TLS Handshake error

I had a working wordpress configuration until I added LE SSL encryption.

Reviewing traefik logs I found:

msg="http: TLS handshake error from 104.237.147.18:61000: EOF"

Since LE SSL is working on single tier static pages web1, web2 and whoami, I am assuming that for some reason traefik wants encryption between webserver, database and PHP.

How do I correct this internal communication error?

version: "3.3"

services:
  traefik:
    image: "traefik:v2.10"
    container_name: "traefik"

    labels:
      - "traefik.enable=true"
      - "traefik.http.middlewares.auth.basicauth.users=user1:$$.........,user2:$$.........."
      - "traefik.http.routers.traefik.rule=Host(`traefik.MyDomain.com`)"
      - "traefik.http.routers.traefik.service=api@internal"
      - "traefik.http.routers.traefik.middlewares=auth"
      - "traefik.http.routers.traefik.entrypoints=websecure"
      - "traefik.http.routers.traefik.tls.certresolver=myresolver"

    command:
      - "--api.dashboard=true"
      - "--log.level=DEBUG"
      #- "--api.insecure=true"
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      - "--entrypoints.web.address=:80"
      - "--entrypoints.websecure.address=:443"
      - "--certificatesresolvers.myresolver.acme.dnschallenge=true"
      - "--certificatesresolvers.myresolver.acme.dnschallenge.provider=cloudflare"
      #- "--certificatesresolvers.myresolver.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.myresolver.acme.email=postmaster@MyDomain.com"
      - "--certificatesresolvers.myresolver.acme.storage=/letsencrypt/acme.json"
    ports:
      - "80:80"
      - "443:443"
      - "8080:8080"
    environment:
      - CLOUDFLARE_EMAIL=MyAddres@gmail.com
      - CLOUDFLARE_DNS_API_TOKEN=jSk.....
    volumes:
      - "./letsencrypt:/letsencrypt"
      - "/var/run/docker.sock:/var/run/docker.sock:ro"

  whoami:
    image: "traefik/whoami"
    container_name: "simple-service"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.whoami.rule=Host(`whoami.MyDomain.com`)"
      - "traefik.http.routers.whoami.entrypoints=websecure"
      - "traefik.http.routers.whoami.tls.certresolver=myresolver"

  web1:
    image: nginx:latest
    container_name: "web1"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.web1.rule=Host(`web1.MyDomain.com`)"
      - "traefik.http.routers.web1.entrypoints=websecure"
      - "traefik.http.routers.web1.tls.certresolver=myresolver"
    volumes:
      - ./index1.html:/var/www/websites/index.html
      - ./default.conf:/etc/nginx/conf.d/default.conf

  web2:
    image: nginx:latest
    container_name: "web2"
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.web2.rule=Host(`web2.MyDomain.com`)"
      - "traefik.http.routers.web2.entrypoints=websecure"
      - "traefik.http.routers.web2.tls.certresolver=myresolver"
    volumes:
      - ./index2.html:/var/www/websites/index.html
      - ./default.conf:/etc/nginx/conf.d/default.conf
  nginx:
    image: nginx:latest
    container_name: web-serv
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.web.rule=Host(`web.MyDomain.com`)"
      - "traefik.http.routers.web.entrypoints=websecure"
      - "traefik.http.routers.web.tls.certresolver=myresolver"
    # ports:
    #   - 80:80
    #   - 443:443
    volumes:
      - ./wordpress:/var/www/wordpress
      - ./websites:/var/www/websites
      - ./conf.d:/etc/nginx/conf.d
  mysql:
    image: mysql:latest
    container_name: db-serv
    environment:
      MYSQL_DATABASE: wpdb
      MYSQL_USER: wpuser
      MYSQL_PASSWORD: ..........
      MYSQL_ROOT_PASSWORD: ..........
    volumes:
      - ./dbdata:/var/lib/mysql
  php-fpm:
    image: bitnami/php-fpm:latest
    container_name: php-fpm
    volumes:
      - ./wordpress:/var/www/wordpress
  ssh-serv:
    image: debian:bookworm-slim
    container_name: ssh-serv
    tty: true # keep container running
    ports:
      - 2222:22
    volumes:
      - ./wordpress:/var/www/wordpress
volumes:
  dbdata:
  wordpress:
  websites:
  conf.d:
  logs:
    name: "Traefik_logs"

Try to add loadbalancer.server.port to the labels to indicate which target service port to use.

To use target service with TLS, you can add global insecureSkipVerify.

I am not following you.

web1, web2 and whoami all work so the external network is working.
The problem is with the internal network. I have no idea why I am getting a TLS error. These traefik routing/layers are crazy.

The load balancer is on the wrong layer and would simply introduce another potential problem.

Load balancing is the process of distributing a set of tasks over a set of resources, with the aim of making their overall processing more efficient.

This is not my problem with SSL over wordpress.

"GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0"

loadbalancer.server.port is the (maybe misleadingly named) service parameter to indicate which port to use of the target service. (Doc Example)

This is recommended when a container image exposes none or multiple ports via Dockerfile config, so Traefik knows which port to use when connecting to the target service/container.

Traefik logic:
entrypoint -> router -> middleware -> service
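
The entrypoint -> router -> middleware -> service chain and the two suggestions from the replies, mapped onto the `nginx` service from the question; this is an added example, not part of the original thread, and it shows only the lines relevant to that chain. The service name `wp`, backend port 80 and the `http` scheme are assumptions about how the nginx container listens.

```yaml
services:
  traefik:
    image: "traefik:v2.10"
    command:
      - "--providers.docker=true"
      - "--providers.docker.exposedbydefault=false"
      # entrypoint: the only place where TLS is terminated for clients
      - "--entrypoints.websecure.address=:443"
      # Global option from the reply. It only matters when the backend
      # container itself serves HTTPS, and it switches off certificate
      # verification for every backend connection Traefik makes.
      # Left disabled because the backend is assumed to speak plain HTTP.
      #- "--serversTransport.insecureSkipVerify=true"

  nginx:
    image: nginx:latest
    container_name: web-serv
    labels:
      - "traefik.enable=true"
      # router: matches requests that arrived on the entrypoint
      - "traefik.http.routers.web.rule=Host(`web.MyDomain.com`)"
      - "traefik.http.routers.web.entrypoints=websecure"
      - "traefik.http.routers.web.tls.certresolver=myresolver"
      # middleware: none attached to this router
      # router -> service: bind the router to a named service
      # ("wp" is an assumed name, not from the thread)
      - "traefik.http.routers.web.service=wp"
      # service: loadbalancer.server.port names the backend port Traefik
      # connects to; no load balancing happens with a single container
      - "traefik.http.services.wp.loadbalancer.server.port=80"
      # scheme=http keeps the Traefik -> nginx hop unencrypted, so the
      # backend does not need a certificate of its own
      - "traefik.http.services.wp.loadbalancer.server.scheme=http"
```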