I am trying to tighten the security of my nodeRed instance to use HTTPS & SSO on my internal network. Traefik already protects it from the internet.
I updated NodeRed to use the same cert that Traefik gets from LetsEncrypt and can call the site successfully using this curl command
curl -v --resolve noderedsecuredinternal.my.domain:1882:192.168.1.185 https://noderedsecuredinternal.my.domain:1882/
When I direct traefik to call this service - it uses the IP address and fails with no IP SANS. I think I have to use the serversTransports option in my settings file, but I don't see how the relationship between the service and the serversTransports option should be made.
The documentation has far too many instances of the word foobar!
Here is my noderedsecured.yml file:
http:
  # Add the router
  routers:
    noderedsecured:
      entryPoints:
        - websecure
      service: noderedsecured
      rule: Host(`noderedsecured.my.domain`)
      tls:
        certResolver: leresolver
        domains:
          - main: my.domain
            sans:
              - "*.my.domain"
  # serversTransports sits at the http level, next to routers and services
  serversTransports:
    mytransport:
      serverName: noderedsecured.my.domain
  # Add the service
  services:
    noderedsecured:
      loadBalancer:
        servers:
          - url: https://192.168.1.185:1882
        # the service refers to the transport by name
        serversTransport: mytransport
        passHostHeader: true
On starting this, I can see no evidence that the serversTransports stanza is used - there are no matches in the Traefik log with debug enabled. The Traefik 2.4 Services Dashboard does not show it either.
Calling the website https://noderedsecured.my.domain/ results in Internal Server Error.
The log shows
traefik | time="2021-02-16T11:01:40+01:00" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Cache-Control\":[\"max-age=0\"],\"Te\":[\"trailers\"],\"Uber-Trace-Id\":[\"61f6eebec51c3239:017dd20ea86289dd:61f6eebec51c3239:1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0\"],\"X-Forwarded-Host\":[\"noderedsecured.my.domain\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"d5b140edb228\"],\"X-Real-Ip\":[\"xxx.xxx.xxx.xxx\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"noderedsecured.my.domain\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"xxx.xxx.xxx.xxx:63763\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="https://192.168.1.185:1882"
traefik | time="2021-02-16T11:01:40+01:00" level=debug msg="'500 Internal Server Error' caused by: x509: certificate signed by unknown authority"
I was getting no IP SANs, but the latest error is now x509: certificate signed by unknown authority. Is this progressing or regressing?
Are there additional debugging or tracing steps that will help me progress this issue?
Steve
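As an added example (not part of Steve's post and not Traefik's own code), the Go program below reproduces both errors from the log with Go's standard crypto/tls, the library Traefik is built on. It generates a throwaway CA and a leaf certificate for the hostname from the post (both constructed here; the leaf has a DNS SAN and no IP SAN, like a Let's Encrypt certificate), serves it on a loopback port the way Node-RED would, and dials it three ways: by IP with no serverName, with serverName set but the issuing CA absent from the trust store, and with serverName set and the CA supplied, which is what a serversTransport's `rootCAs` option provides. The configuration labels and the `check` helper are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net/http"
	"net/http/httptest"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// newCert issues a self-signed CA when parent is nil, otherwise a leaf for dnsName
// signed by parent. Like a Let's Encrypt leaf it has a DNS SAN only, no IP SAN.
func newCert(dnsName string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{dnsName}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// startBackend plays Node-RED: a loopback HTTPS listener presenting only the leaf certificate.
func startBackend(leaf *x509.Certificate, key *ecdsa.PrivateKey) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.NotFoundHandler())
	srv.TLS = &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{leaf.Raw}, PrivateKey: key}}}
	srv.StartTLS()
	return srv
}

// dial plays Traefik: serverName maps to serversTransport.serverName (empty means verify
// against the dialed host, here an IP), roots to rootCAs. Returns the wording Traefik logs.
func dial(addr, serverName string, roots *x509.CertPool) string {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: serverName, RootCAs: roots})
	if err == nil {
		conn.Close()
		return "ok"
	}
	var hostname x509.HostnameError
	var unknownCA x509.UnknownAuthorityError
	if errors.As(err, &hostname) {
		return "no IP SANs"
	}
	if errors.As(err, &unknownCA) {
		return "certificate signed by unknown authority"
	}
	return err.Error()
}

// Scenario dials a freshly generated backend three ways and returns each outcome.
func Scenario() map[string]string {
	const backendName = "noderedsecuredinternal.my.domain" // the hostname from the post
	ca, caKey := newCert("constructed test CA", 1, nil, nil)
	leaf, leafKey := newCert(backendName, 2, ca, caKey)
	srv := startBackend(leaf, leafKey)
	defer srv.Close()
	addr := srv.Listener.Addr().String() // "127.0.0.1:<port>", an IP URL like the service stanza
	trusted := x509.NewCertPool() // stands in for rootCAs; an empty pool is a store lacking the CA
	trusted.AddCert(ca)
	return map[string]string{
		"url by IP, no serverName":       dial(addr, "", x509.NewCertPool()),
		"serverName set, CA not trusted": dial(addr, backendName, x509.NewCertPool()),
		"serverName set, rootCAs set":    dial(addr, backendName, trusted),
	}
}

func main() { fmt.Println(Scenario()) }
```

Run with `go run`; it prints the three outcomes. The first two are the two errors from the log, in the order they appeared, because Go's verifier checks the name before it builds the chain: setting serverName satisfies the name check, and the chain check is what fails next. Since Let's Encrypt roots are present in any normal system trust store, "unknown authority" at that point usually means the backend presents the leaf without its intermediate (cert.pem rather than fullchain.pem) or the Traefik container has no CA bundle; the third case shows what serversTransport.rootCAs, or a complete chain from the backend, achieves.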