Struggling with serversTransports in YML config file

I am trying to tighten the security of my Node-RED instance to use HTTPS & SSO on my internal network. Traefik already protects it from the internet.

I updated Node-RED to use the same cert that Traefik gets from Let's Encrypt and can call the site successfully using this curl command:

curl -v --resolve noderedsecuredinternal.my.domain:1882:192.168.1.185 https://noderedsecuredinternal.my.domain:1882/

When I direct Traefik to call this service, it uses the IP address and fails with "no IP SANs". I think I have to use the serversTransports option in my settings file, but I don't see how the relationship between the service and the serversTransports option should be made.

The documentation has far too many instances of the word foobar!

Here is my noderedsecured.yml file:

http:
  # Add the router
  routers:
    noderedsecured:
      entryPoints:
        - websecure
      service: noderedsecured
      rule: Host(`noderedsecured.my.domain`)
      tls:
        certResolver: leresolver
        domains:
          - main: my.domain
            sans:
              - "*.my.domain"

  serversTransports:
    mytransport:
      serverName: noderedsecured.my.domain

  # Add the service
  services:
    noderedsecured:
      loadBalancer:
        servers:
          - url: https://192.168.1.185:1882
        serversTransport: mytransport
        passHostHeader: true

On starting this, I can see no evidence that the serversTransports stanza is used - there are no matches in the Traefik log with debug enabled. The Traefik 2.4 Services Dashboard does not show it either.

Calling the website https://noderedsecured.my.domain/ results in Internal Server Error

The log shows

traefik                 | time="2021-02-16T11:01:40+01:00" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"URL\":{\"Scheme\":\"\",\"Opaque\":\"\",\"User\":null,\"Host\":\"\",\"Path\":\"/\",\"RawPath\":\"\",\"ForceQuery\":false,\"RawQuery\":\"\",\"Fragment\":\"\",\"RawFragment\":\"\"},\"Proto\":\"HTTP/2.0\",\"ProtoMajor\":2,\"ProtoMinor\":0,\"Header\":{\"Accept\":[\"text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\"],\"Accept-Encoding\":[\"gzip, deflate, br\"],\"Accept-Language\":[\"en-US,en;q=0.5\"],\"Cache-Control\":[\"max-age=0\"],\"Te\":[\"trailers\"],\"Uber-Trace-Id\":[\"61f6eebec51c3239:017dd20ea86289dd:61f6eebec51c3239:1\"],\"Upgrade-Insecure-Requests\":[\"1\"],\"User-Agent\":[\"Mozilla/5.0 (Macintosh; Intel Mac OS X 10.16; rv:85.0) Gecko/20100101 Firefox/85.0\"],\"X-Forwarded-Host\":[\"noderedsecured.my.domain\"],\"X-Forwarded-Port\":[\"443\"],\"X-Forwarded-Proto\":[\"https\"],\"X-Forwarded-Server\":[\"d5b140edb228\"],\"X-Real-Ip\":[\"xxx.xxx.xxx.xxx\"]},\"ContentLength\":0,\"TransferEncoding\":null,\"Host\":\"noderedsecured.my.domain\",\"Form\":null,\"PostForm\":null,\"MultipartForm\":null,\"Trailer\":null,\"RemoteAddr\":\"xxx.xxx.xxx.xxx:63763\",\"RequestURI\":\"/\",\"TLS\":null}" ForwardURL="https://192.168.1.185:1882"
traefik                 | time="2021-02-16T11:01:40+01:00" level=debug msg="'500 Internal Server Error' caused by: x509: certificate signed by unknown authority"

I was getting "no IP SANs", but the latest error is now x509: certificate signed by unknown authority. Is this progressing or regressing?

Are there additional debugging or tracing steps that will help me progress this issue?

Steve
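The two debug lines in the post above already locate the failure: Traefik dials the backend by IP (ForwardURL) while the client's Host header carries the DNS name, and the second line is Go's crypto/x509 verifier explaining why it rejected the backend certificate. As an added example (not part of this thread and not Traefik code), here is a small Python triage script that parses Traefik's logfmt debug lines, extracts the forward target, flags when it is an IP literal, and maps each x509 message to the serversTransport option that addresses it. The sample log is constructed: two lines are the thread's output with the Request JSON shortened, the third carries the earlier "no IP SANs" failure worded as Go reports it.

```python
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Constructed sample (not a real capture): the first two lines are the thread's
# debug output with the Request JSON shortened; the third is the earlier
# "no IP SANs" failure, worded as Go's crypto/x509 package reports it.
SAMPLE_LOG = r'''
traefik | time="2021-02-16T11:01:40+01:00" level=debug msg="vulcand/oxy/roundrobin/rr: Forwarding this request to URL" Request="{\"Method\":\"GET\",\"Host\":\"noderedsecured.my.domain\",\"RequestURI\":\"/\"}" ForwardURL="https://192.168.1.185:1882"
traefik | time="2021-02-16T11:01:40+01:00" level=debug msg="'500 Internal Server Error' caused by: x509: certificate signed by unknown authority"
traefik | time="2021-02-16T10:30:12+01:00" level=debug msg="'500 Internal Server Error' caused by: x509: cannot validate certificate for 192.168.1.185 because it doesn't contain any IP SANs"
'''

# logfmt pair: key=bare-value or key="quoted value with \" escapes"
_PAIR = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

# Go x509 message fragment -> (kind, which serversTransport option addresses it)
X509_HINTS = (
    ("doesn't contain any IP SANs", "no_ip_sans",
     "the certificate was checked against the dialed IP; set serversTransport.serverName "
     "to the DNS name the certificate was issued for"),
    ("certificate is valid for", "name_mismatch",
     "serverName (or the dialed host) is not among the certificate's SANs"),
    ("certificate signed by unknown authority", "unknown_ca",
     "the chain does not end in a CA Traefik trusts; add the issuer with "
     "serversTransport.rootCAs instead of disabling checks with insecureSkipVerify"),
)


def parse_logfmt(line):
    """Split one Traefik log line into a dict; quoted values are unescaped
    with json.loads, which accepts Go's %q-style escaping used in these lines."""
    fields = {}
    for key, raw in _PAIR.findall(line):
        fields[key] = json.loads(raw) if raw.startswith('"') else raw
    return fields


def classify_x509(msg):
    for needle, kind, hint in X509_HINTS:
        if needle in msg:
            return {"kind": kind, "hint": hint}
    return {"kind": "other_x509", "hint": msg}


def triage(log_text):
    """Record the backend each 'Forwarding this request' line dialed, and
    explain every x509 failure in terms of the transport settings."""
    report = {"forwards": [], "errors": []}
    for line in log_text.splitlines():
        f = parse_logfmt(line)
        msg = f.get("msg", "")
        if "Forwarding this request to URL" in msg and "ForwardURL" in f:
            target = urlsplit(f["ForwardURL"])
            host = target.hostname or ""
            try:
                ipaddress.ip_address(host)
                dial_is_ip = True      # without serverName, Go verifies against this IP
            except ValueError:
                dial_is_ip = False
            try:
                req_host = json.loads(f.get("Request", "{}")).get("Host")
            except (json.JSONDecodeError, AttributeError):
                req_host = None
            report["forwards"].append({
                "time": f.get("time"),
                "host_header": req_host,
                "dial_host": host,
                "dial_port": target.port,
                "dial_is_ip": dial_is_ip,
                "tls": target.scheme == "https",
            })
        elif "caused by: x509:" in msg:
            entry = classify_x509(msg)
            entry["time"] = f.get("time")
            report["errors"].append(entry)
    return report


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    for fw in r["forwards"]:
        print(f"{fw['time']} Host={fw['host_header']} dialed {fw['dial_host']}:{fw['dial_port']}"
              f" tls={fw['tls']} ip_literal={fw['dial_is_ip']}")
    for e in r["errors"]:
        print(f"{e['time']} {e['kind']}: {e['hint']}")
```

Go's verifier checks the name before it builds the chain, so a log that moves from "no IP SANs" to "certificate signed by unknown authority" shows the name check now passing and trust in the chain as the remaining problem. A Let's Encrypt leaf that a public CA bundle would normally accept still fails this way when the backend serves the leaf without its intermediate, so the chain that `curl -v` prints for the backend is the next thing to compare against what Traefik trusts; `rootCAs` on the transport closes the gap without giving up verification the way `insecureSkipVerify` does.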

Hi @stevegroom, I am facing a similar issue. Were you able to get past the error?

Can you also please share how the serversTransports needs to be configured and referenced?

I have the following configuration

Traefik.toml

#General
[api]
  dashboard = true

[metrics]
  [metrics.prometheus]

[ping]

[log]
  level = "DEBUG"
  filepath = "/traefik/logs/traefik/traefik.log"
  format = "json"

[accessLog]
  filePath = "/traefik/logs/access/access.log"
  bufferingSize = 10

# Allows Traefik to skip the SSL Certificate verification on HTTPS Globally
# Note : Traefik documentation doesn't specify that this configuration needs to be 
# backed with the below label on the service
# - traefik.http.services.nifi-flow.loadbalancer.server.scheme=https

[serversTransport]
  insecureSkipVerify = false

# Allows Traefik to skip the SSL Certificate verification on HTTPS for a specific service

[http.serversTransports.nifiui]
  serverName = "mynifi"
  insecureSkipVerify = true

#ENTRYPOINTS

[entryPoints]
  [entryPoints.web]
    address = ":80"
    [entryPoints.web.http]
      [entryPoints.web.http.redirections]
        [entryPoints.web.http.redirections.entryPoint]
          to = "websecure"
          scheme = "https"

  [entryPoints.websecure]
    address = ":443"
    [entryPoints.websecure.forwardedHeaders]
      trustedIPs = ["<IP_Address>"] # f5
    [entryPoints.websecure.http.tls]

  [entryPoints.apiDashboard]
    address = ':70000'

#MIDDLEWARES
[http.middlewares]
  [http.middlewares.test-retry.retry]
     attempts = 4
  [http.middlewares.https-redirectscheme.redirectScheme]
    scheme = "https"
    permanent = true

#TLS
[[tls.certificates]]
  certFile = "/folder/cert.cer"
  keyFile = "/folder/cert.key"


#PROVIDERS
[providers]
  providersThrottleDuration = 2
  [providers.docker]
    watch = true
    endpoint = "unix:///var/run/docker.sock"
    exposedByDefault = true
    swarmMode = true
    swarmModeRefreshSeconds = 15
    network = "traefik_webgateway"
  [providers.file]
    filename = "/etc/traefik/traefik.toml"
    watch = true

Docker-Compose.yml

version: "3.7"
services:
    nifi:
        user: root
        hostname: mynifi
        image: apache/nifi:latest
        restart: on-failure
        environment:
            - NIFI_WEB_HTTPS_PORT=8443
            - NIFI_WEB_PROXY_HOST=$DOCKER_HOST_URL:443
            - NIFI_WEB_PROXY_CONTEXT_PATH=/
            - SINGLE_USER_CREDENTIALS_USERNAME=<username>
            - SINGLE_USER_CREDENTIALS_PASSWORD=<password>
            - NIFI_SECURITY.AUTORELOAD.ENABLED=true
        volumes:
            - nifi_database_repository:/opt/nifi/nifi-current/database_repository
            - nifi_flowfile_repository:/opt/nifi/nifi-current/flowfile_repository
            - nifi_content_repository:/opt/nifi/nifi-current/content_repository
            - nifi_provenance_repository:/opt/nifi/nifi-current/provenance_repository
            - nifi_state:/opt/nifi/nifi-current/state
            - nifi_logs:/opt/nifi/nifi-current/logs
            - nifi_conf:/opt/nifi/nifi-current/conf
        networks:
            - traefik_webgateway
        deploy:
            labels:
                # traefik
                - traefik.enable=true
                - "traefik.docker.lbswarm=true"
                # service
                - traefik.http.services.nifi-flow.loadbalancer.server.port=8443
                - traefik.http.services.nifi-flow.loadbalancer.server.scheme=https
                - "traefik.http.services.nifi-flow.loadBalancer.serversTransport:nifiui"
                # middlewares
                - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyScheme=https"
                - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyHost=$DOCKER_HOST_URL"
                - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyPort=443"
                - "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyContextPath:/"
                # Routers
                - traefik.http.routers.nifi-flow.middlewares=nifi-headers
                - traefik.http.routers.nifi-flow.service=nifi-flow
                - traefik.http.routers.nifi-flow.entrypoints=$TRAEFIK_HTTPS_ENTRYPOINT
                - traefik.http.routers.nifi-flow.tls=true
                - traefik.http.routers.nifi-flow.rule=Host(`$DOCKER_HOST_URL`) && PathPrefix(`/nifi`)
            restart_policy:
                condition: on-failure
                delay: 120s
                max_attempts: 3
                window: 60s
networks:
  traefik_webgateway:
    external: true

volumes:
  nifi_conf: {external: true}
  nifi_database_repository: {external: true}
  nifi_flowfile_repository: {external: true}
  nifi_content_repository: {external: true}
  nifi_provenance_repository: {external: true}
  nifi_state: {external: true}
  nifi_logs: {external: true}
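Steve's YAML ties a service to a transport with `loadBalancer.serversTransport`; with Docker labels the same reference has two extra pitfalls, both visible in the compose file above: a label written with `:` instead of `=` is stored by Docker as a key with an empty value, so Traefik never sees it, and a transport defined under the file provider has to be referenced as `name@file`, because a bare name resolves inside the Docker provider, which cannot define transports. As an added example (not Traefik's code and not part of this thread), here is a Python lint that walks a label list and reports both cases, plus an HTTPS backend that is left to the global `[serversTransport]` settings; the label list is constructed from the compose file above and the transport name set from the `[http.serversTransports.nifiui]` stanza.

```python
import re

# Constructed input: the Traefik labels from the compose file above, as Docker
# hands them to Traefik (the two entries written with ':' are kept as they are).
SAMPLE_LABELS = [
    "traefik.enable=true",
    "traefik.docker.lbswarm=true",
    "traefik.http.services.nifi-flow.loadbalancer.server.port=8443",
    "traefik.http.services.nifi-flow.loadbalancer.server.scheme=https",
    "traefik.http.services.nifi-flow.loadBalancer.serversTransport:nifiui",
    "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyScheme=https",
    "traefik.http.middlewares.nifi-headers.headers.customRequestHeaders.X-ProxyContextPath:/",
    "traefik.http.routers.nifi-flow.service=nifi-flow",
]
# Transport names the file provider defines ([http.serversTransports.<name>] above).
FILE_TRANSPORTS = {"nifiui"}

# Traefik label keys are case-insensitive, so match on the lowercased key.
_TRANSPORT_KEY = re.compile(r"^traefik\.http\.services\.([^.]+)\.loadbalancer\.serverstransport$")
_SCHEME_KEY = re.compile(r"^traefik\.http\.services\.([^.]+)\.loadbalancer\.server\.scheme$")


def lint_labels(labels, file_transports):
    """Return (label, code, detail) for every label Traefik would not read the way
    it was meant: missing '=' separator, a transport reference that resolves in the
    wrong provider, a reference to an undefined transport, and an HTTPS backend
    that falls back to the global [serversTransport] settings."""
    findings = []
    https_services, referencing = set(), set()
    for label in labels:
        if "=" not in label:
            findings.append((label, "no-separator",
                             "Docker stores this as a key with an empty value; use key=value"))
            continue
        key, value = label.split("=", 1)
        key_lc = key.lower()
        m = _TRANSPORT_KEY.match(key_lc)
        if m:
            referencing.add(m.group(1))
            name, _, provider = value.partition("@")
            if not provider:
                findings.append((label, "unqualified-transport",
                                 f"'{name}' resolves to {name}@docker, and Docker labels cannot "
                                 f"define a serversTransport; write {name}@file"))
            elif provider == "file" and name not in file_transports:
                findings.append((label, "unknown-transport",
                                 f"no [http.serversTransports.{name}] in the file provider"))
            continue
        m = _SCHEME_KEY.match(key_lc)
        if m and value.lower() == "https":
            https_services.add(m.group(1))
    for svc in sorted(https_services - referencing):
        findings.append((svc, "default-transport",
                         "HTTPS backend with no serversTransport: the global [serversTransport] "
                         "insecureSkipVerify/rootCAs settings decide how its certificate is checked"))
    return findings


def repair_label(label, transport_provider="file"):
    """Rewrite a label into the form Traefik expects: '=' as separator and a
    provider-qualified transport name. Traefik keys never contain ':', so the
    first ':' of a separator-less label is the key/value boundary."""
    if "=" in label:
        key, value = label.split("=", 1)
    elif ":" in label:
        key, value = label.split(":", 1)
    else:
        return label
    if _TRANSPORT_KEY.match(key.lower()) and "@" not in value:
        value = f"{value}@{transport_provider}"
    return f"{key}={value}"


if __name__ == "__main__":
    for label, code, detail in lint_labels(SAMPLE_LABELS, FILE_TRANSPORTS):
        print(f"[{code}] {label}\n    {detail}")
    repaired = [repair_label(l) for l in SAMPLE_LABELS]
    print("after repair:", lint_labels(repaired, FILE_TRANSPORTS))
```

The `default-transport` finding is the one to watch from a hardening point of view: once a backend is `scheme=https` but nothing references a transport, the global `[serversTransport]` block decides whether the certificate is verified at all, so a later `insecureSkipVerify = true` there would silently apply to every such service.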

Looks like you shared a password with the rest of the world - go and change that before someone else does!!

Thanks @stevegroom, it's a dummy userid and pwd; I have redacted it now.