Traefik 2.x - Path processing being weird

Hi. What I'm trying to do:

Have an app, call it mm.$domain, available on the web via that subdomain.
The DNS record is set up and working.
Have the Traefik dashboard available via mm.$domain/traefik and Dozzle available via mm.$domain/dozzle.

mm.$domain (the main app) has to have SSL; the rest is fine either way.

What I'm getting:

  1. The mm.$domain app IS available. The certificate is generated. The compose file below points at the staging server, but I've tried it against prod too and confirmed, both by examining acme.json and in the browser, that the cert is there. HOWEVER, the connection to mm.$domain is still shown as NOT SECURE.

  2. mm.$domain/traefik and mm.$domain/dozzle just return 404. It redirects to HTTPS even if I comment out the rules for forceful HTTPS termination.
    Compose file:

```yaml
version: '3.3'
networks:
  mm-in:
    driver: bridge
  mm-out:
    driver: bridge
volumes:
  mm-dbdata:
  traefik-certs:

services:
  postgres:
    image: postgres
    restart: unless-stopped
    security_opt:
      - no-new-privileges:true
    pids_limit: 100
    read_only: true
    tmpfs:
      - /tmp
      - /var/run/postgresql
    networks:
      - mm-in
    volumes:
      - mm-dbdata:/var/lib/postgresql/data
      - /etc/localtime:/etc/localtime:ro
    environment:
      - TZ=Europe/Kiev
      - POSTGRES_USER
      - POSTGRES_PASSWORD
      - POSTGRES_DB

  mattermost:
    image: mattermost/mattermost-team-edition
    restart: unless-stopped
    container_name: mattermost
    security_opt:
      - no-new-privileges:true
    pids_limit: 200
    depends_on:
      - postgres
    networks:
      - mm-in
      - mm-out
    volumes:
      - /home/flar/mm/volumes/app/mattermost/config:/mattermost/config:rw
      - /home/flar/mm/volumes/app/mattermost/data:/mattermost/data:rw
      - /home/flar/mm/volumes/app/mattermost/logs:/mattermost/logs:rw
      - /home/flar/mm/volumes/app/mattermost/plugins:/mattermost/plugins:rw
      - /home/flar/mm/volumes/app/mattermost/client/plugins:/mattermost/client/plugins:rw
      - /home/flar/mm/volumes/app/mattermost/bleve-indexes:/mattermost/bleve-indexes:rw
    environment:
      - TZ=Europe/Kiev
      - MM_SERVICESETTINGS_SITEURL=https://$DOMAIN
      - MM_SQLSETTINGS_DRIVERNAME
      - MM_SQLSETTINGS_DATASOURCE
      - MM_BLEVESETTINGS_INDEXDIR
    labels:
      - "traefik.docker.network=mm_mm-out"
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.mm-rtr.entrypoints=https"
      - "traefik.http.routers.mm-rtr.rule=Host($DOMAIN)"
      - "traefik.http.routers.mm-rtr.tls=true"
      ## HTTP Services
      - "traefik.http.routers.mm-rtr.service=mm-svc"
      - "traefik.http.services.mm-svc.loadbalancer.server.port=8065"

  traefik:
    restart: "unless-stopped"
    image: traefik
    container_name: traefik
    ports:
      - target: 80
        published: 80
        protocol: tcp
        mode: host
      - target: 443
        published: 443
        protocol: tcp
        mode: host
      - target: 8080
        published: 8080
        protocol: tcp
        mode: host
    networks:
      - mm-out
    environment:
      - TZ=Europe/Kiev
      - NETLIFY_TOKEN=$NETLIFY_TOKEN
    command:
      - --api.dashboard=true
      - --api.insecure=true
      - --global.checkNewVersion=true
      - --global.sendAnonymousUsage=true
      - --entryPoints.http.address=:80
      - --entryPoints.https.address=:443
      - --api=true
      - --log=true
      - --log.level=DEBUG
      - --accesslog=true
      - --accesslog.filePath=/logs/access.log
      - --accesslog.format=json
      - --accessLog.bufferingSize=100
      - --accessLog.filters.statusCodes=400-499
      # providers
      - --providers.docker=true
      - --providers.docker.endpoint=unix:///var/run/docker.sock
      - --providers.docker.exposedByDefault=false
      - --providers.docker.swarmMode=false
      - --providers.docker.network=mm_mm-out
      - --providers.file.directory=/rules
      # alternative (not active):
      # - --providers.file.filename=/path/to/file # Load dynamic configuration from a file.
      - --providers.file.watch=true # Only works on top level files in the rules folder
      - --entrypoints.https.http.tls.options=tls-opts@file
      # resolvers / DNS challenge
      - --certificatesResolvers.dns-netlify.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesResolvers.dns-netlify.acme.email=$EMAIL
      - --certificatesResolvers.dns-netlify.acme.storage=/acme/acme.json
      - --certificatesResolvers.dns-netlify.acme.dnsChallenge.provider=netlify
      - --certificatesResolvers.dns-netlify.acme.dnsChallenge.delayBeforeCheck=90 # To delay DNS check and reduce LE hitrate
      - --certificatesresolvers.dns-netlify.acme.tlschallenge=true
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
      - /home/flar/mm/traefik/acme:/acme
      - /home/flar/mm/traefik/rules:/rules
      - /home/flar/mm/traefik/logs/access.log:/logs/access.log
    labels:
      - "traefik.docker.network=mm_mm-out"
      - "traefik.enable=true"
      # HTTP-to-HTTPS Redirect
      - "traefik.http.routers.http-catchall.entrypoints=http"
      - "traefik.http.routers.http-catchall.rule=HostRegexp(`{host:.+}`)"
      - "traefik.http.routers.http-catchall.middlewares=redirect-to-https"
      - "traefik.http.middlewares.redirect-to-https.redirectscheme.scheme=https"
      # HTTP Routers
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`*mm.$DOMAIN`) && (PathPrefix(`/traefik`))"
      # alternative (not active):
      # - "traefik.http.routers.traefik-rtr.rule=Host(traefik.$DOMAIN)"
      - "traefik.http.routers.traefik-rtr.tls=true" # Some people had 404s without this
      - "traefik.http.routers.traefik-rtr.tls.certresolver=dns-netlify"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].main=$DOMAIN"
      - "traefik.http.routers.traefik-rtr.tls.domains[0].sans=*.$DOMAIN"
      ## Services - API
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      - "traefik.http.routers.traefik-rtr.middlewares=traefik-strip"
      - "traefik.http.middlewares.traefik-strip.stripprefix.prefixes=/traefik"

  dozzle:
    image: amir20/dozzle:latest
    restart: unless-stopped
    container_name: dozzle
    networks:
      - mm-out
    environment:
      - TZ=Europe/Kiev
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.dozzle-rtr.entrypoints=http"
      - "traefik.http.routers.dozzle-rtr.rule=PathPrefix(/dozzle)"
      # alternative (not active):
      # - "traefik.http.routers.dozzle-rtr.tls=true"
      ## HTTP Services
      - "traefik.http.routers.dozzle-rtr.service=dozzle-svc"
      - "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080"
      - "traefik.http.routers.dozzle-rtr.middlewares=dozzle-strip"
      - "traefik.http.middlewares.dozzle-strip.stripprefix.prefixes=/dozzle"
```

Please format your code with 3 backticks or use the </> button when code is selected. It improves readability and shows more details; in YAML format every (missing) space matters.

You need to assign your certresolver (by name) either globally to your https entrypoint or to every router individually.

And it helps Traefik when every rule includes a Host(); otherwise you might see TLS/SSL warnings in the log.

Most web apps cannot simply be run with a path prefix, even if you strip it away when forwarding the request. The service might respond with redirects and links that do not include your custom path prefix and therefore end up somewhere else. It only works when the web app is path-aware and you can set the "base URL" somewhere. It is best practice to use a subdomain for web apps instead of a path prefix.
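The following compose file is an added example (not the original poster's file and not from the Traefik project) that puts the reply's three points into one configuration: the certresolver is bound once to the https entrypoint instead of per router, every rule carries a Host(), and the dashboard and Dozzle each get their own subdomain (traefik.$DOMAIN and dozzle.$DOMAIN, my choice of names) rather than a path prefix, so no stripprefix middleware is needed. Assumptions: DOMAIN, EMAIL and NETLIFY_TOKEN come from the .env file as in the post, the project directory is named mm (so the Docker network is mm_mm-out), the basic-auth hash is a placeholder to be replaced with real htpasswd output, and the postgres service plus the Mattermost volumes and database variables are unchanged from the post and left out here.

```yaml
# Added example, not the poster's file: one subdomain per app, the certresolver
# bound to the https entrypoint, Host() in every rule, and no insecure API port.
# Assumes a project directory named "mm" (network mm_mm-out) and DOMAIN, EMAIL
# and NETLIFY_TOKEN set in the .env file next to this compose file.
version: "3.3"

networks:
  mm-out:
    driver: bridge

services:
  traefik:
    image: traefik:v2.10
    restart: unless-stopped
    container_name: traefik
    security_opt:
      - no-new-privileges:true
    ports:
      - "80:80"
      - "443:443"
      # no 8080: the dashboard is reachable only through the authenticated router below
    networks:
      - mm-out
    environment:
      - NETLIFY_TOKEN=$NETLIFY_TOKEN
    command:
      - --api.dashboard=true
      - --log.level=INFO
      - --providers.docker=true
      - --providers.docker.exposedByDefault=false
      - --providers.docker.network=mm_mm-out
      - --entrypoints.http.address=:80
      - --entrypoints.https.address=:443
      # redirect all HTTP to HTTPS at the entrypoint instead of a catch-all router
      - --entrypoints.http.http.redirections.entrypoint.to=https
      - --entrypoints.http.http.redirections.entrypoint.scheme=https
      # resolver assigned once at the entrypoint: every router on :443 gets TLS
      # from the one wildcard certificate, so no per-router tls labels are needed
      - --entrypoints.https.http.tls.certresolver=dns-netlify
      - --entrypoints.https.http.tls.domains[0].main=$DOMAIN
      - --entrypoints.https.http.tls.domains[0].sans=*.$DOMAIN
      # staging CA certificates are never browser-trusted; switch caserver to
      # https://acme-v02.api.letsencrypt.org/directory once a staging run succeeds
      - --certificatesresolvers.dns-netlify.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory
      - --certificatesresolvers.dns-netlify.acme.email=$EMAIL
      - --certificatesresolvers.dns-netlify.acme.storage=/acme/acme.json
      - --certificatesresolvers.dns-netlify.acme.dnschallenge.provider=netlify
      - --certificatesresolvers.dns-netlify.acme.dnschallenge.delaybeforecheck=90
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
      - ./traefik/acme:/acme   # acme.json must be mode 600: it holds the private keys
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.traefik-rtr.entrypoints=https"
      - "traefik.http.routers.traefik-rtr.rule=Host(`traefik.$DOMAIN`)"
      - "traefik.http.routers.traefik-rtr.service=api@internal"
      - "traefik.http.routers.traefik-rtr.middlewares=admin-auth"
      # placeholder hash: generate with `htpasswd -nB admin` and double every `$` for compose
      - "traefik.http.middlewares.admin-auth.basicauth.users=admin:$$2y$$05$$REPLACE_WITH_HTPASSWD_OUTPUT"

  dozzle:
    image: amir20/dozzle:latest
    restart: unless-stopped
    networks:
      - mm-out
    volumes:
      - /var/run/docker.sock:/var/run/docker.sock:ro
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.dozzle-rtr.entrypoints=https"
      - "traefik.http.routers.dozzle-rtr.rule=Host(`dozzle.$DOMAIN`)"
      - "traefik.http.routers.dozzle-rtr.middlewares=admin-auth"
      - "traefik.http.services.dozzle-svc.loadbalancer.server.port=8080"

  mattermost:
    image: mattermost/mattermost-team-edition
    restart: unless-stopped
    networks:
      - mm-out
    environment:
      # SiteURL is what Mattermost writes into generated links, so it must be the public host
      - MM_SERVICESETTINGS_SITEURL=https://mm.$DOMAIN
    labels:
      - "traefik.enable=true"
      - "traefik.http.routers.mm-rtr.entrypoints=https"
      - "traefik.http.routers.mm-rtr.rule=Host(`mm.$DOMAIN`)"
      - "traefik.http.services.mm-svc.loadbalancer.server.port=8065"
```

Two things worth checking after bringing this up: `docker compose logs traefik` should show one certificate obtained for `$DOMAIN` and `*.$DOMAIN`, and `curl -I http://mm.$DOMAIN/` should answer with a redirect to https. The same `admin-auth` middleware fronts both the dashboard and Dozzle on purpose: both containers talk to the Docker socket, and a `:ro` bind mount only makes the socket file read-only, it does not limit what the Docker API behind it will do, so neither UI should be reachable without authentication.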

Sorry for the poor formatting; as my account here is new, posts were held for review by the administration, so I couldn't really check whether the quote applied correctly, and it did not.

I've switched to using a subdomain and it works as expected now.
Topic can be closed.

I think you can set a comment here as solution to mark the topic as resolved.
