Traefik 2.7 or higher with Home-Assistant is unable to connect

With the update from v2.6.7 to v2.7.1 or higher, the Home-Assistant application is unable to connect when using the subdomain name. Firefox can’t establish a connection to the server at wss://assistant.mydomain.nl/api/websocket. This is the message shown in the browser when using the web tools (F12). This is after a successful login with 2FA on my subdomain in Home-Assistant.
Switching back to Traefik v2.6 results in a normal situation. Both applications have been running in Docker containers for more than a year. Are there any breaking changes in Traefik in the later releases?

My setup uses Docker containers throughout, and for Traefik I am using the dynamic file setup as described in Traefik 2 Basic Configuration.

traefik: docker-compose.yaml

version: '3.3'

services:

  traefik:
    image: traefik:v2.6  # <--- changing this to v2.7 or v2.8 disables the connection in HA
    container_name: traefik
    restart: always
    security_opt:
      - no-new-privileges:true
    ports:
      - 80:80
      - 443:443
    volumes:
      - /etc/localtime:/etc/localtime:ro
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - /var/log/traefik:/var/log/traefik
      - ./traefik.yml:/traefik.yml:ro
      - ./acme.json:/acme.json
      # Add folder with dynamic configuration
      - ./configurations:/configurations
      - traefik-logs:/var/log/traefik
    networks:
      proxy:
        ipv4_address: 172.31.0.10
    command:
      - --web
      - --logLevel=INFO
      - --accessLog.filePath="/var/log/traefik/access.log"
      - --traefikLog.filePath="/var/log/traefik/traefik.log"
      - --traefikLog.format="json"
      - --accessLog.format="json"
      - --accessLog.filters.statusCodes=400-499

networks:
  proxy:
    external: true
volumes:
  traefik-logs:

traefik.yml

global:
  checkNewVersion: true
  sendAnonymousUsage: true

api:
  dashboard: true
  debug: true
  insecure: false

entryPoints:
  web:
    address: :80
    http:
      redirections:
        entryPoint:
          to: websecure
    proxyProtocol:
      insecure: true
      trustedIPs:
        - "127.0.0.1"
        - "192.168.2.1"
    forwardedHeaders:
      insecure: true
      trustedIPs:
        - "127.0.0.1"
        - "192.168.2.1"

  websecure:
    address: :443
    proxyProtocol:
      insecure: true
      trustedIPs:
        - "127.0.0.1"
        - "192.168.2.1"
        - "172.31.0.10"
    forwardedHeaders:
      insecure: true
      trustedIPs:
        - "127.0.0.1"
        - "192.168.2.1"
        - "172.31.0.10"
    http:
      middlewares:
        - secureHeaders@file
        - nofloc@file
      tls:
        certResolver: letsencrypt

pilot:
  dashboard: false

providers:
  file:
    directory: /configurations
    watch: true

certificatesResolvers:
  letsencrypt:
    acme:
      email: myname@mydomein.nl
      storage: acme.json
      keyType: EC384
      httpChallenge:
        entryPoint: web

  buypass:
    acme:
      email: myname@mydomein.nl
      storage: acme.json
      caServer: https://api.buypass.com/acme/directory
      keyType: EC256
      httpChallenge:
        entryPoint: web

log:
  filePath: "/var/log/traefik/traefik.log"

accessLog:
  filePath: "/var/log/traefik/access.log"

The dynamic configuration file that I use.

router.yml

http:
  routers:
    homeassistant:
      service: hassistant-service
      middlewares:
        - redirect
      rule: "Host(`assistant.mydomein.nl`)"

services.yml

http:
  # region services
  services:
    hassistant-service:
      loadBalancer:
        servers:
         - url: "http://172.31.0.24:8123"
        passHostHeader: true  

middleware.yml

http: # Add the middlewares
   middlewares:
    test-compress:
      compress: {}
    redirect:
      redirectScheme:
        scheme: https
        permanent: true
    nofloc:
      headers:
        customResponseHeaders:
          Permissions-Policy: "interest-cohort=()"
    secureHeaders:    
      headers:
        browserXssFilter: true
        contentTypeNosniff: true
        referrerPolicy: "strict-origin-when-cross-origin"   # Referrer-Policy
        frameDeny: true
        featurePolicy: "vibrate 'none';"    # Feature-Policy header
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 31536000

    default-whitelist:
      ipWhiteList:
        sourceRange:
        - "10.0.0.0/8"
        - "192.168.0.0/16"
        - "172.16.0.0/12"

and tls.yml

tls:
  options:
    default:
      maxVersion: VersionTLS13
      cipherSuites:
        - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
        - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
        - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
        - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305

    maxtls12:
      maxVersion: VersionTLS12

Thanks in advance.

Johan

I got the same problem. The issue seems to be in the redirect scheme middleware.
Removing the line 'permanent: true' solved it for me.

I don't know why. But I also don't really understand why I needed the redirect scheme middleware in the first place, because it works without it and I already have an http-to-https redirect scheme in the web (http) router.

Thanks for the reply on my question.
I've tried commenting out the line 'permanent: true'. With Traefik 2.6.7 it still works. Unfortunately not with 2.8, sorry.

As it is with containers, I stopped Traefik in the container, removed it and deleted all the Traefik images. In the docker-compose file I changed the image name to traefik:v2.8 and ran the docker-compose file.
I am happy to say that it works with Home-Assistant.

I also ran into this same issue. Turns out it was something wrong with the letsencrypt TLS certificate (expired?). Solved it by deleting the acme.json file and letting Traefik obtain new certs. Now able to log into Home Assistant again.

Just remove or comment out the line '- middlewares-https-redirectscheme' from middlewares-chains.yml.