With the update from v2.6.7 to v2.7.1 or higher, the Home-Assistant application is unable to connect when using the subdomain name. Firefox can’t establish a connection to the server at wss://assistant.mydomain.nl/api/websocket. This is the message shown in the browser when using the webtools (F12). This is after a successful login with 2FA on my subdomain in Home-Assistant.
Switching back to Traefik v2.6 results in a normal situation. Both applications have been running in Docker containers for more than a year. Are there any breaking changes in Traefik in the later releases?
My setup is all using Docker containers, and for Traefik I am using the dynamic file setup as described in Traefik 2 Basic Configuration.
traefik: docker-compose.yaml
```yaml
version: '3.3'
services:
  traefik:
    image: traefik:v2.6  # <--- changing this to v2.7 or v2.8 disables the connection in HA
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /var/log/traefik:/var/log/traefik
      - ./traefik.yml:/traefik.yml:ro
      - ./acme.json:/acme.json
      # Add folder with dynamic configuration
      - ./configurations:/configurations
      - traefik-logs:/var/log/traefik
    networks:
      proxy:
        ipv4_address: 172.31.0.10
    command:
      - --web
      - --logLevel=INFO
      - --accessLog.filePath="/var/log/traefik/access.log"
      - --traefikLog.filePath="/var/log/traefik/traefik.log"
      - --traefikLog.format="json"
      - --accessLog.format="json"
      - --accessLog.filters.statusCodes=400-499
networks:
  proxy:
    external: true
volumes:
  traefik-logs:
```
traefik.yml
```yaml
global:
  checkNewVersion: true
  sendAnonymousUsage: true
api:
  dashboard: true
  debug: true
  insecure: false
entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
    proxyProtocol:
      insecure: true
      trustedIPs:
        - "127.0.0.1"
        - "192.168.2.1"
    forwardedHeaders:
      insecure: true
      trustedIPs:
        - "127.0.0.1"
        - "192.168.2.1"
  websecure:
    address: :443
    proxyProtocol:
      insecure: true
      trustedIPs:
        - "127.0.0.1"
        - "192.168.2.1"
        - "172.31.0.10"
    forwardedHeaders:
      insecure: true
      trustedIPs:
        - "127.0.0.1"
        - "192.168.2.1"
        - "172.31.0.10"
    http:
      middlewares:
        - secureHeaders@file
        - nofloc@file
      tls:
        certResolver: letsencrypt
pilot:
  dashboard: false
providers:
  file:
    directory: /configurations
    watch: true
certificatesResolvers:
  letsencrypt:
    acme:
      email: myname@mydomein.nl
      storage: acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: web
  buypass:
    acme:
      email: myname@mydomein.nl
      storage: acme.json
      caServer: https://api.buypass.com/acme/directory
      keyType: EC256
      httpChallenge:
        entryPoint: web
log:
  filePath: "/var/log/traefik/traefik.log"
accessLog:
  filePath: "/var/log/traefik/access.log"
```
The dynamic configuration file that I use.
router.yml
```yaml
http:
  routers:
    homeassistant:
      service: hassistant-service
      middlewares:
        - redirect
      rule: "Host(`assistant.mydomein.nl`)"
```
services.yml
```yaml
http:
  # region services
  services:
    hassistant-service:
      loadBalancer:
        servers:
          - url: "http://172.31.0.24:8123"
        passHostHeader: true
```
middleware.yml
```yaml
http: # Add the middlewares
  middlewares:
    test-compress:
      compress: {}
    redirect:
      redirectScheme:
        scheme: https
        permanent: true
    nofloc:
      headers:
        customResponseHeaders:
          Permissions-Policy: "interest-cohort=()"
    secureHeaders:
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        referrerPolicy: "strict-origin-when-cross-origin" # Referrer-Policy
        frameDeny: true
        featurePolicy: "vibrate 'none';" # Feature-Policy header
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000
    default-whitelist:
      ipWhiteList:
        sourceRange:
          - "10.0.0.0/8"
          - "192.168.0.0/16"
          - "172.16.0.0/12"
```
and tls.yml
```yaml
tls:
  options:
    default:
      maxVersion: VersionTLS13
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
    maxtls12:
      maxVersion: VersionTLS12
```
Thanks in advance.
Johan