The dashboard is not accessible: bug or wrong code?

Before

Your connection to this site is not secure
The site does not have a certificate.
Since the connection is not secure, information (such as passwords or credit cards) will not be sent securely to this site and could be intercepted or viewed by others.

After

Connection is secure
This site has a valid certificate, issued by a trusted authority.
Information (for example, passwords or credit cards) will be sent securely to this site and cannot be intercepted.
Always make sure you are on the intended site before entering any information.

Maybe you don't see the problem because you hit 'cancel' and get to the '401 Unauthorized' page. The 401 page has a valid certificate. While you are typing your credentials, the certificate is not valid.

Does your site have this problem too or just mine?

I do not hit cancel. When the password dialog is open, I see working TLS. When I get to the site with user/pass, I see working TLS.

I am using a Mac with Firefox. Maybe just switch your browser. I think your browser is just showing sh*# (sorry).

Alternatively you can use tools like Wireshark (open-source) to really look into the TCP/IP traffic going from your PC to your server. It will show you which connections use TLS.


If I change browser and operating system, I don't notice any change. Before entering the credentials, the browser does not receive a valid certificate.

[Screenshots: Windows, Linux, Apple]

Maybe the browser is just not showing the TLS icon in the bar because it hasn't really loaded a page. The browser tried to load the page but got a 401 response, so there is no content to display; credentials are needed. So it will only open a user/pass dialog.

Please check the browser's developer tools' network tab for the real requests/responses.


It is possible, but the browser is asking me for credentials without having a valid certificate in its pocket. This fact is important and cannot be overlooked. My credentials are not safe. If your thesis were correct, the problem would remain. Traefik should redirect to https, provide the certificate and only then ask for the credentials; instead it does the exact opposite, first asking for the credentials and then providing the certificate. It seems obvious to me. Could you answer my following 2 questions?

Question 1

Is this problem only on my site or are you also experiencing this behavior on your sites?

Question 2

In your opinion:
1 - Traefik has a bug and the 2 codes (the one with Docker Swarm and the one without) are written correctly and can't be improved to fix this bug;
2 - Codes can be improved.

When I access your server (without user/pass), I can see that TLS is working:

# curl -v 'https://traefik.federicogalimberti.tk/dashboard/'
*   Trying 34.230.181.213:443...
* Connected to traefik.federicogalimberti.tk (34.230.181.213) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_128_GCM_SHA256
* ALPN, server accepted to use h2
* Server certificate:
*  subject: CN=traefik.federicogalimberti.tk
*  start date: Dec 11 11:34:56 2022 GMT
*  expire date: Mar 11 11:34:55 2023 GMT
*  subjectAltName: host "traefik.federicogalimberti.tk" matched cert's "traefik.federicogalimberti.tk"
*  issuer: C=US; O=Let's Encrypt; CN=R3
*  SSL certificate verify ok.
* Using HTTP2, server supports multi-use
* Connection state changed (HTTP/2 confirmed)
* Copying HTTP/2 data in stream buffer to connection buffer after upgrade: len=0
* Using Stream ID: 1 (easy handle 0x557eb1eea160)
> GET /dashboard/ HTTP/2
> Host: traefik.federicogalimberti.tk
> user-agent: curl/7.74.0
> accept: */*
>
* TLSv1.3 (IN), TLS handshake, Newsession Ticket (4):
* Connection state changed (MAX_CONCURRENT_STREAMS == 250)!
< HTTP/2 401
< content-type: text/plain
< www-authenticate: Basic realm="traefik"
< content-length: 17
< date: Mon, 12 Dec 2022 08:46:04 GMT
<
401 Unauthorized

Answer 1: I get the same request/response from both servers.

Answer 2: If you open a bug ticket, do so with the browsers giving you an insecure impression.

If you still feel unsure, 1) check the network tab of your browser, 2) use Wireshark to check the TCP/IP connections, 3) check the behaviour with a different server with TLS & auth, e.g. nginx-proxy.


How do I open a bug ticket?

Open Microsoft Edge and click on ...->Help and feedback->Send feedback and report the issue.


Ah OK! I did not understand. I don't think the problem is due to the browser, also because all browsers on all operating systems do not get the certificate when writing the credentials. I think the problem is Traefik (bad code or bug). On Apple, Windows and Linux, with Chrome, Firefox, Edge and Opera, when I type the credentials the browser does not say that I am using a secure https connection, and at that point my credentials can be intercepted.

How about another round of show-me-your-TLS-icon, this time with nginx :)

https://test-nginx-htpasswd.twilightparadox.com/
user: test 
pass: password

Howto

# htpasswd comes with apache2-utils; the file is named after the vhost,
# which is how nginx-proxy finds it under /etc/nginx/htpasswd/
apt-get install apache2-utils
mkdir -p /root/htpasswd
htpasswd -c /root/htpasswd/test-nginx-htpasswd.twilightparadox.com test

docker run --detach \
    --name nginx-proxy \
    --publish 80:80 \
    --publish 443:443 \
    --volume certs:/etc/nginx/certs \
    --volume vhost:/etc/nginx/vhost.d \
    --volume html:/usr/share/nginx/html \
    --volume /var/run/docker.sock:/tmp/docker.sock:ro \
    --volume /root/htpasswd:/etc/nginx/htpasswd \
    nginxproxy/nginx-proxy

docker run --detach \
    --name nginx-proxy-acme \
    --volumes-from nginx-proxy \
    --volume /var/run/docker.sock:/var/run/docker.sock:ro \
    --volume acme:/etc/acme.sh \
    --env "DEFAULT_EMAIL=mail@test-nginx-htpasswd.twilightparadox.com" \
    nginxproxy/acme-companion

docker run --detach \
    --name your-proxied-app \
    --env "VIRTUAL_HOST=test-nginx-htpasswd.twilightparadox.com" \
    --env "LETSENCRYPT_HOST=test-nginx-htpasswd.twilightparadox.com" \
    nginx

Gladly. The story does not change: I enter the credentials on an insecure connection.

This time it was nginx as reverse proxy, not Traefik.

I still think it is just bad wording, as network tab and curl clearly show TLS is working.


It could also be a limitation of these tools. I remain of the opinion that it is a bug.

I agree, the wording is wrong, consider it a bug. But the wording comes from the browser.

On the technical side, the browser fetches the page (with TLS), gets a 401 error (not authorized) and closes the connection. Then it shows the login dialog to the user and, once the credentials are entered, opens a new connection (with TLS and user/pass). You can see that in the network tab.

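The exchange described in the last reply (401 challenge over TLS, then a retry carrying the credentials over TLS), as an added example that is not part of the original thread or of Traefik's code. It is a Go program, Go being the language Traefik is written in, that stands up an in-process HTTPS server with a self-signed certificate generated by httptest, lets a handler play the BasicAuth middleware, and replays the two client round trips. The test/password pair, the /dashboard/ path and the realm string "traefik" are taken from this thread; the server, handler and function names are assumptions of this example.

```go
package main

import (
	"crypto/subtle"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Demo credentials: the test/password pair used for the nginx test site in
// this thread. They are an assumption of this example, not a real account.
const (
	demoUser = "test"
	demoPass = "password"
)

// basicAuthHandler plays the reverse proxy's BasicAuth middleware: missing or
// wrong credentials -> 401 plus a WWW-Authenticate challenge; valid -> 200.
func basicAuthHandler(w http.ResponseWriter, r *http.Request) {
	user, pass, ok := r.BasicAuth()
	userOK := subtle.ConstantTimeCompare([]byte(user), []byte(demoUser)) == 1
	passOK := subtle.ConstantTimeCompare([]byte(pass), []byte(demoPass)) == 1
	if !ok || !userOK || !passOK {
		w.Header().Set("WWW-Authenticate", `Basic realm="traefik"`)
		http.Error(w, "401 Unauthorized", http.StatusUnauthorized)
		return
	}
	fmt.Fprintln(w, "dashboard")
}

// Exchange is what one round trip looked like from the client's side.
type Exchange struct {
	Status     int
	Challenge  string // WWW-Authenticate header from the server, if any
	TLSVersion uint16 // 0 would mean the response did not travel over TLS
	Verified   bool   // the client verified the server's certificate chain
}

func describe(resp *http.Response) Exchange {
	e := Exchange{Status: resp.StatusCode, Challenge: resp.Header.Get("WWW-Authenticate")}
	if resp.TLS != nil {
		e.TLSVersion = resp.TLS.Version
		e.Verified = len(resp.TLS.VerifiedChains) > 0
	}
	return e
}

// NewDemoServer starts an in-process HTTPS server; httptest generates a
// self-signed certificate for it, so nothing leaves the machine.
func NewDemoServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(basicAuthHandler))
}

// Probe replays the two round trips a browser makes: an anonymous GET that is
// answered with 401, then a retry carrying "Authorization: Basic ...".
// Both go through the same transport, so the TLS handshake (including
// certificate verification) completes before any request byte is sent.
func Probe(client *http.Client, url string) (anon, authed Exchange, err error) {
	resp, err := client.Get(url)
	if err != nil {
		return anon, authed, err
	}
	resp.Body.Close()
	anon = describe(resp)

	req, err := http.NewRequest(http.MethodGet, url, nil)
	if err != nil {
		return anon, authed, err
	}
	req.SetBasicAuth(demoUser, demoPass) // base64(user:pass), sent only inside TLS
	resp, err = client.Do(req)
	if err != nil {
		return anon, authed, err
	}
	resp.Body.Close()
	authed = describe(resp)
	return anon, authed, nil
}

// UntrustedClientErr shows the other half of the guarantee: a client that does
// not trust the server's certificate fails during the handshake, so the
// credentials of the retry are never transmitted at all.
func UntrustedClientErr(url string) error {
	_, _, err := Probe(&http.Client{}, url)
	return err
}

func main() {
	srv := NewDemoServer()
	defer srv.Close()
	url := srv.URL + "/dashboard/"

	// srv.Client() trusts the test certificate, as a browser trusts Let's Encrypt.
	anon, authed, err := Probe(srv.Client(), url)
	if err != nil {
		panic(err)
	}
	fmt.Printf("anonymous:     %+v\n", anon)   // 401 with challenge, over TLS
	fmt.Printf("authenticated: %+v\n", authed) // 200, over TLS
	fmt.Println("untrusted CA:", UntrustedClientErr(url))
}
```

The anonymous exchange already reports a TLS version and a verified certificate chain: that is the 401 for which the browser opens its login dialog. The retry with the Authorization header reuses the same verified transport, which is what the network tab and the curl -v output in this thread show. The untrusted client aborts in the handshake with a certificate verification error, so a browser that actually had an invalid certificate would never reach the point of sending the password.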