFile = "certs/mfx-servicefabric.crt"
      keyFile = "certs/mfx-servicefabric.key" 
#	[entryPoints.https.tls.clientCA]
#        files = ["certs/gdroot-g2.crt"]
#        optional = false


# Enable access logs
# By default it will write to stdout and produce logs in the textual
# Common Log Format (CLF), extended with additional fields.
#
# Optional
#
[accessLog]

# Sets the file path for the access log. If not specified, stdout will be used.
# Intermediate directories are created if necessary.
#
# Optional
# Default: os.Stdout
#
filePath = "log/accesslog.txt"

# Format is either "json" or "common".
#
# Optional
# Default: "common"
#
format = "common"

################################################################
# API definition
################################################################

[api]
  entryPoint = "dashboard"
  dashboard = true
  debug = true

################################################################
# Service Fabric provider
################################################################

# Enable Service Fabric configuration backend
[serviceFabric]

# Service Fabric Management Endpoint
clusterManagementUrl = "https://localhost:19080"
# Note: use "https://localhost:19080" if you're using a secure cluster

# Service Fabric Management Endpoint API Version
apiVersion = "3.0"

refreshSeconds = 10

# Enable TLS connection.
#
# Optional
#
[serviceFabric.tls]
  cert = "certs/localClusterCert-rte.crt"
  key = "certs/localClusterCert-rte.key"
  insecureskipverify = true

UseCertificateAuth    =  true
ClientCertFilePath    = "certs/localClusterCert-rte.crt"
ClientCertKeyFilePath = "certs/localClusterCert-rte.key"
InsecureSkipVerify    =  true

daniel.tomcej · July 31, 2019, 4:48pm

Hello @solidcloudio,

logLevel and defaultEntryPoints are not subkeys of [traefiklog].

Please try this:

 # Global configuration

debug = true
defaultEntryPoints = ["http", "https"]
logLevel = "DEBUG"

[traefiklog]
filePath = "log/traefik.log"
format = "json"

solidcloudio · July 31, 2019, 5:40pm

github.com

jjcollinge/traefik-on-service-fabric/blob/master/Traefik/ApplicationPackageRoot/TraefikPkg/Code/traefik.toml

################################################################
# Global configuration
################################################################

# Enable debug mode
#
# Optional
# Default: false
#
debug = true

# Traefik logs file
# If not defined, logs to stdout
#
# Optional
# 
# [traefiklog]
# filePath = "log/traefik.log"

# Log level

This file has been truncated. show original

So If I uncomment the logging, it breaks this entire configuration ? You can easily see how I got into this state..

It never seems clear in the TOML where a section starts and ends.. You are saying that everything "global" has to go at the top of the file? once you add a key, its enabled for that section of the doc until it finds another key?

daniel.tomcej · July 31, 2019, 5:44pm

Toml ignores whitespace, so this is correct. Everything starts with a key or a table, and only ends when another is defined.

This is correct. In Traefik v2, we created a [global] table to help prevent this sort of issue.

Please see Commons | Traefik | v1.7
for the full list of global configurations that to be used must be defined at the beginning of the toml file.

solidcloudio · July 31, 2019, 5:52pm

OK, thats nice to know.. It seems my Frontends show up with https in the dashboard now.. the https seems to work, now i guess i need to figure out my routing rules in another thread..

thanks for help on this one..

Topic		Replies	Views
HTTP to HTTPs redirect not working Traefik v2 (latest) file , middleware	1	66	March 20, 2024
Routers only on websecure entrypoint by default Traefik v2 (latest) file	4	6690	December 8, 2020
HTTPS Redirection Default Traefik v2 (latest) docker , middleware	2	419	May 21, 2020
Migrate Traefik HTTPS backend Traefik v2 (latest) docker	5	1865	November 27, 2020
Issue with SSL Certificate and Redirection in Traefik Docker Compose Setup Traefik v2 (latest) docker	1	754	August 26, 2023

SSL breaks routing?

Related Topics